Turning on two-factor authentication is the most common piece of advice a company hears after its first incident. Rightly so, because MFA blocks the vast majority of simple password attacks. The problem is that many organisations stop there and consider the matter closed. In the real cases we handle, Microsoft 365 is compromised despite MFA being enabled. Not because MFA is useless, but because it is one element, not the whole of protection.

How an attacker bypasses the second factor alone

MFA verifies the sign-in at a single point. A modern attack aims around that point.

  • Phishing with session hijacking (AiTM). The attacker sets up an intermediary page that passes your credentials and code to the real Microsoft, and in return steals your session token. Once you have signed in, they no longer need your password or code.
  • MFA fatigue. The victim receives a series of approval prompts in the app until, tired, they tap approve. A trivial method, yet still effective with tap-style notifications.
  • Legacy authentication. Old protocols such as IMAP, POP3 or SMTP AUTH often do not support MFA at all. If they are not blocked, they are an open door.
  • Consent to malicious OAuth apps. A user grants consent to an app that then reads their mail and files without any further sign-in.

In most of the Microsoft 365 incidents we have analysed, the attacker did not break MFA. They came in from the side: through a stolen token, an old protocol or OAuth consent. The second factor alone does not see this.

Conditional access, or a decision instead of a gate

Conditional Access in Entra ID is a layer that turns a sign-in from a single gate into a decision based on context. Instead of asking only whether you know the password and code, the system asks who, from where, from which device and in what situation is signing in.

The practical policies we deploy first:

  1. Blocking legacy authentication for the whole organisation. This is one change that closes the most common gap.
  2. A requirement for a compliant device for access to company data, for example a device managed in Intune.
  3. Geographic and risk-based restrictions. A sign-in from an unusual country or with elevated risk requires extra verification or is blocked.
  4. Phishing-resistant MFA methods for privileged accounts: FIDO2 keys or Windows Hello instead of SMS codes.

The key mental shift: MFA answers the question is this you, conditional access answers the question are you allowed in under these conditions. Only together do they form a sensible barrier.

Entra ID as the foundation of identity

In the Microsoft cloud, identity is the new network perimeter. There is no longer a firewall wall around everything, but there is an account with access to mail, files and applications from anywhere. That is why order in Entra ID determines the real level of security.

What we look at during an identity audit:

  • Privileged accounts. How many global administrators there are, whether they use separate administrative accounts and whether they apply PIM, meaning time-bound permissions.
  • Dormant accounts and former employees. An active account of someone who left six months ago is a ready entry point.
  • Password hygiene and self-service reset. Forced change of weak passwords and a controlled process for recovering access.
  • MFA method registration. Whether every user has a strong method registered before an attacker does it for them.

Microsoft Defender, or visibility after sign-in

Even the best sign-in policy will not catch everything. You need a layer that watches what is already happening inside. Microsoft Defender provides this visibility in several places at once.

  • Defender for Office 365 filters phishing and malicious attachments before they reach the mailbox, and checks links at the moment of clicking.
  • Defender for Cloud Apps detects unusual account behaviour: mass file downloads, creating mail forwarding rules or sign-ins from two distant locations in a short time.
  • Defender for Endpoint correlates signals from devices, so a compromised account on an infected laptop is linked to a real threat.

A mail forwarding rule quietly set on the management board’s mailbox is a classic sign of compromise. MFA alone will not see it. Defender will.

Identity management (IAM) as a process, not a one-off configuration

Microsoft 365 security is not a state but a process. Identity and access management (IAM) means that access is created, changed and expires in a controlled way throughout the employee lifecycle.

  • Onboarding. A new employee gets exactly the permissions they need and nothing more. The principle of least privilege from day one.
  • Role change. A promotion or a move to another department is an opportunity to remove old permissions, not just add new ones.
  • Offboarding. An employee leaving means immediately blocking the account and revoking active sessions, not a week of delay.
  • Access review. A recurring review of who has access to what, especially to sensitive data and shared accounts.

These four points sound simple, but in companies with no process this is exactly where gaps build up: ghost accounts, permissions after promotions and sessions that never expired.

Where to start

If you have MFA enabled and want to take a real next step, the order is usually this:

  1. Block legacy authentication and check that nothing is left using it.
  2. Deploy basic conditional access policies based on device and risk.
  3. Bring order to privileged accounts and enable phishing-resistant MFA for administrators.
  4. Enable and configure Defender to see what happens after sign-in.
  5. Set a repeatable IAM process for the whole employee lifecycle.

MFA is the foundation, not the roof. If you want your company Microsoft 365 to be resilient to today’s attacks, we will help put the whole thing in order: from Microsoft 365 deployment to configuring identity and protection. Start with a conversation about what actually protects your accounts today, and what only looks like protection.