Identity-First Security for Microsoft 365: What SMBs Should Actually Deploy
Your M365 tenant is your real security perimeter. Five Entra ID controls that stop credential theft, session hijacking, and account takeover at SMB scale.
Your employees sign into Microsoft 365 dozens of times a day across laptops, phones, and browsers. Every one of those sign-ins is a decision point: is this really the person they claim to be, and should they have access to what they are requesting? For small businesses running on M365, Entra ID (formerly Azure AD) is the single system that answers both questions. That makes it the most important security control in your environment.
Attackers have noticed. Microsoft reported that identity-based attacks increased 300% in 2025, with adversary-in-the-middle phishing and session cookie theft now bypassing traditional MFA at scale. The perimeter firewall does not help when the attack vector is a legitimate-looking login from a stolen token. Identity security is where the fight is happening, and most SMBs are defending it with the equivalent of a screen door.
This post is part of our cyber resilience roadmap for small businesses. Identity hardening is the first shift because it delivers the highest security impact per dollar spent.
Why Identity Outranks the Firewall
A traditional security model puts the firewall at the center. Traffic flows through the perimeter, and anything inside the network is relatively trusted. That model broke when employees started working from home, accessing cloud apps from personal devices, and authenticating through browser-based portals that never touch the corporate network.
For a 75-person company running Microsoft 365, the majority of sensitive data access happens through Entra ID authentication. Email, SharePoint, Teams, OneDrive, and any third-party apps federated through Entra ID all rely on the same identity. Compromising one user’s credentials or session token can grant access to email history, shared documents, financial records, and internal communications. No firewall rule applies.
The Verizon 2025 Data Breach Investigations Report found that stolen credentials were the top initial access vector for the third consecutive year. At SMB scale, where a single IT person often manages the entire M365 tenant, identity misconfigurations compound quickly. Default settings that were acceptable for a 10-person company become serious vulnerabilities at 75 users.
Five Controls That Close the Biggest Gaps
These five Entra ID configurations are available in Microsoft 365 Business Premium licensing, which most SMBs already have. They require no additional products, just proper setup.
1. Phishing-Resistant MFA for Admin Accounts
Standard MFA with push notifications is vulnerable to MFA fatigue attacks, where an attacker floods a user with approval prompts until they tap “approve” to make it stop. Phishing-resistant methods eliminate this vector entirely.
For global admins, Exchange admins, and any account with elevated privileges, require FIDO2 security keys or passkeys. These hardware-bound credentials cannot be phished because the authentication happens through a cryptographic challenge between the key and the identity provider. A YubiKey costs $25-50 per key. For a company with three to five admin accounts, that is under $250 for the strongest authentication method available.
For all other users, enable Microsoft Authenticator with number matching as the minimum standard. Number matching requires the user to type a two-digit code displayed on the sign-in screen into their Authenticator app, which defeats blind-approval attacks.
2. Conditional Access Policies
Conditional Access evaluates the context of every sign-in attempt and applies rules before granting access. These policies are the enforcement layer that turns identity into a real security boundary.
Start with four policies that cover the most common attack patterns:
- Block sign-ins from countries where you have no employees or customers. Geo-blocking alone stops a large volume of automated credential-stuffing attempts. Most SMBs operate in one or two countries, which makes the block list simple.
- Require compliant or hybrid-joined devices for access to SharePoint and OneDrive. This prevents a stolen password from being used on an unmanaged device to download sensitive files.
- Require MFA for all users, every sign-in. Combined with the MFA methods above, this eliminates the “trusted location” bypass that many SMBs still rely on.
- Block legacy authentication protocols. Older protocols like POP3, IMAP, and SMTP AUTH do not support MFA. If they are still enabled, an attacker with a stolen password can access email without any second factor. Most businesses have no legitimate need for these protocols.
3. Sign-In Risk and User Risk Policies
Entra ID Protection evaluates sign-in attempts against Microsoft’s threat intelligence and flags anomalies. Impossible-travel detections catch an account signing in from Dallas and then from Eastern Europe 20 minutes later. Anomalous token detections identify sessions using stolen cookies.
Configure sign-in risk policies to require MFA re-authentication for medium-risk events and block access for high-risk events. For user risk policies, require a password change when the risk level indicates likely credential compromise.
These policies generate false positives, but for a small user base, the noise is manageable. An IT provider or MSP reviewing flagged sign-ins weekly can triage these in minutes.
4. Session Lifetime Controls
A stolen session cookie is valid until it expires. Default M365 session lifetimes can extend for days, giving an attacker a wide window to extract data or establish persistence. Shortening session lifetimes limits the damage a stolen token can cause.
Set Conditional Access session controls to require re-authentication every eight hours for standard users and every hour for admin accounts. For browser-based access from unmanaged devices, use app-enforced restrictions through Defender for Cloud Apps to prevent downloads entirely.
The tradeoff is user convenience. Re-authentication prompts are mildly disruptive. For most businesses, the security benefit outweighs the friction, especially after explaining to employees why the prompt exists.
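The legacy-authentication block from section 2 and the one-hour admin sign-in frequency from this section, defined with the Microsoft Graph PowerShell SDK as an added example (not code from the original post); it assumes the Microsoft.Graph.Identity.SignIns module, Conditional Access Administrator rights, and a placeholder object id for an emergency-access account.

```powershell
# Added example, not code from the original post: defines the "block legacy
# authentication" policy (section 2) and the one-hour admin sign-in frequency
# (section 4) with the Microsoft Graph PowerShell SDK. Assumes the
# Microsoft.Graph.Identity.SignIns module and Conditional Access Administrator rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Start in report-only mode: the sign-in log then records what each policy WOULD
# have done without locking anyone out. Switch to "enabled" after reviewing it.
$state = "enabledForReportingButNotEnforced"

# Assumption: object id of an emergency-access ("break glass") account, excluded
# from both policies so a misconfiguration cannot lock out every admin at once.
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Policy 1: legacy protocols (POP3, IMAP, SMTP AUTH, older Office clients) cannot
# perform MFA, so the only grant control that makes sense for them is block.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: anyone holding the Global Administrator role (well-known role template
# id below) must satisfy MFA and re-authenticate every hour. Add the template ids
# of other privileged roles (Exchange Administrator, etc.) to includeRoles as needed.
$adminSession = @{
    displayName     = "CA002 - Admins re-authenticate every hour"
    state           = $state
    conditions      = @{
        users          = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{ value = 1; type = "hours"; isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminSession
```

Leave both policies in report-only mode for at least a week and check the "Report-only" result column in the Entra sign-in logs before switching the state to "enabled".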
5. Mailbox Forwarding and Delegation Auditing
Business email compromise (BEC) attacks frequently create hidden mailbox forwarding rules that silently copy incoming email to an external address. The attacker uses these rules to intercept invoices, wire transfer requests, and sensitive communications.
Use an Exchange Online transport rule to block client-side forwarding rules that send mail to external domains. Audit existing forwarding rules monthly. Review mailbox delegation permissions to ensure that no unauthorized accounts have “Send As” or “Full Access” rights.
This control costs nothing and blocks one of the most financially damaging attack techniques. The FBI’s IC3 report consistently ranks BEC as the highest-dollar cybercrime category, with losses exceeding $2.9 billion annually in the U.S.
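The monthly audit and the transport rule described in this section, as an added example written for this post (not code from the original or from Microsoft); it assumes the ExchangeOnlineManagement module and an account holding the Exchange Administrator role, and the rule name and reject text are placeholders of my choosing.

```powershell
# Added example, not code from the original post: audits the forwarding and delegation
# settings described in section 5 with the ExchangeOnlineManagement module, then creates
# the transport rule. Assumes an account holding the Exchange Administrator role.
Connect-ExchangeOnline

$internalDomains = (Get-AcceptedDomain).DomainName
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by admins, or by users through Outlook settings).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect to an address outside the tenant's own domains.
#    BEC rules are usually named innocuously and hidden, so inspect every rule that has
#    a forward/redirect action instead of trusting the rule name.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule     = $_
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            # Targets look like '"Name" [SMTP:user@domain]'; pull the domain after the last '@'.
            $external = $targets | Where-Object {
                ($_ -match '@([^\]\s>"]+)') -and ($Matches[1] -notin $internalDomains)
            }
            if ($external) {
                [pscustomobject]@{
                    Mailbox         = $mbx.UserPrincipalName
                    Rule            = $rule.Name
                    ExternalTargets = ($external -join '; ')
                }
            }
        }
}

# 3. Delegation: explicit Full Access and Send As grants to principals other than the owner.
$mailboxes | Get-MailboxPermission |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object Identity, User, AccessRights
$mailboxes | Get-RecipientPermission |
    Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Identity, Trustee, AccessRights

# 4. Prevention: reject automatic forwards from inside the organization to outside recipients.
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted."
```

Run steps 1 to 3 before creating the rule and save the output as a baseline, so next month's run can be diffed against it instead of reviewed from scratch.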
What to Ask Your IT Provider
If you work with a managed security provider or MSP, ask these questions about your M365 tenant:
- Which MFA methods are enforced, and are admin accounts on phishing-resistant MFA?
- How many Conditional Access policies are active, and what do they cover?
- Are legacy authentication protocols fully disabled?
- What is the session lifetime for standard and admin users?
- When was the last time mailbox forwarding rules were audited?
If your provider cannot answer these questions, or if the answers reveal gaps, your identity perimeter is weaker than your firewall. Closing these gaps is the single highest-impact security investment a small business can make in 2026. For the broader context on how identity hardening fits into a complete resilience strategy, read our cyber resilience roadmap for small businesses.
Need Help Hardening Your Microsoft 365 Tenant?
Our team configures and manages M365 security for companies across Texas and Oklahoma.
Get a Free Assessment