Engagement Overview
| Field | Detail |
|---|
| Organization | Manufacturing company (anonymized) |
| Environment | Microsoft 365 Business Premium, ~100 users, Entra ID tenant |
| Objective | Implement Zero Trust security model across M365 tenant — MFA enforcement, Conditional Access, identity hardening |
| Previous State | MFA not enforced, no Conditional Access policies, shared admin credentials, legacy authentication enabled |
| Outcome | MFA enforced for all users · 12 Conditional Access policies · Legacy auth blocked · PIM for privileged roles · Intune device compliance |
Executive Summary
The organization had a standard Microsoft 365 deployment with no meaningful identity security controls. MFA was enabled for approximately 40% of users via the legacy per-user toggle, but was not enforced via policy — meaning users could skip registration indefinitely. Legacy authentication protocols (Basic Auth, IMAP, POP3) remained active, providing a direct MFA bypass path since these protocols don't support modern authentication.
Four users held Global Admin privileges using their daily-driver accounts with shared credentials. This configuration represented a critical identity-based attack surface. A credential phishing campaign or password spray would likely succeed — and with no MFA enforcement and active legacy auth, an attacker would gain full mailbox and potentially tenant-wide access without triggering a second factor.
The Zero Trust project addressed these risks through MFA enforcement via Conditional Access, deployment of 12 CA policies for risk-based access control, complete blocking of legacy authentication, admin account separation with Privileged Identity Management (PIM), and Intune device compliance enforcement — executed over four weeks with each CA policy deployed in report-only mode before enforcement.
Phase 1 — Tenant Assessment
MFA Enrollment Audit
| MFA Status | User Count | Percentage |
|---|
| MFA enrolled and active | ~40 users | ~40% |
| MFA enabled but not registered (user never completed setup) | ~15 users | ~15% |
| MFA not enabled | ~45 users | ~45% |
| MFA enforced via Conditional Access | 0 users | 0% |
Legacy Authentication Analysis
# PowerShell — Query legacy auth sign-ins from Entra ID logs
Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogSignIn -Filter "clientAppUsed eq 'Exchange ActiveSync' or clientAppUsed eq 'IMAP4' or clientAppUsed eq 'POP3' or clientAppUsed eq 'Other clients'" -Top 500
| Legacy Protocol | Active Users | Risk |
|---|
| IMAP4 | 8 users | MFA bypass — IMAP does not support modern auth |
| POP3 | 3 users | MFA bypass — POP3 does not support modern auth |
| Exchange ActiveSync | 12 users | Partial risk — some ActiveSync clients support modern auth |
| Basic Auth (other) | 5 users | MFA bypass — service accounts using Basic Auth |
Key risk: Any user with an active legacy auth session could be compromised via phishing or password spray, and MFA would not protect them because the legacy protocol bypasses it entirely.
Privileged Account Audit
| Finding | Detail |
|---|
| Global Admin accounts | 4 users held Global Admin — all using their standard daily-use accounts |
| Shared credentials | Admin credentials shared among IT staff via informal methods |
| No dedicated admin accounts | No separation between admin and standard user identities |
| No PIM | Privileged roles permanently assigned — no just-in-time elevation |
| No break-glass accounts | No emergency access accounts configured |
Phase 2 — MFA Enforcement
Authentication Method Policy
| Method | Status | Rationale |
|---|
| Microsoft Authenticator (push) | Primary — Required | Phishing-resistant, supports number matching |
| TOTP (authenticator app code) | Secondary — Allowed | Fallback for users without push capability |
| SMS | Disabled | SIM swap attacks; NIST deprecated SMS for MFA |
| Phone call | Disabled | Social engineering / vishing risk |
| Email OTP | Disabled | Email compromise defeats the MFA purpose |
# Configure Authentication Methods Policy via Microsoft Graph
Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations @(
@{
Id = "MicrosoftAuthenticator"
State = "enabled"
IncludeTargets = @(@{ TargetType = "group"; Id = "all_users" })
},
@{
Id = "Sms"
State = "disabled"
}
)
Phased MFA Enforcement
| Phase | Timeline | Action |
|---|
| 1. Communication | Week 1 | Email announcement with instructions; in-person walkthrough for production-floor staff |
| 2. Soft enforcement | Weeks 1–2 | Conditional Access in report-only mode — logs impact, no enforcement |
| 3. Grace period | Weeks 2–3 | MFA enforcement with 14-day registration grace period |
| 4. Hard enforcement | Week 4+ | Grace period expired — users without MFA registration blocked from sign-in |
Phase 3 — Conditional Access Policy Deployment
All 12 policies were deployed using a staged approach: Report-Only (1 week) → Enforce with Exclusion Group (1 week) → Full Enforcement.
Conditional Access Policy Matrix
| # | Policy | Users | Grant/Session Control |
|---|
| 1 | Require MFA — All Users | All users (excl. break-glass) | Require MFA |
| 2 | Require MFA — All Admins | Global Admin, User Admin, Exchange Admin, Security Admin | Require MFA + compliant device |
| 3 | Block Legacy Auth — All Users | All users | Block access via Exchange ActiveSync, Other clients |
| 4 | Block Legacy Auth — Admins | All admin roles | Block access via IMAP, POP3, Other clients |
| 5 | Require Compliant Device — M365 | All users | Require Intune-compliant device for Office 365 apps |
| 6 | Geo-Restriction — Block High-Risk Countries | All users | Block access from named high-risk locations |
| 7 | Risky Sign-In — Require MFA | All users | Require MFA on medium/high sign-in risk (Identity Protection) |
| 8 | High User Risk — Block + Password Reset | All users | Block access; require password change |
| 9 | High Sign-In Risk — Block | All users (excl. break-glass) | Block access on high sign-in risk |
| 10 | Azure Portal — Require MFA | All users | Require MFA + compliant device for Azure Management |
| 11 | Sensitive Data — Compliant Device Required | All users | Require hybrid Azure AD join or compliant device for sensitive SharePoint |
| 12 | Unmanaged Devices — Session Restriction | All users | App-enforced: no download, limited web access |
Phase 4 — Privileged Identity Hardening
Admin Account Separation
| Before | After |
|---|
user@contoso.com — Global Admin + daily email/Teams | user@contoso.com — Standard user (no admin access) |
| — | user.admin@contoso.com — Dedicated admin account (no mailbox, admin portals only) |
| 4 permanent Global Admins, shared credentials | 0 permanent Global Admin — PIM for just-in-time elevation only |
Privileged Identity Management (PIM)
| PIM Setting | Configuration |
|---|
| Eligible roles | Global Admin, Exchange Admin, SharePoint Admin, Security Admin |
| Activation requirement | MFA + justification text required |
| Maximum activation duration | 8 hours |
| Approval required | Yes — for Global Admin; self-approval for other roles |
| Notification on activation | Email to Security distribution group |
PIM Workflow Example:
1. Admin needs to modify tenant-level setting
2. Admin signs into Entra ID with dedicated admin account
3. Admin requests PIM activation for Global Admin role
4. Admin provides MFA + written justification
5. Approval granted (or auto-approved for non-GA roles)
6. Role active for up to 8 hours, then automatically revoked
7. Full audit trail logged in Entra ID audit logs
Phase 5 — Device Compliance (Intune)
Compliance Policy Requirements
| Setting | Requirement |
|---|
| Operating system | Windows 10 21H2 or later / Windows 11 |
| BitLocker | Required — full disk encryption |
| Antivirus | Required — active and up to date (SentinelOne validated via Intune integration) |
| Firewall | Required — Windows Firewall enabled |
| OS patch level | Within 30 days of latest security update |
| Password complexity | Minimum 12 characters |
| TPM | Required — hardware security module present |
Metrics & Outcomes
| Metric | Before | After |
|---|
| MFA coverage | ~40% enrolled, 0% enforced | 100% enforced via Conditional Access |
| Legacy authentication | IMAP, POP3, Basic Auth active | Blocked for all users and admins |
| Conditional Access policies | 0 | 12 policies (report-only → enforced over 4 weeks) |
| Global Admin accounts | 4 users (shared credentials, permanent) | 0 permanent — PIM for just-in-time elevation |
| Admin account separation | None — admin roles on daily-use accounts | Dedicated admin accounts with no mailbox |
| Identity risk monitoring | None | Entra ID Identity Protection + Log Analytics alerts + PIM audit trail |
| Device compliance enforcement | None | Intune — non-compliant devices blocked after 7-day grace |
| Authentication methods | Mixed — SMS, phone call, app (no policy) | Microsoft Authenticator enforced, SMS/phone disabled |
Attack Scenario: Before vs. After
Scenario: Attacker sends phishing email with fake M365 login page to harvest credentials.
| Stage | Before Hardening | After Hardening |
|---|
| Credential capture | Attacker obtains password | Same — phishing still captures the password |
| Authentication | Attacker signs in successfully — no MFA enforced | Blocked — Conditional Access requires MFA |
| Fallback: Legacy auth | Attacker uses IMAP to access mailbox — bypasses MFA | Blocked — Legacy authentication blocked by CA policy |
| Fallback: Password spray | Attacker tries other accounts with common passwords | Blocked — Identity Protection detects spray; CA blocks high-risk sign-ins |
| Privilege escalation | Permanent Global Admin access via shared credentials | Blocked — No mailbox target; PIM requires MFA + approval for elevation |
Findings & Remediation
| # | Finding | Severity | Recommendation |
|---|
| 1 | MFA not enforced — users can skip registration indefinitely | Critical | Enforce MFA via Conditional Access; retire per-user MFA toggle |
| 2 | Legacy auth enabled — IMAP, POP3, Basic Auth active (MFA bypass) | Critical | Block all legacy auth via CA; migrate affected users to modern auth clients |
| 3 | Shared Global Admin credentials | Critical | Individual dedicated admin accounts; PIM for just-in-time elevation |
| 4 | No Conditional Access policies configured | High | Deploy minimum 8 baseline CA policies covering MFA, legacy auth, device compliance |
| 5 | No identity-based risk monitoring or alerting | High | Enable Entra ID Identity Protection; configure alerts for risky sign-ins and impossible travel |
| 6 | No break-glass emergency access accounts | High | Create 2 cloud-only emergency accounts; exclude from CA policies; monitor all sign-ins |
| 7 | SMS enabled as MFA method | Medium | Disable SMS (SIM swap risk, NIST deprecated); enforce Microsoft Authenticator |
| 8 | No device compliance requirements for M365 access | Medium | Enroll devices in Intune; enforce compliance policy; block non-compliant devices via CA |
| 9 | Guest accounts with no access review or expiration | Medium | Configure quarterly access reviews; require MFA for guests; remove stale accounts |
| 10 | No audit log retention policy | Medium | Configure minimum 90-day sign-in log retention; export to Log Analytics |
MITRE ATT&CK Coverage
| Technique ID | Technique | How Mitigated |
|---|
| T1078 | Valid Accounts | MFA enforcement prevents use of stolen credentials without second factor |
| T1110 | Brute Force / Password Spray | Conditional Access + Identity Protection detect and block spray patterns |
| T1556 | Modify Authentication Process | Legacy auth blocking eliminates the primary MFA bypass vector |
| T1566 | Phishing | MFA stops phished credentials from being usable; Identity Protection flags suspicious sign-ins |
| T1098 | Account Manipulation | PIM prevents unauthorized privilege escalation — elevation requires MFA + approval + audit trail |
| T1528 | Steal Application Access Token | Session policies on unmanaged devices limit token exposure |
| T1114 | Email Collection | Legacy auth blocking prevents direct mailbox access via IMAP/POP3 |
Tools Used
This write-up reflects a real-world engagement. Organization details have been anonymized. Security configurations and outcomes are based on actual deployment results.