Identity Security is today the most critical area of IT infrastructure protection. Breach reports such as the Verizon Data Breach Investigations Report consistently rank stolen or abused credentials as the leading way attackers get in, and the dissolution of the traditional network perimeter through remote work and cloud adoption has made user identity the boundary on which access control actually rests. This guide describes concrete, implementation-level steps for IT administrators responsible for securing Microsoft environments (Active Directory, Entra ID) in 2026.
Identity Is the New Security Perimeter
For decades, IT security was built on a castle model: a thick outer wall (firewall, VPN, DMZ) protected everything inside. That model collapsed with the widespread adoption of remote work, SaaS, and cloud computing. Today, users connect to company resources from home networks, coffee shops, and mobile devices — from locations entirely outside any organizational control.
In this context, the control that matters most is identity control: who is connecting, from which device, from which location, at what time, and to which resources. The Verizon Data Breach Investigations Report has ranked stolen or abused credentials as the leading initial-access vector year after year. For an IT administrator, this means one thing: if identity control is weak, the rest of the security infrastructure is largely irrelevant.
Migration to Microsoft 365, Azure, and hybrid models means that classic Active Directory increasingly coexists with Entra ID (formerly Azure AD). A hybrid environment creates new attack vectors, each requiring separate analysis and hardening: password hash synchronisation through Entra Connect (the connector account holds directory replication rights, so the Entra Connect server is a Tier 0 asset and a DCSync target), federation (whoever holds the AD FS token-signing certificate can mint tokens for any user), and pass-through authentication (the agent handles user passwords in cleartext, so a compromised agent host harvests them). Identity Security in 2026 means managing both on-premises and cloud identities.
Identity Security Foundations
Multi-factor authentication (MFA) is a foundation that is not optional in 2026. Obtaining a password through phishing or credential stuffing is trivial — MFA ensures that a password alone is insufficient. The choice of MFA method, however, matters significantly:
- FIDO2 security keys, passkeys and Windows Hello for Business (with certificate-based authentication) are the phishing-resistant methods. Require them for all administrative accounts and accounts with access to sensitive data. The credential is bound to the origin it was registered for, so an adversary-in-the-middle proxy presenting a look-alike site never receives a usable assertion or session. Security keys (YubiKey, Google Titan) or TPM-backed Windows Hello satisfy this. They do not protect a session token stolen later from a compromised endpoint; that is what device compliance is for.
- Authenticator app (Microsoft Authenticator, Duo) is the minimum for all users and is significantly better than SMS, which is vulnerable to SIM swapping. Number matching is now enforced by Microsoft for all Authenticator push notifications; additionally enable "additional context" (application name and sign-in location) so users can recognise a push they did not initiate, and "Report suspicious activity" so that a reported push raises the user's risk level instead of being silently denied.
- SMS/email OTP: avoid where possible. SMS is vulnerable to SIM swapping and SS7 interception; email OTP is only as strong as the mailbox it lands in. Acceptable only as a fallback for users without a smartphone.
Conditional Access in Entra ID is the policy engine that determines who can access resources, from where, and under what conditions. Key policies to implement:
- Require MFA for all users, with no exceptions for "legacy" or shared accounts. The one deliberate exclusion is the emergency-access (break-glass) accounts, which are instead protected by FIDO2 keys kept offline and by an alert on every sign-in. Service principals cannot do interactive MFA; govern them separately (managed identities, workload identity policies, credential rotation) rather than carving exceptions out of the user policy.
- Block legacy authentication (basic auth for IMAP, POP, SMTP AUTH, Exchange ActiveSync without modern auth). These clients cannot perform MFA, so an MFA policy is hollow while they remain reachable. Check the sign-in log filtered by client app type first to find what still uses them.
- Block sign-ins from countries where your organisation does not operate, using named locations. Treat this as noise reduction rather than a security boundary; an attacker using a VPN exit in your country is not stopped by it.
- Require device compliance for access to corporate data — unmanaged devices should have limited or zero access.
- Sign-in risk and user risk policies — automatic block or re-verification requirement when suspicious activity is detected.
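The three policies that most environments should start with, written as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original article). It assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, and the break-glass group ID is replaced with your own. Policies are created in report-only mode on purpose; the sign-in log's report-only tab then shows what each policy would have blocked before anything is enforced.

```powershell
# Added example, not code from the original article. Creates three baseline Conditional Access policies
# with the Microsoft.Graph PowerShell SDK in report-only mode. Assumed: Microsoft.Graph module installed,
# Conditional Access Administrator role held, and the break-glass group ID below replaced with yours.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # hypothetical: group holding the emergency-access accounts
$ReportOnly        = "enabledForReportingButNotEnforced"

# Role template IDs are identical in every tenant; resolving them by name avoids hard-coding GUIDs.
$adminRoleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in "Global Administrator", "Security Administrator", "Conditional Access Administrator" } |
    Select-Object -ExpandProperty Id

# The built-in authentication strength "Phishing-resistant MFA" (FIDO2, passkeys, WHfB, CBA) has this fixed ID.
$PhishingResistantStrength = "00000000-0000-0000-0000-000000000004"

$policies = @(
    @{
        displayName   = "CA001 - Require MFA for all users"
        state         = $ReportOnly
        conditions    = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        # Legacy clients cannot do MFA, so CA001 alone leaves a bypass; this closes it.
        displayName   = "CA002 - Block legacy authentication"
        state         = $ReportOnly
        conditions    = @{
            clientAppTypes = @("exchangeActiveSync", "other")
            applications   = @{ includeApplications = @("All") }
            users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "CA003 - Phishing-resistant MFA for admin roles"
        state         = $ReportOnly
        conditions    = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = @{ includeRoles = @($adminRoleIds); excludeGroups = @($BreakGlassGroupId) }
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $PhishingResistantStrength } }
    }
)

$existing = Get-MgIdentityConditionalAccessPolicy -All | Select-Object -ExpandProperty DisplayName
foreach ($p in $policies) {
    if ($p.displayName -in $existing) { Write-Host "Exists, skipping: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created {0} [{1}] state={2}" -f $created.DisplayName, $created.Id, $created.State)
}

# After reviewing a week of report-only data, enforce one policy at a time:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled
```

The admin policy grants on an authentication strength rather than the generic "mfa" control; that is what makes SMS or a plain push insufficient for those roles. The break-glass group is excluded from all three policies, which is only safe if those accounts have their own FIDO2 keys and a sign-in alert.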
Least Privilege: review user permissions regularly and remove excessive roles. Projects end, but permissions often remain indefinitely. Use time-bound access for project work and for sensitive resources (access packages with an expiry date in Entra ID Governance, PIM for Groups, or TTL-based group membership on-premises) so that permissions expire automatically instead of waiting for someone to remember.
Securing Privileged Accounts
Privileged accounts (Domain Admin, Enterprise Admin, Global Admin in M365) are the primary target for attackers — compromising a single such account often means full control over the infrastructure. Protecting these accounts requires separate, rigorous procedures.
Privileged Access Management (PAM): storing privileged account credentials in a secure vault, recording administrative sessions, and requiring dual approval for critical operations. Vault products (CyberArk, Delinea) make credential theft harder and create a full audit trail of administrative actions. Microsoft Entra PIM belongs in the same conversation but solves a different part of the problem: it does not vault passwords, it removes standing role assignments (see Just-in-Time Access below).
Tiered Access Model — the three-tier model separates administrative from user environments:
- Tier 0: domain controllers, PKI/AD CS, AD FS, Entra Connect servers, backup systems holding DC backups, and identity management tools. Access only from dedicated, isolated administrative workstations (PAWs, Privileged Access Workstations). Anything that can write to Tier 0, including the management tooling and the backups, is Tier 0 itself.
- Tier 1: application servers, file servers — separate administrative accounts, not used for daily work.
- Tier 2: user workstations, with the local administrator password unique per machine and rotated by Windows LAPS (stored in AD or Entra ID), so that one compromised workstation does not hand over the rest.
Just-in-Time Access (JIT) through Microsoft Entra PIM (Privileged Identity Management): no permanent (active) assignments to Global Administrator or other Entra roles; administrators are merely eligible. Privileges are activated on demand for a pre-defined period (e.g. 1-4 hours), require a justification, and are approved by a designated approver or automatically once the configured conditions (MFA, authentication context) are met. After the time limit, the role is revoked automatically. Note that Entra PIM governs Entra roles, Azure resource roles and PIM-enabled groups; membership in on-premises Domain Admins needs its own time-bound mechanism (the AD Privileged Access Management optional feature, or a PAM product).
Dedicated administrative accounts: an administrator should never use their privileged account for everyday tasks (email, browser, Teams). A separate "admin" account is used exclusively for administrative tasks, from a dedicated, secured workstation. For Entra roles, make those accounts cloud-only rather than synchronised from Active Directory, so that an on-premises compromise does not automatically extend to the tenant. Mixing roles dramatically increases the attack surface.
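The two halves of time-bound privilege described in the Least Privilege paragraph and here, as an added example that is not code from the article: Entra PIM eligibility and self-activation through Microsoft Graph PowerShell, followed by the on-premises equivalent for Domain Admins using the ActiveDirectory module's member time-to-live. It assumes both modules are installed, the caller is a Privileged Role Administrator (and a Domain Admin for part 2), and the account name, UPN and ticket number are placeholders.

```powershell
# Added example, not code from the article. Part 1: Entra PIM via Microsoft Graph PowerShell.
# Part 2: on-premises time-bound Domain Admins membership. Assumed: Microsoft.Graph and
# ActiveDirectory modules installed; account name, UPN and ticket reference are placeholders.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read.All"

$adminUpn  = "adm-kowalski@contoso.example"        # hypothetical dedicated, cloud-only admin account
$principal = Get-MgUser -UserId $adminUpn
$gaRole    = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.DisplayName -eq "Global Administrator" }

# 1a. Eligible, not active: the admin can request the role but holds nothing until activation.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Eligible for Global Administrator; activation per change ticket"
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $principal.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDateTime"; endDateTime = (Get-Date).AddMonths(12).ToUniversalTime() }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility | Out-Null

# 1b. What the admin runs when a task needs the role: a two-hour self-activation with a justification.
#     If the role setting requires approval, Status comes back as PendingApproval instead of Provisioned.
$activation = @{
    action           = "selfActivate"
    principalId      = $principal.Id
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    justification    = "INC-12345: tenant-wide Conditional Access change"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
$req | Select-Object Id, Action, Status, CreatedDateTime

# 2. On-premises Domain Admins: enable the forest's Privileged Access Management optional feature once
#    (this cannot be undone), then grant membership with a time-to-live. AD drops the member when the TTL
#    expires, and the KDC caps the user's ticket lifetime at the remaining TTL.
Import-Module ActiveDirectory
$forestName = (Get-ADForest).Name
if (-not (Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"').EnabledScopes) {
    Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target $forestName
}
Add-ADGroupMember -Identity "Domain Admins" -Members "adm-kowalski" -MemberTimeToLive (New-TimeSpan -Hours 2)

# TTL members are listed as <TTL=<seconds remaining>,<DN>>; permanent members have no TTL prefix,
# which makes this one-liner a quick audit of who still holds standing Domain Admin membership.
(Get-ADGroup "Domain Admins" -Properties member -ShowMemberTimeToLive).member
```

Approval requirements, maximum activation duration and the MFA-on-activation requirement are properties of the role setting, not of the request; configure those once per role in the PIM portal, and the request above simply inherits them.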
Hardening Active Directory
Active Directory remains the primary target for attackers — it controls access to virtually all organizational resources. Securing it requires a systematic, data-driven approach rather than one based on intuition.
BloodHound with its SharpHound collector is a free tool for graphically mapping attack paths in Active Directory. SharpHound collects relationships between AD objects (users, groups, computers, GPOs, ACLs, logged-on sessions), while BloodHound visualises the paths leading to Domain Admin. Collection is noisy: it enumerates sessions and local groups on every reachable computer, so expect Defender for Identity and EDR alerts and inform your SOC beforehand. Run it outside working hours or against a lab copy. The output shows how an attacker could escalate from a regular user to Domain Admin, often in a handful of hops. Eliminate the identified paths systematically, starting with the shortest ones and with the choke-point objects that many paths run through.
Protected Users Security Group: membership in this group switches off the weak authentication mechanisms for the account: NTLM, DES and RC4 in Kerberos pre-authentication, Kerberos delegation (constrained and unconstrained), cached credentials for offline sign-in, and long-lived TGTs (four-hour lifetime, no renewal). Members must authenticate via Kerberos AES, which neutralises Pass-the-Hash for those accounts and shrinks the window for Pass-the-Ticket. Add all domain administrators to this group, but keep the emergency-access account out (you need a way in if Kerberos is broken) and never add service or computer accounts: delegation and NTLM are precisely what many services depend on, so they break rather than become safer. Migrate such services to group managed service accounts instead, and verify an interactive logon after each account is added.
Disabling NTLM: NTLM is a legacy authentication protocol vulnerable to relay attacks and Pass-the-Hash. The goal is to disable it entirely (the "Network security: Restrict NTLM" policies), but first audit which applications use it. The logon type in event 4624 does not tell you this; the "Authentication Package" field (NTLM) does, and the "Package Name (NTLM only)" field distinguishes NTLM V1 from NTLM V2, with V1 the first thing to eliminate. The DC-side "Audit NTLM authentication in this domain" setting additionally writes every NTLM authentication to the NTLM/Operational log. Phased approach: audit first, add server exceptions for applications that genuinely cannot be migrated, then deny NTLM to domain controllers, then between servers. In parallel, enforce LDAP signing and LDAP channel binding on domain controllers to prevent LDAP relay attacks; the Directory Service log (event 2889, once the LDAP Interface Events diagnostic level is raised) shows which clients still bind unsigned.
Regular AD audits: review AdminSDHolder (accounts with adminCount=1, including those that left the protected groups but kept the flag and its locked-down ACL), nested group memberships, and accounts with service principal names (Kerberoasting targets, especially where RC4 is still allowed and the password is old or short; migrate them to gMSAs, which rotate long random passwords automatically). Check the age of the krbtgt password as well and rotate it twice when stale, since a stale one lets forged Golden Tickets survive indefinitely. Ping Castle (free) generates an Active Directory health score and identifies specific issues to fix. We recommend running it quarterly and tracking score improvement over time.
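Populating Protected Users safely is mostly about what not to add. The script below is an added example, not code from the article: it walks the Tier 0 groups and adds user accounts to Protected Users while refusing the break-glass account, anything carrying an SPN, and accounts whose encryption-type attribute explicitly excludes AES. It assumes the ActiveDirectory module, and the group and account names are placeholders.

```powershell
# Added example, not code from the article. Adds Tier 0 administrators to Protected Users while refusing
# the accounts the group would break. Assumed: ActiveDirectory module; group and account names are
# placeholders for your environment.
Import-Module ActiveDirectory

$tier0Groups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"
$breakGlass  = "da-breakglass"                    # hypothetical emergency account, deliberately kept out
$alreadyIn   = (Get-ADGroupMember "Protected Users" -Recursive).SamAccountName

$candidates = $tier0Groups |
    ForEach-Object { Get-ADGroupMember $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq "user" } |
    Sort-Object SamAccountName -Unique

foreach ($c in $candidates) {
    $u = Get-ADUser $c.SamAccountName -Properties ServicePrincipalName, PasswordLastSet, "msDS-SupportedEncryptionTypes"
    if ($u.SamAccountName -eq $breakGlass) { Write-Warning "Skipping break-glass account $($u.SamAccountName)"; continue }
    if ($u.ServicePrincipalName.Count -gt 0) {
        # Services rely on NTLM and delegation; as a Protected User the account simply stops working. Use a gMSA.
        Write-Warning "Skipping $($u.SamAccountName): has SPN(s); service accounts must not join Protected Users"; continue
    }
    if ($u.SamAccountName -in $alreadyIn) { continue }
    # If msDS-SupportedEncryptionTypes is set and has neither AES bit (0x8 AES128, 0x10 AES256), the account
    # cannot authenticate at all once NTLM and RC4 are refused.
    $enc = $u."msDS-SupportedEncryptionTypes"
    if ($enc -and (($enc -band 0x18) -eq 0)) {
        Write-Warning "Skipping $($u.SamAccountName): AES disabled on the account; enable AES and reset the password first"; continue
    }
    Add-ADGroupMember -Identity "Protected Users" -Members $u
    Write-Host "Added $($u.SamAccountName) to Protected Users; verify an interactive logon before the next account"
}

# Authentication failures caused by the group land in a dedicated DC log that is disabled by default.
wevtutil sl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" /e:true
Get-WinEvent -LogName "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it on a domain controller or a machine with RSAT, one Tier 0 group at a time in a large forest; the per-account warnings are the useful output, because each one is a service account that should become a gMSA before it is hardened any further.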
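An inventory of who still authenticates with NTLM, and against which DC, is the prerequisite for the phased restriction above. The block below is an added example, not code from the article: it pulls 4624 events whose authentication package is NTLM from a DC's Security log, summarises them by account, NTLM version and source, and then shows the two audit switches (NTLM domain auditing and LDAP interface diagnostics) as registry writes. It assumes rights to read the Security log of the DC passed in `-ComputerName`, that "Audit Logon" success auditing is on, and that the DC name is a placeholder; in production the two registry values are set by GPO rather than by hand.

```powershell
# Added example, not code from the article. Summarises NTLM logons from a DC's Security log so the sources
# can be migrated before "Restrict NTLM" is set to Deny. Assumed: rights to read the DC's Security log,
# "Audit Logon" success auditing enabled, DC name "DC01" is a placeholder.
function Get-NtlmLogonSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

    # The logon type does not identify NTLM; the AuthenticationPackageName field does.
    $ms    = $Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            [pscustomobject]@{
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Version     = $d.LmPackageName          # "NTLM V1" or "NTLM V2"; V1 goes first
                LogonType   = $d.LogonType              # 3 = network, the usual relay exposure
                SourceIP    = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        } |
        Group-Object User, Version, SourceIP |
        ForEach-Object {
            [pscustomobject]@{
                Count       = $_.Count
                User        = $_.Group[0].User
                Version     = $_.Group[0].Version
                SourceIP    = $_.Group[0].SourceIP
                Workstation = $_.Group[0].Workstation
            }
        } | Sort-Object Count -Descending
}

Get-NtlmLogonSummary -ComputerName "DC01" -Hours 168 | Format-Table -AutoSize

# Phase 1 on the DCs, normally via GPO ("Network security: Restrict NTLM: Audit NTLM authentication in this
# domain" = Enable all). Every NTLM authentication then also lands as event 8004 in NTLM/Operational with
# the account, workstation and secure-channel (server) name.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name AuditNTLMInDomain -Value 7 -Type DWord
Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational" -FilterXPath "*[System[EventID=8004]]" -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# LDAP side: raise "16 LDAP Interface Events" to 2 and watch for 2889 (a client performed an unsigned bind).
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" -Name "16 LDAP Interface Events" -Value 2 -Type DWord
Get-WinEvent -LogName "Directory Service" -FilterXPath "*[System[EventID=2889]]" -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run the summary against every DC, not just one, because clients authenticate to whichever DC the locator returns; a source that shows up with "NTLM V1" is either an unpatched device or an application with LMCompatibilityLevel forced down, and both need fixing before the Deny phase.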
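The quarterly audit items above as one read-only script, added here as an example and not taken from the article: Kerberoastable accounts with the RC4/password-age/privilege flags that decide which ones matter, the krbtgt password age, orphaned adminCount=1 accounts, and members who reach Domain Admins only through nesting. It assumes the ActiveDirectory module on a domain-joined machine; the 365-day threshold and the protected-group list are ours.

```powershell
# Added example, not code from the article: four read-only checks for the quarterly AD audit.
# Assumed: ActiveDirectory module on a domain-joined machine; thresholds and group list are ours.
Import-Module ActiveDirectory

# 1. Kerberoasting exposure: user accounts carrying SPNs. RC4 is allowed when msDS-SupportedEncryptionTypes
#    is unset (the DC default applies) or when bit 0x4 is set; AES bits are 0x8 (AES128) and 0x10 (AES256).
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet, AdminCount, "msDS-SupportedEncryptionTypes" |
    Where-Object { $_.SamAccountName -ne "krbtgt" } |
    ForEach-Object {
        $enc = $_."msDS-SupportedEncryptionTypes"
        [pscustomobject]@{
            Account     = $_.SamAccountName
            Rc4Allowed  = (-not $enc) -or (($enc -band 0x4) -ne 0)
            PasswordAge = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { -1 }
            IsAdmin     = ($_.AdminCount -eq 1)
            SPNs        = ($_.ServicePrincipalName -join "; ")
        }
    }
"--- Kerberoastable accounts needing action (RC4 allowed, password older than a year, or privileged) ---"
$spnAccounts | Where-Object { $_.Rc4Allowed -or $_.PasswordAge -gt 365 -or $_.IsAdmin } | Format-Table -AutoSize

# 2. krbtgt: a stale password means a forged Golden Ticket keeps validating. Rotate twice, at least
#    10 hours apart (the maximum TGT lifetime), so that tickets signed with the old key expire in between.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
"krbtgt password age: {0} days" -f ((Get-Date) - $krbtgt.PasswordLastSet).Days

# 3. Orphaned AdminSDHolder protection: adminCount=1 accounts no longer in any protected group.
#    SDProp sets the flag but never clears it, so these keep the locked-down ACL and no inheritance.
$protectedGroups  = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                    "Account Operators", "Server Operators", "Backup Operators", "Print Operators"
$protectedMembers = $protectedGroups |
    ForEach-Object { Get-ADGroupMember $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty DistinguishedName -Unique
"--- adminCount=1 accounts outside every protected group ---"
Get-ADUser -Filter 'AdminCount -eq 1' |
    Where-Object { $_.DistinguishedName -notin $protectedMembers -and $_.SamAccountName -ne "krbtgt" } |
    Select-Object SamAccountName, DistinguishedName

# 4. Nesting: principals that reach Domain Admins only through another group. BloodHound draws the same edge.
$direct = (Get-ADGroupMember "Domain Admins").SamAccountName
"--- Domain Admins reached through nesting ---"
Get-ADGroupMember "Domain Admins" -Recursive |
    Where-Object { $_.SamAccountName -notin $direct } |
    Select-Object SamAccountName, objectClass
```

Keep the output of each run; the point of a quarterly audit is the diff, and an account that appears in section 1 with `IsAdmin` true is the single most urgent item on the list, because a cracked service ticket then hands over a privileged account directly.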
Monitoring and Detection
Hardening is necessary but not sufficient — monitoring that detects attacks bypassing defences is also essential. Microsoft environments provide powerful tools, often already paid for within M365 licences.
Microsoft Entra ID Protection automatically assesses the risk of each sign-in (sign-in risk) and each user (user risk) based on signals from Microsoft's global telemetry. Conditional Access risk policies can require MFA for a risky sign-in and force a secure password change, or block outright, for a user whose risk is high; triggers include sign-ins from anonymous IPs, impossible travel, leaked credentials, and compromised devices.
Microsoft Defender for Identity (MDI) is a sensor installed on domain controllers (and on AD FS, AD CS and Entra Connect servers) that analyses Kerberos, NTLM, and LDAP traffic in real time. It detects attacks such as Pass-the-Hash, Pass-the-Ticket, Kerberoasting, DCSync, Golden Ticket, and AD reconnaissance. MDI is particularly valuable because it monitors the on-premises environment, where cloud-native tools cannot reach.
SIEM alerts: regardless of the SIEM platform, key identity correlation rules include privileged account logons outside standard hours, membership changes in privileged groups (Domain Admins, Enterprise Admins), GPO modifications, creation of new administrative accounts, mass account lockouts (which usually indicate password spraying), and any sign-in by a break-glass account. Each of these events should generate an alert requiring administrator review.
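The correlation rules above, implemented as a single function and run over a constructed set of sample events. This is an added example and not code from the article; a SIEM would express the same logic in KQL or SPL, and the rule structure is what carries over. Real Security events are first normalised to the fields used here, which the SIEM does for you; the group list, the "adm-" naming convention for admin accounts, the working hours, and every name, IP and GUID in the sample are assumptions.

```powershell
# Added example, not code from the article: the correlation rules as one PowerShell function, exercised
# against constructed sample events. Assumptions: events normalised to the fields below; the privileged
# group list, the "adm-" admin prefix, the working hours and all names/IPs are invented.
$PrivilegedGroups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"
$AdminPrefix      = "adm-"
$WorkHours        = 7..19                       # 07:00-19:59 local time counts as standard hours

function New-Alert($Severity, $Rule, $Detail, $Time) {
    [pscustomobject]@{ Severity = $Severity; Rule = $Rule; Detail = $Detail; Time = $Time }
}

function Get-IdentityAlerts {
    param([object[]]$Events)
    $alerts = @()
    foreach ($e in $Events) {
        switch ($e.EventID) {
            { $_ -in 4728, 4732, 4756 } {              # member added to global / local / universal group
                if ($e.TargetGroup -in $PrivilegedGroups) {
                    $alerts += New-Alert High PrivGroupChange "$($e.SubjectUser) added $($e.MemberName) to $($e.TargetGroup)" $e.Time
                }
            }
            4720 {                                      # user account created
                if ($e.TargetUser -like "$AdminPrefix*") {
                    $alerts += New-Alert High NewAdminAccount "$($e.SubjectUser) created $($e.TargetUser)" $e.Time
                }
            }
            { $_ -in 5136, 5137 } {                     # directory object modified / created
                if ($e.ObjectClass -eq "groupPolicyContainer") {
                    $alerts += New-Alert Medium GpoModified "$($e.SubjectUser) changed $($e.ObjectDN)" $e.Time
                }
            }
            4624 {                                      # successful logon
                if ($e.TargetUser -like "$AdminPrefix*" -and $e.Time.Hour -notin $WorkHours) {
                    $alerts += New-Alert Medium AdminLogonOffHours "$($e.TargetUser) from $($e.SourceIP) at $($e.Time.ToString('HH:mm'))" $e.Time
                }
            }
        }
    }
    # Lockouts are judged as a burst, not per event: five or more within ten minutes looks like a spray.
    $lockouts = @($Events | Where-Object { $_.EventID -eq 4740 } | Sort-Object Time)
    if ($lockouts.Count -ge 5) {
        $window = $lockouts[-1].Time - $lockouts[0].Time
        if ($window.TotalMinutes -le 10) {
            $alerts += New-Alert High MassLockout "$($lockouts.Count) lockouts in $([int]$window.TotalMinutes) min from $($lockouts[0].SourceHost)" $lockouts[0].Time
        }
    }
    return $alerts
}

# Constructed sample: an off-hours admin logon followed by a privilege grab, one benign change, and a spray.
$t = Get-Date "2026-03-02 02:13:00"
$sampleEvents = @(
    [pscustomobject]@{ EventID = 4624; Time = $t;               TargetUser = "adm-kowalski"; SourceIP = "10.0.5.23" }
    [pscustomobject]@{ EventID = 4728; Time = $t.AddMinutes(2); SubjectUser = "adm-kowalski"; MemberName = "svc-backup"; TargetGroup = "Domain Admins" }
    [pscustomobject]@{ EventID = 4720; Time = $t.AddMinutes(3); SubjectUser = "adm-kowalski"; TargetUser = "adm-helper" }
    [pscustomobject]@{ EventID = 5136; Time = $t.AddMinutes(4); SubjectUser = "adm-kowalski"; ObjectClass = "groupPolicyContainer"; ObjectDN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example" }
    [pscustomobject]@{ EventID = 4728; Time = $t.AddHours(9);   SubjectUser = "adm-nowak";   MemberName = "jsmith";     TargetGroup = "Sales" }   # benign
    foreach ($i in 1..6) { [pscustomobject]@{ EventID = 4740; Time = $t.AddMinutes(30 + $i); TargetUser = "user$i"; SourceHost = "WS-042" } }
)
Get-IdentityAlerts -Events $sampleEvents | Sort-Object Time | Format-Table Severity, Rule, Detail -AutoSize
```

On the sample this yields five alerts (the off-hours logon, the Domain Admins change, the new adm- account, the GPO edit and the lockout burst) and correctly ignores the Sales group change. The part worth copying into a real SIEM rule set is the split between per-event rules and the windowed lockout rule: a single 4740 is noise, six in six minutes from one host is a detection.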
Deploying the full identity monitoring stack — Entra ID Protection, MDI, and SIEM — creates a detection layer that significantly reduces attack dwell time. This directly translates to lower operational and financial losses in the event of an incident.
How ExColo Can Help
ExColo specialises in identity security in Microsoft environments — from Active Directory audits through PAM and Zero Trust implementation to building monitoring processes. We work directly with IT administrators, delivering concrete technical solutions rather than generic recommendations.
Our Identity Security services include: AD security assessment using Ping Castle and BloodHound, MFA and Conditional Access deployment, PAM design and implementation, Entra ID and hybrid environment hardening, and Microsoft Defender for Identity configuration.
Contact us to discuss the state of identity security in your organization: ExColo contact form.