Azure Active Directory (now rebranded as Microsoft Entra ID) sits at the heart of identity management for millions of organisations. It controls who can access what, on which devices, and under what conditions. When it is configured well, it is a powerful security control. When it is not, it becomes one of the easiest paths into an organisation for attackers.
The most significant gaps in Azure AD deployments share a common thread: they result from default settings, rapid deployment, or the complexity of managing permissions at scale. Understanding where these gaps appear is the first step to closing them.
Legacy Authentication Protocols
Legacy authentication protocols do not support modern MFA. Services like IMAP, SMTP, and POP3 bypass conditional access policies entirely. An attacker who obtains credentials through phishing or a breach can authenticate against these endpoints and gain access without needing to satisfy any MFA challenge.
Microsoft has been pushing organisations to block legacy authentication for years. Many have not, often because a legacy application or process depends on it. But that dependency is worth resolving. Every day that legacy authentication remains enabled is a day that MFA provides less protection than your security team believes.
Overprivileged Users and Service Accounts
Global Administrator is Azure AD’s most powerful role. It should belong to a very small number of accounts used only for administrative tasks, not for day-to-day work. In practice, many organisations have accumulated Global Admins over time: accounts that were elevated for a project, a migration, or an onboarding task and never reviewed.
Service accounts present a similar challenge. Applications that use service accounts often have more permissions than they need. Over-provisioned service accounts can be abused for lateral movement or privilege escalation if their credentials are compromised.
Conditional Access Policy Gaps

Conditional access is Azure AD’s most powerful security control. It lets you define the conditions under which users can access resources: requiring MFA for certain applications, blocking access from risky locations, or requiring compliant devices.
The gaps emerge in the details. Policies that apply only to named applications leave every other application unprotected. Exclusions added for convenience are never reviewed. Policies that apply to most users exempt the service accounts or emergency access accounts that attackers specifically target.
Azure penetration testing works through these configurations systematically, identifying gaps that create real risk. Testing the conditional access layer against realistic attack scenarios reveals whether your policies hold up under pressure.
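The two gaps described above, successful legacy-protocol sign-ins and sign-ins that no conditional access policy evaluated, both show up in the tenant's sign-in log. The following is an added example, not code from the original article or from any Microsoft tooling: it audits sign-in records in the field layout of the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, conditionalAccessStatus, status.errorCode), using constructed sample records rather than data from a real tenant.

```python
"""Flag legacy-auth use and conditional access gaps in exported sign-in records."""

# Client types Entra ID reports for legacy (basic-auth) protocols; none of
# these can complete an MFA challenge.
LEGACY_CLIENTS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}


def classify(record):
    """Return the list of findings for one sign-in record (empty if clean)."""
    findings = []
    succeeded = record.get("status", {}).get("errorCode", 0) == 0
    client = record.get("clientAppUsed", "")
    if client in LEGACY_CLIENTS:
        # A success here means credentials alone were enough: no MFA was involved.
        findings.append("legacy-auth-success" if succeeded else "legacy-auth-attempt")
    elif succeeded and record.get("conditionalAccessStatus") == "notApplied":
        # Modern client, successful sign-in, yet no policy was in scope: the user or
        # application sits in an exclusion or outside every named-application policy.
        findings.append("ca-not-applied")
    return findings


def audit(records):
    """Group affected user principal names under each finding type."""
    report = {}
    for record in records:
        for finding in classify(record):
            report.setdefault(finding, []).append(record.get("userPrincipalName", "?"))
    return report


# Constructed sample records (hypothetical users, not from any real tenant).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "IMAP4",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "SMTP",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},  # bad password
    {"userPrincipalName": "break-glass@example.com", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for finding, users in audit(SAMPLE_SIGNINS).items():
        print(f"{finding}: {', '.join(users)}")
```

Run it over a JSON export of the real sign-in log (one record per entry) to list which accounts still authenticate over legacy protocols and which successful sign-ins no policy covered.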
Consent and App Permissions
Azure AD allows users to grant third-party applications access to their data. Without controls, any user can consent to an application reading their email, calendar, or files. OAuth consent phishing attacks exploit this by delivering links that prompt users to consent to malicious applications that appear legitimate.
Restricting app consent permissions and requiring admin approval for new application registrations removes this vector. Regularly auditing existing consent grants will surface applications that users have connected to your tenant over time.
Securing Azure AD Effectively
Start with the Microsoft Secure Score recommendations. They are not comprehensive, but they surface the most impactful configuration gaps and give you a consistent benchmark.
Enable Privileged Identity Management (PIM) for administrative roles. PIM requires justification and approval for role elevation, creates an audit trail, and limits the window during which privileged access is active.
Working with a penetration testing company that understands Azure identity deeply gives you a view of your configuration that goes beyond the built-in tooling. Real-world testing validates whether your controls hold up in practice.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“Azure AD misconfigurations are one of the most common findings in our cloud assessments. The complexity of the platform means that even well-intentioned configurations often have gaps. A regular, structured review makes a significant difference.”