
The Identity Security Checklist Every SMB Should Follow (Before It’s Too Late)

7 January 2026 by Jaspreet Singh

Let me be clear: most SMB breaches don’t happen because hackers are especially clever. 

They happen because:

  • MFA was “planned.”
  • Admin access was never reviewed
  • Old accounts were never disabled
  • And identity security was treated as optional

I see this every single week in production tenants. So rather than focusing on theory, frameworks, or vendor presentations, here’s a practical identity security checklist for SMBs, based on what I actually fix after incidents. If you’re using Microsoft 365 and Microsoft Entra ID, this applies directly to you.

1. Inventory Your Identities (Most SMBs Skip This)

If you don’t know who can sign in, you don’t have real security. You’re just hoping for the best. Check for:

  • Former employees whose accounts are still enabled
  • Shared mailboxes with passwords
  • Vendor or contractor accounts
  • Test accounts created “temporarily”

Rule:

If an account can sign in, it must have:

  • A real owner
  • A real business reason
  • A review date

If there’s no owner, disable the account.
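To make the rule concrete, here is an added example (my own Python, not code from the article or from Microsoft) that runs the three-part rule over a constructed account export. The field names (owner, reason, review_date, last_sign_in), the fixed "today" and the 90-day staleness threshold are assumptions for the example; a real Entra ID user export would have to be mapped onto them.

```python
"""Identity inventory check (added example; my own code, not the article's or Microsoft's).
Applies the rule above to a constructed account export: every enabled account needs
an owner, a business reason and a review date, and no owner means disable.
Field names and the 90-day staleness threshold are assumptions, not an Entra ID schema."""
from datetime import date, timedelta

TODAY = date(2026, 1, 7)              # fixed so the example is deterministic
STALE_AFTER = timedelta(days=90)      # assumption: 90 days without a sign-in is stale

# Constructed sample export; last_sign_in None means no sign-in was ever recorded.
ACCOUNTS = [
    {"upn": "alice@contoso.example", "enabled": True, "owner": "alice@contoso.example",
     "reason": "Employee", "review_date": date(2026, 3, 31), "last_sign_in": date(2026, 1, 5)},
    {"upn": "bob.left@contoso.example", "enabled": True, "owner": None,
     "reason": None, "review_date": None, "last_sign_in": date(2025, 6, 2)},
    {"upn": "shared-sales@contoso.example", "enabled": True, "owner": "alice@contoso.example",
     "reason": "Shared mailbox", "review_date": date(2025, 12, 1), "last_sign_in": date(2025, 11, 20)},
    {"upn": "vendor-msp@contoso.example", "enabled": True, "owner": "it@contoso.example",
     "reason": "MSP support", "review_date": date(2026, 6, 30), "last_sign_in": None},
    {"upn": "test-temp@contoso.example", "enabled": False, "owner": None,
     "reason": None, "review_date": None, "last_sign_in": None},
]


def review_account(acct, today=TODAY):
    """Findings for one account; an empty list means it passes.
    Disabled accounts are skipped: they cannot sign in, so the rule does not apply."""
    findings = []
    if not acct["enabled"]:
        return findings
    if not acct["owner"]:
        findings.append("no owner: disable")        # the article's rule: no owner, disable it
    if not acct["reason"]:
        findings.append("no business reason")
    if acct["review_date"] is None:
        findings.append("no review date")
    elif acct["review_date"] < today:
        findings.append("review overdue")
    last = acct["last_sign_in"]
    if last is None or today - last > STALE_AFTER:
        findings.append("stale: no sign-in in %d days" % STALE_AFTER.days)
    return findings


def inventory_report(accounts, today=TODAY):
    """Map UPN -> findings for every enabled account that fails at least one check."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["upn"]] = findings
    return report


def accounts_to_disable(accounts, today=TODAY):
    """The accounts the rule says to disable outright: enabled, but nobody owns them."""
    return sorted(upn for upn, findings in inventory_report(accounts, today).items()
                  if "no owner: disable" in findings)


if __name__ == "__main__":
    for upn, findings in inventory_report(ACCOUNTS).items():
        print(upn, "->", "; ".join(findings))
    print("disable:", accounts_to_disable(ACCOUNTS))
```

On the sample data the only account that must be disabled is the former employee; the shared mailbox is merely overdue for review and the vendor account has never signed in, which is worth asking the MSP about before the review date arrives.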

2. Eliminate Permanent Admin Access

This is one of the biggest SMB mistakes I see. Global Admin ≠ daily admin.

Yet many SMBs run like this:

  • IT user = Global Admin
  • Office manager = Global Admin
  • External MSP = Global Admin forever

That isn’t convenience. It’s a serious risk.

What to do instead

  • Zero permanent admin roles for daily accounts
  • Use role-based admin access
  • Elevate only when required

If just one admin account is compromised, you could lose access to your entire system.
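The following is an added example (my own Python, not the article's code and not a PIM export format) that audits a constructed list of role assignments for exactly the patterns above: permanent roles on daily-use accounts, permanent roles held by an external MSP identity, and too many Global Administrators. The flags daily_use, external and break_glass, and the limit of four Global Administrators, are assumptions I made for the example; the only real value is the role name.

```python
"""Admin role assignment audit (added example; my own code, not the article's or Microsoft's).
Flags the checklist's anti-patterns: permanent role assignments on daily-use accounts,
permanent roles held by external (MSP) identities, and too many Global Administrators.
The records are constructed and the field names are my own, not a PIM export schema."""

GLOBAL_ADMIN = "Global Administrator"
MAX_GLOBAL_ADMINS = 4   # assumption for the example: alert when more accounts hold the role

# Constructed sample. 'kind' is 'permanent' or 'eligible' (just-in-time elevation).
ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": GLOBAL_ADMIN, "kind": "permanent",
     "daily_use": True, "external": False, "break_glass": False},
    {"principal": "office.mgr@contoso.example", "role": GLOBAL_ADMIN, "kind": "permanent",
     "daily_use": True, "external": False, "break_glass": False},
    {"principal": "msp-support@partner.example", "role": GLOBAL_ADMIN, "kind": "permanent",
     "daily_use": False, "external": True, "break_glass": False},
    {"principal": "adm-alice@contoso.example", "role": "User Administrator", "kind": "eligible",
     "daily_use": False, "external": False, "break_glass": False},
    {"principal": "breakglass1@contoso.example", "role": GLOBAL_ADMIN, "kind": "permanent",
     "daily_use": False, "external": False, "break_glass": True},
    {"principal": "breakglass2@contoso.example", "role": GLOBAL_ADMIN, "kind": "permanent",
     "daily_use": False, "external": False, "break_glass": True},
]


def audit_assignment(a):
    """Findings for one assignment; an empty list means it is acceptable as-is."""
    findings = []
    if a["break_glass"]:
        return findings          # emergency accounts are expected to hold a permanent role
    if a["kind"] != "permanent":
        return findings          # eligible (elevate-when-required) is what the checklist wants
    findings.append("permanent %s: convert to an eligible, time-bound assignment" % a["role"])
    if a["daily_use"]:
        findings.append("held by a daily-use account: move it to a separate admin account")
    if a["external"]:
        findings.append("held by an external identity: time-box it and review it regularly")
    return findings


def audit_roles(assignments, max_global_admins=MAX_GLOBAL_ADMINS):
    """Return (per-principal findings, tenant-wide findings)."""
    per_principal = {}
    for a in assignments:
        findings = audit_assignment(a)
        if findings:
            per_principal.setdefault(a["principal"], []).extend(findings)
    tenant = []
    ga_holders = {a["principal"] for a in assignments if a["role"] == GLOBAL_ADMIN}
    if len(ga_holders) > max_global_admins:
        tenant.append("%d accounts hold Global Administrator (limit %d): reduce to the minimum"
                      % (len(ga_holders), max_global_admins))
    return per_principal, tenant


if __name__ == "__main__":
    per_principal, tenant = audit_roles(ASSIGNMENTS)
    for principal, findings in per_principal.items():
        print(principal, "->", "; ".join(findings))
    for finding in tenant:
        print("tenant ->", finding)
```

The two break-glass accounts are deliberately exempt from the per-assignment rules but still count toward the Global Administrator total, which is why the constructed tenant trips the limit: three people plus two emergency accounts is already five.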

3. MFA Is Non-Negotiable (Yes, for Everyone)

If MFA is optional in your tenant, attackers already know. I still see:

  • MFA is enabled “for admins only.”
  • SMS-based MFA everywhere
  • MFA excluded for “legacy apps.”

Baseline expectation

  • MFA for all users
  • Strong methods (Authenticator app, FIDO2)
  • No MFA exclusions unless absolutely justified

Passwords alone are no longer enough. Attackers don’t just try to guess passwords; they log in using stolen credentials. (Bai et al., 2020)
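As an added example (my own Python, not the article's code and not the Graph API's method names), this classifies each user's registered methods against the baseline above and lists who has no MFA at all and who has only SMS or voice. The registration records are constructed and the method labels are my own.

```python
"""Registered-MFA-method review (added example; my own code, not the article's or Microsoft's).
Surfaces users who fall short of the baseline: no method registered, or only SMS/voice.
Registrations are constructed; the method labels are mine, not Graph identifiers."""

STRONG = {"authenticator_app", "fido2_key", "windows_hello"}   # phishing-resistant or app-based
WEAK = {"sms", "voice_call"}                                    # interceptable, keep as fallback only

# Constructed sample: user -> set of registered methods.
USERS = {
    "alice@contoso.example": {"authenticator_app", "sms"},
    "bob@contoso.example": {"sms"},
    "carol@contoso.example": set(),
    "dave@contoso.example": {"fido2_key"},
    "svc-scanner@contoso.example": {"voice_call", "sms"},
}


def classify(methods):
    """'strong' if at least one strong method, 'weak-only' if only SMS/voice, else 'none'."""
    if methods & STRONG:
        return "strong"
    if methods & WEAK:
        return "weak-only"
    return "none"


def mfa_gaps(users):
    """Users below the baseline, grouped by the kind of gap, in UPN order."""
    gaps = {"none": [], "weak-only": []}
    for upn, methods in sorted(users.items()):
        verdict = classify(methods)
        if verdict != "strong":
            gaps[verdict].append(upn)
    return gaps


def strong_coverage(users):
    """Fraction of users with at least one strong method; the number to drive to 1.0."""
    if not users:
        return 0.0
    return sum(1 for m in users.values() if classify(m) == "strong") / len(users)


if __name__ == "__main__":
    print(mfa_gaps(USERS))
    print("strong coverage: %.0f%%" % (100 * strong_coverage(USERS)))
```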

4. Conditional Access: Start Small, Start Now

Many SMBs think Conditional Access is “too advanced.” It’s not. Even one or two basic policies will block the majority of attacks I investigate (Nguyen, 2023).

Start with:

  • Require MFA for all users
  • Block legacy authentication
  • Restrict admin access by location or device

Truth:

Security Defaults are just a starting point. They aren’t a complete strategy (The Danger of Defaults: Securing Your Microsoft 365 Setup, 2025).
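To show what those three starting policies actually do to a sign-in, here is an added example: a deliberately minimal evaluator I wrote for this post, not the article's code and not Microsoft's evaluation engine. The policy objects are modelled on the Graph conditionalAccessPolicy resource (the values "All", "all", "exchangeActiveSync", "other", "mfa", "block" and "AllTrusted" are the Graph ones), but they are simplified: a named admin account in includeUsers stands in for a role-based scope, and the sign-in contexts are constructed. The break-glass exclusion from section 6 is included so you can see what "excluded from all policies" means in practice.

```python
"""Minimal Conditional Access evaluator (added example; my own code, not the article's and
not Microsoft's engine). Policies are modelled on the Graph conditionalAccessPolicy resource,
simplified: one named admin account stands in for a role scope. Contexts are constructed."""

BREAK_GLASS = ["breakglass1@contoso.example", "breakglass2@contoso.example"]
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]   # how a CA policy targets legacy auth

POLICIES = [
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"], "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "CA002 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": LEGACY_CLIENT_APP_TYPES, "locations": None},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "CA003 Admins only from trusted locations", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["adm-alice@contoso.example"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["block"]}},
]


def _user_in_scope(users, upn):
    inc, exc = users.get("includeUsers", []), users.get("excludeUsers", [])
    return ("All" in inc or upn in inc) and upn not in exc


def _client_in_scope(types, client_app_type):
    return "all" in types or client_app_type in types


def _location_in_scope(locations, trusted):
    if locations is None:                      # policy has no location condition
        return True
    inc, exc = locations.get("includeLocations", []), locations.get("excludeLocations", [])
    included = "All" in inc or ("AllTrusted" in inc and trusted)
    excluded = "AllTrusted" in exc and trusted
    return included and not excluded


def matching_policies(policies, ctx):
    """Enabled policies whose user, client-app and location conditions all match the sign-in."""
    return [p for p in policies if p["state"] == "enabled"
            and _user_in_scope(p["conditions"]["users"], ctx["user"])
            and _client_in_scope(p["conditions"]["clientAppTypes"], ctx["clientAppType"])
            and _location_in_scope(p["conditions"]["locations"], ctx["trustedLocation"])]


def evaluate(policies, ctx):
    """('block', [policy names]) if any matching policy blocks; otherwise
    ('grant', [controls]) listing every control the sign-in must satisfy."""
    matched = matching_policies(policies, ctx)
    blockers = [p["displayName"] for p in matched if "block" in p["grantControls"]["builtInControls"]]
    if blockers:
        return "block", blockers
    controls = sorted({c for p in matched for c in p["grantControls"]["builtInControls"]})
    return "grant", controls


if __name__ == "__main__":
    for ctx in [{"user": "alice@contoso.example", "clientAppType": "browser", "trustedLocation": False},
                {"user": "bob@contoso.example", "clientAppType": "other", "trustedLocation": False},
                {"user": "adm-alice@contoso.example", "clientAppType": "browser", "trustedLocation": False},
                {"user": "breakglass1@contoso.example", "clientAppType": "other", "trustedLocation": False}]:
        print(ctx["user"], ctx["clientAppType"], "->", evaluate(POLICIES, ctx))
```

Two things are worth noticing in the output. A legacy-protocol sign-in never reaches the MFA policy, because the block policy wins outright; that is the whole point of "block legacy authentication." And the break-glass account gets "grant" with an empty control list, which is why the next sections insist on monitoring those accounts rather than relying on policy.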

5. Lock Down Legacy Authentication

If legacy authentication is enabled, attackers don’t even need to get past MFA (Unit, 2025). They just bypass it.

This is how:

  • Password spray attacks succeed
  • Old protocols get abused
  • Logs look “normal” until it’s too late

Action

  • Identify legacy sign-ins
  • Disable legacy auth completely
  • Fix the few apps still relying on it

Taking this one step will remove a large area that attackers could exploit.

6. Protect Your Break-Glass Accounts (But Don’t Abuse Them)

Yes, you need emergency access accounts. No, they should not be:

  • Used daily
  • Shared
  • Excluded from all security without controls

Break-glass best practices

  • Separate credentials
  • Very strong passwords
  • Monitored sign-ins
  • Stored securely, offline

Think of them as insurance, not shortcuts.

7. Monitor Sign-Ins (You Don’t Need a SOC)

You don’t need a 24/7 SOC to catch basic identity attacks. You do need to look.

At least weekly, look for:

  • Failed sign-in spikes
  • Impossible travel
  • Admin role changes
  • MFA failures

If no one is looking, attackers know.
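Here is what "looking" can amount to without a SOC, as an added example (my own Python, not the article's code and not a Microsoft tool). It runs the weekly checks from section 7, plus the "identify legacy sign-ins" step from section 5 and the break-glass monitoring from section 6, over a sign-in log export. The record shape is modelled on the Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, status.errorCode, location.countryOrRegion) and the error codes 50126 (bad password) and 500121 (strong authentication failed) are real Entra codes, but the log lines themselves are constructed, and the thresholds are assumptions. Admin role changes live in the audit log rather than the sign-in log, so they are not covered here.

```python
"""Weekly sign-in review over an exported sign-in log (added example; my own code, not the
article's or Microsoft's). Record shape is modelled on the Graph signIn resource; the log lines
are constructed. Error codes: 0 success, 50126 bad password, 500121 MFA (strong auth) failed.
Thresholds are assumptions for the example. Admin role changes are in the audit log, not here."""
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
BREAK_GLASS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}
SPRAY_THRESHOLD, SPRAY_WINDOW = 5, timedelta(minutes=10)   # assumption: 5 bad passwords in 10 minutes
TRAVEL_WINDOW = timedelta(minutes=60)                        # assumption: country change within an hour


def _rec(ts, upn, ip, app, code, country):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}, "location": {"countryOrRegion": country}}


# Constructed sample log (documentation IP ranges, fictional tenant).
SIGNINS = [
    _rec("2026-01-05T08:00:00Z", "alice@contoso.example", "203.0.113.10", "Browser", 0, "CA"),
    *[_rec("2026-01-05T08:%02d:00Z" % m, "bob@contoso.example", "198.51.100.7", "Browser", 50126, "CA")
      for m in range(1, 7)],
    _rec("2026-01-05T09:00:00Z", "bob@contoso.example", "198.51.100.7", "IMAP4", 0, "CA"),
    _rec("2026-01-05T09:05:00Z", "carol@contoso.example", "203.0.113.20", "Browser", 0, "CA"),
    _rec("2026-01-05T09:40:00Z", "carol@contoso.example", "192.0.2.9", "Browser", 0, "NL"),
    _rec("2026-01-05T10:00:00Z", "dave@contoso.example", "203.0.113.30", "Browser", 500121, "CA"),
    _rec("2026-01-05T10:02:00Z", "dave@contoso.example", "203.0.113.30", "Browser", 500121, "CA"),
    _rec("2026-01-05T11:00:00Z", "breakglass1@contoso.example", "203.0.113.40", "Browser", 0, "CA"),
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def by_user(records):
    """Group records per user, each list sorted by time."""
    grouped = defaultdict(list)
    for r in sorted(records, key=_ts):
        grouped[r["userPrincipalName"]].append(r)
    return grouped


def failed_signin_spikes(records):
    """Users with at least SPRAY_THRESHOLD bad-password failures inside one SPRAY_WINDOW."""
    hits = set()
    for upn, recs in by_user(records).items():
        fails = [_ts(r) for r in recs if r["status"]["errorCode"] == 50126]
        for i in range(len(fails) - SPRAY_THRESHOLD + 1):
            if fails[i + SPRAY_THRESHOLD - 1] - fails[i] <= SPRAY_WINDOW:
                hits.add(upn)
                break
    return sorted(hits)


def impossible_travel(records):
    """Consecutive successful sign-ins by one user from different countries within TRAVEL_WINDOW.
    A country comparison is a deliberate simplification of distance-over-time detection."""
    hits = []
    for upn, recs in by_user(records).items():
        ok = [r for r in recs if r["status"]["errorCode"] == 0]
        for a, b in zip(ok, ok[1:]):
            ca, cb = a["location"]["countryOrRegion"], b["location"]["countryOrRegion"]
            if ca != cb and _ts(b) - _ts(a) <= TRAVEL_WINDOW:
                hits.append((upn, ca, cb))
    return hits


def mfa_failures(records):
    """Count of strong-authentication failures per user (a user declining pushes is a signal)."""
    counts = defaultdict(int)
    for r in records:
        if r["status"]["errorCode"] == 500121:
            counts[r["userPrincipalName"]] += 1
    return dict(counts)


def legacy_auth_signins(records):
    """Successful sign-ins over legacy protocols: these never saw an MFA prompt."""
    return sorted({(r["userPrincipalName"], r["clientAppUsed"]) for r in records
                   if r["clientAppUsed"] in LEGACY_CLIENT_APPS and r["status"]["errorCode"] == 0})


def break_glass_use(records):
    """Any sign-in by an emergency account is an event someone must be able to explain."""
    return sorted((r["createdDateTime"], r["userPrincipalName"]) for r in records
                  if r["userPrincipalName"] in BREAK_GLASS)


def weekly_review(records):
    return {"failed_spikes": failed_signin_spikes(records), "impossible_travel": impossible_travel(records),
            "mfa_failures": mfa_failures(records), "legacy_auth": legacy_auth_signins(records),
            "break_glass": break_glass_use(records)}


if __name__ == "__main__":
    for check, result in weekly_review(SIGNINS).items():
        print("%-17s %s" % (check + ":", result))
```

On the constructed week, bob's six bad passwords followed by a successful IMAP4 sign-in are exactly the "password spray, then legacy protocol" sequence section 5 describes, and the IMAP4 success would never have prompted for MFA.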

8. Review Access Regularly (Not Once a Year)

Identity security isn’t “set and forget.” People change roles.

Vendors come and go.

Admins accumulate permissions.

Minimum cadence

  • Quarterly admin review
  • User access review after role changes
  • Immediate review after incidents

Access creep often goes unnoticed until it causes a problem (Schueler, 2025).

Final Thought (From Real Incidents)

Every breach I investigate has one thing in common: The warning signs were there, but no one noticed them. Identity is now your primary security boundary, especially for SMBs without massive security teams. If you fix identity:

  • Ransomware impact drops
  • Phishing success plummets
  • Incident recovery becomes survivable

If you ignore it:

  • One login is all it takes

If you found this checklist helpful, I share more real-world Microsoft identity and security lessons at ITBlogs.ca, all based on what I see in actual production environments, not just theory. 

Security isn’t about tools.

It’s about discipline.


Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.


References

Bai, W., Blocki, J. & Harsha, B. (2020). Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking. arXiv:2009.10060. https://doi.org/10.48550/arXiv.2009.10060

Nguyen, K. (2023). Basic cyber hygiene prevents 98% of attacks. Microsoft Community Hub. https://techcommunity.microsoft.com/blog/microsoft-security-blog/basic-cyber-hygiene-prevents-98-of-attacks/3926856

The Danger of Defaults: Securing Your Microsoft 365 Setup. (2025). Affinity Smart. https://affinitysmart.com/the-danger-of-defaults-avoiding-common-microsoft-365-security-missteps/

Unit, G. R. (May 6, 2025). Guardz Uncovers Sophisticated Campaign Exploiting Legacy Authentication in Microsoft Entra ID. PR Newswire. https://www.prnewswire.com/news-releases/guardz-uncovers-sophisticated-campaign-exploiting-legacy-authentication-in-microsoft-entra-id-302448704.html

Schueler, C. (August 18, 2025). Privilege Creep: The Overlooked Threat To Cybersecurity. Forbes. https://www.forbes.com/councils/forbestechcouncil/2025/08/19/privilege-creep-the-overlooked-threat-to-cybersecurity/
