The identity illusion: why your MFA and SSO setup might not be enough
In a cloud-first workplace, most organisations take pride in ticking off the essentials: Single Sign-On, Multi-Factor Authentication, user access mostly managed. Here is the hard truth: these controls do not guarantee security, they reduce the attack surface. Without deeper visibility, governance and alignment, SSO and MFA can create a dangerous illusion of safety.
Identity is the new perimeter
The firewall is no longer the boundary. In the Microsoft 365 ecosystem, identity defines who has access, how they get it, and what they can do once inside. Yet many identity environments quietly carry: over-assigned roles (too many Global Admins), unreviewed guest access never deprovisioned, legacy authentication protocols still enabled (IMAP, POP3), exclusions and exceptions baked into Conditional Access, and privileged accounts with no lifecycle management. None of these are caught by an "MFA is on" checkbox.
MFA is a control, not a cure
MFA is essential but not absolute. The pitfalls we routinely find: MFA not enforced for all user types (guests, service accounts, execs with exceptions); users with weak fallback methods; unmonitored break-glass accounts that bypass MFA entirely; and legacy-auth applications that allow sign-ins without MFA. MFA needs enforcement logic, monitoring and review to actually work.
SSO amplifies access, and risk
SSO is prized for convenience, rightly. But without governance it enables third-party app sprawl that bypasses review, lets external users carry excessive permissions, and masks untracked access to sensitive data through unmonitored apps. SSO amplifies access, which means it amplifies risk unless it is paired with Conditional Access, Identity Protection and delegated administration.
What the audits reveal
Our identity reviews routinely surface hundreds of dormant guest accounts still active in Entra ID, privileged accounts that have not logged in for months yet still hold admin rights, no consistent Conditional Access logic (or dozens of overlapping, contradictory rules), and break-glass accounts that are never tested or monitored. Most critically: no single person owns identity governance across the business.
You do not need another tool, you need alignment
The most secure environments know who their users are (and who should not be there), use policy rather than guesswork to determine access, regularly review access, exceptions and account lifecycle, and benchmark their configuration against Zero Trust principles. All of it starts with visibility, and that is where most teams fall short. Before you assume you are covered, ask: do you know what your Conditional Access logic actually enforces? Are guest accounts managed with lifecycle policies? Is admin delegation scoped and tracked? Can you prove enforcement, or just assume it?
This is exactly what our Identity & Access Management work governs, with Microsoft Entra PIM and Conditional Access, aligned to Zero Trust. A cyber health check uncovers what your dashboards do not.