In this episode of ThreatCast by Threatscape, host Ru Campbell sits down with Lukas Beran, Senior Cybersecurity Consultant at Microsoft DART, to uncover the most persistent and often overlooked gaps in Entra ID security. Drawing from extensive frontline experience in incident response, Lukas shares hard-earned insights on identity protection, the hidden dangers of conditional access exclusions, and how to meaningfully reduce risk.
Why MFA Alone Isn’t Enough
Despite widespread adoption of multi-factor authentication (MFA), many organisations continue to suffer breaches. Lukas reveals that even administrators sometimes lack comprehensive MFA coverage due to conditional access exclusions or misconfigured policies. In many cases, organisations believe they are protected, but attackers exploit these gaps—often whitelisted IP addresses or trusted devices—to gain privileged access.
“It’s amazing that in 2025, we’re still seeing breaches because of missing or misapplied MFA,” Ru notes. Lukas adds that conditional access configurations frequently include temporary exclusions that become permanent due to oversight. These unintentional security gaps are often gateways for threat actors.
The Underused Power of Privileged Identity Management
A significant part of risk mitigation lies in operational discipline. Lukas advocates for using Microsoft’s Privileged Identity Management (PIM) to enforce time-bound, just-in-time access.
Instead of granting indefinite privileges, organisations should leverage PIM to automate role expiration and ensure exclusions don’t linger. Lukas explains, “You can configure end dates so permissions expire automatically. But many organisations just add users to groups and forget to remove them.”
Why Device Trust Should Not Equal Policy Exceptions
Lukas and Ru delve into the risk of exempting compliant or hybrid-joined devices from MFA policies. While this might improve the user experience, it turns device trust into a standing MFA bypass.
Malware and compromised software can still operate on trusted devices, Lukas warns. A better solution is to deploy phishing-resistant authentication methods, such as Windows Hello for Business or Platform SSO for macOS. These options offer a seamless sign-in experience and meet MFA requirements without relying on easily bypassed exclusions.
Phishing-Resistant MFA: A Must-Have
Phishing attacks are no longer limited to stealing passwords; they increasingly target session tokens. Lukas underscores the importance of phishing-resistant MFA solutions like FIDO2 keys, Windows Hello, and device-bound passkeys in Microsoft Authenticator.
These methods block adversary-in-the-middle attacks by ensuring that authentication cannot be spoofed or intercepted. “This isn’t theoretical,” Lukas insists. “We see real incidents where attackers bypass traditional MFA through phishing. Organisations must evolve.”
Securing Break Glass Accounts the Right Way
One of the most critical, yet poorly managed areas of identity security is emergency or “break glass” accounts. Lukas offers blunt advice: most organisations either do not have them or manage them poorly.
The best practice now is to use FIDO2 keys stored in multiple, secure physical locations, and to regularly test these accounts. Ru echoes this, advising that exclusions for break glass accounts should be added before a policy is even named to avoid lockouts.
Lukas also cautions against using software vaults linked to Active Directory for storing credentials. “If AD is compromised, so is your vault. Keep break glass accounts technologically independent.”
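Tying together the exclusion gaps from the MFA discussion and the break glass advice above, here is an added example (not from the podcast, and not a Microsoft tool) that audits an exported conditional access policy set: it reads the Microsoft Graph conditionalAccessPolicy JSON shape and flags every exclusion that is not the approved break glass group, plus report-only MFA policies and location or device exemptions. The policies and object ids in the sample are constructed placeholders, and `BREAK_GLASS_GROUP` stands in for your own group's id.

```python
"""Audit an exported Entra ID conditional access policy set for MFA exclusions.
Field names follow the Graph conditionalAccessPolicy resource; ids are constructed."""
import json

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000001"  # placeholder group id
SAMPLE_EXPORT = json.dumps({"value": [  # constructed sample, not a real tenant
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"],
                   "excludeUsers": ["00000000-0000-0000-0000-000000000002"],
                   "excludeGroups": [BREAK_GLASS_GROUP, "00000000-0000-0000-0000-000000000003"]},
         "locations": {"includeLocations": ["All"],
                       "excludeLocations": ["00000000-0000-0000-0000-000000000004"]},
         "devices": {"deviceFilter": {"mode": "exclude",
                                      "rule": "device.isCompliant -eq True"}}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins",
     "state": "enabledForReportingButNotEnforced",  # report-only, so not enforced
     "conditions": {"users": {"includeRoles": ["00000000-0000-0000-0000-000000000005"],
                              "excludeGroups": [BREAK_GLASS_GROUP]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]})


def requires_mfa(policy):
    """True when the grant control demands MFA or an authentication strength."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))


def audit_policies(export_json, allowed_exclusions):
    """Return (policy name, finding) pairs for every way a sign-in could skip MFA."""
    findings = []
    for policy in json.loads(export_json)["value"]:
        if not requires_mfa(policy):
            continue  # only policies that grant on MFA are in scope
        name, cond = policy["displayName"], policy.get("conditions") or {}
        if policy.get("state") != "enabled":
            findings.append((name, f"not enforced (state={policy.get('state')})"))
        users = cond.get("users") or {}
        for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
            for obj in users.get(key, []):  # anything beyond break glass is a gap
                if obj not in allowed_exclusions:
                    findings.append((name, f"{key} not on break glass list: {obj}"))
        for loc in (cond.get("locations") or {}).get("excludeLocations", []):
            findings.append((name, f"trusted location exempt from MFA: {loc}"))
        dev = (cond.get("devices") or {}).get("deviceFilter") or {}
        if dev.get("mode") == "exclude":  # compliant/hybrid devices skipping MFA
            findings.append((name, f"device filter exempts devices: {dev.get('rule')}"))
    return findings
```

Run it against a real export (for example the output of `GET /identity/conditionalAccess/policies`) with your actual break glass group id in `allowed_exclusions`; an empty result means every MFA policy is enforced and excludes nothing but break glass.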
Identity as the First Line of Defence
The discussion concludes on the foundational role of identity in cyber security. Lukas reiterates that identity is the gateway to data, applications, and infrastructure. If it’s compromised, all downstream defences are rendered ineffective.
“Encryption doesn’t help if the attacker holds the decryption keys,” he says, highlighting the cascading consequences of poor identity security.