Huntress has released alarming findings from the initial deployment of its new Identity Security Posture Management (ISPM) tool, revealing pervasive misconfigurations across Microsoft 365 environments. After analyzing hundreds of tenants, the security company discovered that a staggering number of organizations fail to enforce even basic identity protections—leaving their users, data, and systems dangerously exposed.

The Scan That Lit the Fuse

In early 2025, Huntress quietly rolled out ISPM, a capability baked into its managed security platform that continuously assesses Microsoft 365 identity configurations. The goal: give defenders a clear, ongoing view of their identity risk surface. But what researchers found in the first few weeks shocked even Huntress’s seasoned incident response team. Across the nearly 400 tenants scanned, almost every one exhibited at least one critical gap that attackers routinely exploit in real-world breaches.

The tool checks over 50 discrete settings, from multi-factor authentication (MFA) coverage to administrative role hygiene, password policies, legacy protocol usage, and guest user management. It then maps each finding to the MITRE ATT&CK framework, helping organizations prioritize fixes based on real adversary behavior. The early data set—while still a snapshot—paints a grim picture of identity security hygiene.

MFA: The Gatekeeper That’s Often Missing

No finding was more glaring than the state of MFA enforcement. Despite Microsoft’s repeated urgings and well-known attack patterns that rely on credential stuffing, phishing, and password spray, Huntress found that a mere 62% of users across all scanned tenants had MFA enabled. Even worse, only 58% of accounts with an administrative role—the keys to the kingdom—were protected by any second factor.

An even more concerning detail emerged when Huntress looked at the type of MFA in place. Among those who did have MFA enabled, a significant portion still relied on SMS-based codes or voice calls, methods that are susceptible to SIM-swapping and social engineering. Phishing-resistant MFA—such as FIDO2 security keys or certificate-based authentication—was practically nonexistent outside of a handful of heavily regulated firms.

The practical impact is immediate. “If an attacker can phish a single privileged user whose account isn’t MFA-protected, they have a direct path to global admin in under an hour,” said Jamie Levy, Director of Adversary Operations at Huntress. “We see it in incident response engagements all the time. Tenants without enforced MFA are a ticking time bomb.”

Admin Bloat and the Principle of Least (Forgotten) Privilege

The ISPM data revealed a pervasive habit of over-assigning administrative roles. On average, each tenant had 7.3 Global Administrators, though some had as many as 55. Microsoft’s own best practice is to maintain no more than five Global Admins, and only for emergency break-glass accounts. Instead, organizations are handing out the highest privilege like candy, often to everyday user accounts that also run email, browse the web, and open attachments.

Compounding the problem, less than 10% of tenants had activated Privileged Identity Management (PIM) to enforce just-in-time (JIT) access. Without JIT, Global Admin credentials sit permanently active, ready to be stolen by any InfoStealer malware that slips past an endpoint defense. Huntress found that many of these high-privilege accounts also lacked the Azure AD Premium P2 license required for PIM—a classic “penny-wise, pound-foolish” oversight.

Even when roles were technically separated, the checks were inconsistent. For example, Huntress identified multiple tenants where the same account held Global Admin and SharePoint Administrator, or Exchange Administrator and User Administrator—role combos that give an attacker wide lateral movement. In one now-famous incident from 2023, threat actors used a single compromised Helpdesk Administrator to reset the MFA of a Global Admin, then took over the entire tenant. That attack path remains wide open in many of the organizations Huntress assessed.

Passwords: The Forgotten Frontier

Microsoft 365 offers a suite of password protection features, from banned password lists to Azure AD Password Protection for on-premises Active Directory. Yet Huntress found dismal adoption. Only about a third of tenants had cloud-only password protection enabled, and just 15% enforced it on-premises. That means most organizations were allowing users to pick passwords like “Summer2025!” or “CompanyName1”—passwords that would not survive even a single round of brute-force guessing.

The ISPM tool also checks for breached password detection, a feature that compares user passwords against a database of known compromised credentials. Microsoft introduced this as a public preview in 2024, then made it generally available with additional licensing. But Huntress saw almost no uptake. “It’s a feature that would literally stop replay attacks in their tracks,” Levy noted. “But people don’t know about it, or they balk at the extra cost. Meanwhile, attackers are buying billions of leaked credentials off the dark web for pennies.”

Password hash synchronization (PHS) was present in most hybrid setups, which is good for enabling leaked credential detection. But the complementary Seamless Single Sign-On (SSO) was often misconfigured in ways that exposed a legacy Kerberos decryption key, leading to potential golden ticket attacks. Huntress’s tool flagged this across several organizations, proving that even “secure by default” configurations can drift badly over time.

Legacy Protocols: The Zombie Attack Surface

Despite Microsoft beginning to disable Basic Authentication for Exchange Online in October 2022, Huntress found that 37% of tenants still had at least one legacy protocol enabled. POP3, IMAP4, and SMTP AUTH were the usual suspects, often left active “just in case” for some forgotten line-of-business application or multifunction printer. The risk is well-documented: protocols that don’t support modern authentication bypass MFA entirely, giving adversaries a clean login prompt to brute-force.

Even more worrying, Huntress found tenants with WS-Trust endpoints enabled—a relic from the SharePoint 2010 era that can be abused in golden SAML attacks to forge tokens. In 2020, a Nobelium espionage campaign exploited exactly this to access Microsoft 365 mailboxes by forging SAML assertions. Yet four years later, the endpoints remain active in a surprising number of directories.

Guest Users: The Uninvited Guests

Collaboration between organizations is a core Microsoft 365 value proposition, but guest accounts are often left ungoverned. Huntress discovered that, on average, each tenant contained 124 active guest users. In many cases, these were contractors or partners who hadn’t needed access in years. Almost none of the tenants had configured an access review process for guests, and only a handful used Entra ID Identity Governance to automate lifecycle management.

The blast radius of a compromised guest account is significant—especially when that guest has been granted directory reading privileges or added to a Teams channel with sensitive files. Huntress observed one tenant where a former vendor with External User role still had access to an HR SharePoint site five years after the engagement ended.
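The MFA coverage figures, the Global Administrator count, the risky role combinations and the stale guest accounts described in the sections above are all questions a posture scanner answers by walking the directory. The script below is an added illustration of those checks, not Huntress's ISPM code: it runs over a constructed tenant snapshot whose shape (users with assigned directory roles, registered MFA method names, a guest flag and a last sign-in time) is an assumption loosely modelled on Microsoft Graph objects, and it tags each finding with the MITRE ATT&CK technique a defender would map it to. The five-admin ceiling is the Microsoft guidance cited in the article; the one-year guest idle threshold is an assumption.

```python
"""Identity posture checks over a constructed Microsoft 365 tenant snapshot.

Added illustration, not Huntress's ISPM code. The snapshot shape is an
assumption loosely modelled on Microsoft Graph user and directory-role
objects; every account below is constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed scan time
MAX_GLOBAL_ADMINS = 5                               # Microsoft guidance cited in the article
STALE_GUEST_DAYS = 365                              # assumption: review guests idle for a year
WEAK_MFA = {"sms", "voice"}                         # SIM-swappable / socially engineerable
RISKY_ROLE_PAIRS = [                                # combinations named in the article
    {"Global Administrator", "SharePoint Administrator"},
    {"Exchange Administrator", "User Administrator"},
]


def user(upn, roles=(), mfa=(), guest=False, idle_days=1):
    """Build one constructed account record."""
    return {"upn": upn, "roles": set(roles), "mfa": set(mfa), "guest": guest,
            "last_sign_in": NOW - timedelta(days=idle_days)}


# Constructed tenant: a few named accounts plus four more Global Admins to push
# the count past the recommended ceiling.
SNAPSHOT = {"users": [
    user("ceo@example.com", roles=["Global Administrator"], mfa=["sms"]),
    user("it1@example.com", roles=["Global Administrator", "SharePoint Administrator"], mfa=["fido2"]),
    user("it2@example.com", roles=["Global Administrator"]),
    user("helpdesk@example.com", roles=["Helpdesk Administrator"], mfa=["microsoftAuthenticator"]),
    user("alice@example.com", mfa=["microsoftAuthenticator"]),
    user("bob@example.com"),
    user("vendor_partner.example.com#EXT#@example.onmicrosoft.com", guest=True, idle_days=900),
] + [user(f"admin{i}@example.com", roles=["Global Administrator"], mfa=["fido2"]) for i in range(4)]}


def mfa_coverage(users):
    """Percentage of all accounts, and of role-holding accounts, with any MFA method registered."""
    def pct(group):
        return round(100 * sum(1 for u in group if u["mfa"]) / len(group), 1) if group else 0.0
    return pct(users), pct([u for u in users if u["roles"]])


def assess(snapshot, now=NOW):
    """Run the checks and return findings, each mapped to a MITRE ATT&CK technique id."""
    users = snapshot["users"]
    findings = []

    def add(check, technique, subjects, detail):
        if subjects:                                # only report checks that actually fire
            findings.append({"check": check, "attack": technique,
                             "subjects": sorted(subjects), "detail": detail})

    add("admin-without-mfa", "T1078.004",
        [u["upn"] for u in users if u["roles"] and not u["mfa"]],
        "privileged account with no second factor")
    add("admin-weak-mfa", "T1111",
        [u["upn"] for u in users if u["roles"] and u["mfa"] and u["mfa"] <= WEAK_MFA],
        "privileged account relying only on SMS/voice codes")
    add("user-without-mfa", "T1110.003",
        [u["upn"] for u in users if not u["roles"] and not u["mfa"]],
        "account exposed to password spray and credential stuffing")
    global_admins = [u["upn"] for u in users if "Global Administrator" in u["roles"]]
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        add("global-admin-bloat", "T1098.003", global_admins,
            f"{len(global_admins)} Global Administrators; keep at most {MAX_GLOBAL_ADMINS}")
    add("risky-role-combo", "T1078.004",
        [u["upn"] for u in users if any(pair <= u["roles"] for pair in RISKY_ROLE_PAIRS)],
        "role combination that widens lateral movement after one compromise")
    add("stale-guest", "T1078.004",
        [u["upn"] for u in users if u["guest"] and (now - u["last_sign_in"]).days > STALE_GUEST_DAYS],
        f"guest with no sign-in for more than {STALE_GUEST_DAYS} days; needs an access review")
    return findings


if __name__ == "__main__":
    all_pct, admin_pct = mfa_coverage(SNAPSHOT["users"])
    print(f"MFA coverage: {all_pct}% of users, {admin_pct}% of admins")
    for f in assess(SNAPSHOT):
        print(f"[{f['attack']}] {f['check']}: {', '.join(f['subjects'])} - {f['detail']}")
```

Against a real tenant the snapshot would be built from Graph queries for users, directory role members and registered authentication methods; the check logic stays the same. Reporting only the checks that fire, and sorting the subjects, keeps the output diff-friendly so a regression between two scans is easy to spot.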

Automation to the Rescue: The ISPM Difference

The sheer volume of misconfigurations illustrates why manual, periodic audits are no longer sufficient. Identity posture changes constantly: new accounts are created, licenses change, roles shift, and users bypass policy. Huntress designed its ISPM to monitor continuously and alert defenders within minutes of a regression. The platform also provides a “fix center” with step-by-step remediation instructions, which teams can execute manually or automate via Microsoft Graph API.

Matt Kiely, Senior Product Manager at Huntress, emphasized that the goal is to make identity security “operational” for the small and midsize businesses that make up the bulk of their customer base. “These companies don’t have dedicated identity teams,” Kiely said. “They need a tool that watches their M365 tenant like a hawk and tells them, in plain language, what to do when something breaks. That’s what we’ve built.”

The ISPM assessment is now available to all Huntress partners, and the company plans to release a public benchmark report later this year once more data is collected. That report will likely paint an even starker picture.

Microsoft’s Own Tools: Overlap and Gaps

To be fair, Microsoft already provides several native posture assessment tools: Entra ID Secure Score, Identity Protection risk detections, and the more recent Microsoft 365 Lighthouse for managed service providers. But Huntress argues these tools require significant interpretation and lack the practitioner-focused context of ISPM. For instance, Secure Score might tell you that MFA isn’t enforced for 40% of users, but it won’t map that to a specific adversary technique or highlight that the unprotected accounts include a service principal with Directory.ReadWrite.All permissions.

Moreover, Secure Score recommendations often come with a “bark” but no “bite”—they suggest turning on a control without explaining the operational impact or sequencing. Huntress intends ISPM to fill that gap for overworked IT admins who just want to know “what do I fix first?”

Real-World Triage: What to Fix Right Now

Based on the findings, Huntress recommends an immediate, four-step triage for any Microsoft 365 tenant:

  • Enforce phishing-resistant MFA for all users, starting with administrators. At a minimum, use the Microsoft Authenticator app with number matching and geolocation. Block SMS and voice calls as MFA methods unless absolutely necessary.
  • Identify and remove unnecessary Global Administrators. Move everyday admin tasks to lesser-privileged roles like Exchange Administrator or Intune Administrator. Enable Privileged Identity Management to elevate only when needed.
  • Enable Azure AD Password Protection, both cloud and on-premises. Turn on breached password detection for cloud-only users. Start with audit mode to avoid lockouts, then enforce.
  • Block all legacy authentication protocols. Use Conditional Access policies to block legacy auth across the board, then examine sign-in logs for any legitimate usage that needs a modern alternative.
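The fourth triage step, and the Graph-based automation the "fix center" section describes, come down to two pieces: finding who still depends on legacy protocols in the sign-in log, and building the Conditional Access policy that blocks them. The script below is an added example, not Huntress's code. Its log records use a handful of real Microsoft Graph signIn fields (userPrincipalName, appDisplayName, clientAppUsed, ipAddress, createdDateTime, status.errorCode), but every value is constructed; treating any clientAppUsed other than "Browser" and "Mobile Apps and Desktop clients" as legacy follows Microsoft's sign-in log guidance, and the break-glass object id is a placeholder.

```python
"""Legacy-authentication triage over constructed sign-in log entries, plus the
Conditional Access policy body that blocks legacy clients.

Added example, not Huntress's fix-center code. Log values are constructed;
the break-glass object id is a placeholder.
"""
import json

MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def sign_in(upn, client_app, app, ip, when, error_code=0):
    """One constructed sign-in record in the shape of a Graph signIn object."""
    return {"userPrincipalName": upn, "clientAppUsed": client_app, "appDisplayName": app,
            "ipAddress": ip, "createdDateTime": when, "status": {"errorCode": error_code}}


# Constructed log: one modern user, a printer relaying on SMTP AUTH, and a
# failed IMAP password guess (50126 is the invalid-credentials error code).
SIGN_INS = [
    sign_in("alice@example.com", "Browser", "Office 365 Exchange Online", "203.0.113.10", "2025-05-30T08:12:44Z"),
    sign_in("printer@example.com", "Authenticated SMTP", "Office 365 Exchange Online", "198.51.100.5", "2025-05-30T09:01:02Z"),
    sign_in("printer@example.com", "Authenticated SMTP", "Office 365 Exchange Online", "198.51.100.5", "2025-05-31T09:00:58Z"),
    sign_in("bob@example.com", "IMAP4", "Office 365 Exchange Online", "192.0.2.77", "2025-05-31T02:14:09Z", error_code=50126),
    sign_in("bob@example.com", "IMAP4", "Office 365 Exchange Online", "192.0.2.77", "2025-05-31T02:14:31Z", error_code=50126),
    sign_in("carol@example.com", "Mobile Apps and Desktop clients", "Microsoft Teams", "203.0.113.11", "2025-05-31T07:45:00Z"),
]


def legacy_auth_report(entries):
    """Group legacy-auth sign-ins by (user, protocol, application).

    Successful entries are the line-of-business dependencies that need a modern
    replacement before enforcement; failed entries show what is being probed.
    """
    report = {"successful": {}, "failed": {}}
    for e in entries:
        if e["clientAppUsed"] in MODERN_CLIENT_APPS:
            continue
        bucket = "successful" if e["status"]["errorCode"] == 0 else "failed"
        key = (e["userPrincipalName"], e["clientAppUsed"], e["appDisplayName"])
        row = report[bucket].setdefault(key, {"count": 0, "ips": set(), "last_seen": ""})
        row["count"] += 1
        row["ips"].add(e["ipAddress"])
        row["last_seen"] = max(row["last_seen"], e["createdDateTime"])  # ISO-8601 strings sort lexically
    return report


def build_block_legacy_auth_policy(break_glass_ids, report_only=True):
    """Body for POST /identity/conditionalAccess/policies that blocks legacy clients.

    Starts in report-only mode so the sign-in log shows what would have been
    blocked; switch report_only to False once the successful legacy users have
    been migrated. Break-glass accounts are excluded so a mistake in the policy
    cannot lock every administrator out.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],   # the two legacy client classes
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for bucket, rows in legacy_auth_report(SIGN_INS).items():
        for (upn, proto, app), row in rows.items():
            print(f"{bucket:10} {upn:22} {proto:20} {app:28} x{row['count']} "
                  f"from {sorted(row['ips'])}, last {row['last_seen']}")
    # Placeholder object id: replace with the tenant's real break-glass account.
    print(json.dumps(build_block_legacy_auth_policy(["00000000-0000-0000-0000-000000000000"]), indent=2))
```

The report's "successful" bucket is the migration list (here, a printer that needs a modern-auth relay or a dedicated connector), while the "failed" bucket is the evidence that the open protocol is already being guessed against. The policy body is what a fix-center automation would submit to Graph; creating it in report-only mode first, and only then enabling it, is the sequencing the triage step calls for.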

For organizations that already have these basics in place, Huntress suggests moving to the next tier: implementing continuous access evaluation, disabling PowerShell for non-admins, and enabling Microsoft Defender for Identity to detect on-premises identity threats.

The Broader Picture: Identity Is the Perimeter

Forrester Research recently estimated that 80% of data breaches involve privileged credentials. Huntress’s data validates that, showing that the attack surface is wider than many realize—not because Microsoft 365 lacks controls, but because the controls are too complex, too scattered, or too easy to misconfigure. The average tenant contains over 200 configurable settings related to identity, and they change with every Microsoft update.

Identity Security Posture Management, as a product category, is attracting venture capital and analyst mindshare. Microsoft itself has signaled deeper investment with the preview of “Entra Permissions Management” and the continued expansion of Entra ID Governance. But for the small to midsize enterprises that Huntress serves, the need isn’t for another dashboard—it’s for a co-pilot that knows the exact playbook attackers are running.

Looking Ahead: From Posture to Protection

Huntress plans to integrate ISPM findings directly into its 24/7 Security Operations Center (SOC), allowing analysts to correlate identity misconfigurations with live threat activity. For example, if a user with an overprivileged role triggers a suspicious login from an unusual location, the SOC could immediately call the customer to lock the account and correct the role. That level of closed-loop remediation is still rare, but it’s where the industry is heading.

The early lessons are clear: Microsoft 365 remains a fortress with many unlocked doors. Until organizations lock those doors—starting with MFA, admin cleanup, and password hygiene—attackers will keep walking through them.