The same thing keeps coming up in my conversations with customers: Entra ID. Not whether it matters (everyone knows it matters), but what you actually do after someone gets in.
There's no clean way to evict an attacker from a tenant and know you got everything. They register a rogue app, mess with conditional access, abuse a federated domain, compromise a service principal—and now you're crawling through configs trying to be sure you've found it all.
I saw this recently. A security leader walked us through their AD controls: hardened tier model, tested recovery playbooks, all of it. It was all really well done. Then we asked about Entra ID and he just paused. It wasn't in their IR plan. They'd spent years hardening AD, and meanwhile Entra ID had quietly become the thing controlling access to M365, Intune, their entire SaaS stack. Nobody had a recovery story for it.
Entra ID has quietly become your most load-bearing infrastructure. Yet most organizations lack a real recovery plan for it. From invisible Global Admin exploits to the cascading collapse of interconnected permissions, the message is clear: Microsoft provides the platform, but the blast radius is your responsibility. It’s time to stop auditing configurations and start building true identity resilience.
For Best Results, Assume the Worst
So how should you think about this? I keep coming back to the same starting point with every customer.
Assume the worst. When I talk to teams about Entra ID, I always start here: full Global Admin compromise. The attacker bypasses everything. You have no logging. Sounds paranoid, except it's not hypothetical.
Earlier this year, Dirkjan Mollema showed how you could abuse actor tokens to get Global Admin in any Entra ID tenant through Microsoft's own first-party service principals. The part that should bother you: those actions didn't show up in audit logs.
Microsoft fixed it (CVE-2025-55241), but that doesn't undo the lesson. If your detection strategy depends on log visibility, the platform has already demonstrated that visibility has holes.
This isn't an isolated concern either. The CISA Cyber Safety Review Board's report on the Summer 2023 Microsoft Online Exchange incident was blunt: the breach was preventable, the result of a "cascade of avoidable errors" and a corporate culture that "deprioritized both enterprise security investments and rigorous risk management."
Prevent Cascading Identity Collapse
The next thing that matters: Entra ID controls are all connected to each other. I've been calling it a cascading identity security collapse.
Security groups, named locations, conditional access policies, app registrations—none of these stand alone. A conditional access policy enforcing MFA might apply to a security group and trust a set of named locations. If I were attacking your environment, I wouldn't disable your conditional access policy. I'd add myself to the excluded group, or register my infrastructure as a trusted location, and I'm through. A changed group membership, an IP added to a trusted location, a tweaked policy exclusion: any one of them silently guts controls that looked fine five minutes ago. The attack is simple even though the architecture isn't.
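To make the dependency problem concrete, here is an added example (not code from this post or from Rubrik) that maps Graph-style Conditional Access objects to the groups and named locations they rely on, then turns a single audit-log event into the list of policies it silently weakens. The policy, IDs and events are constructed sample data, and the audit activity names are assumed to match what the tenant's audit log emits.

```python
"""Dependency map for Entra ID Conditional Access objects, plus a check that
turns one audit-log event into the policies it weakens without touching them.
Object shapes follow Microsoft Graph conditionalAccessPolicy (trimmed); every
ID, name and event below is constructed sample data, not a real tenant."""

# Constructed tenant: one MFA policy that excludes a break-glass group and
# skips enforcement from a trusted HQ named location.
POLICIES = [{
    "id": "cap-mfa-all", "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["grp-breakglass"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-hq"]},
    },
    "grantControls": {"builtInControls": ["mfa"]},
}]

# Audit activity (assumed activityDisplayName values) -> the policy reference
# that becomes wider when the referenced object changes, and why it matters.
WEAKENING_EDGES = {
    "Add member to group": ("users", "excludeGroups", "new member is exempt from the policy"),
    "Update named location": ("locations", "excludeLocations", "changed IP ranges are exempt from the policy"),
}

def dependency_map(policies):
    """Return {object_id: {policy_id: (section, key)}} for every group or
    location a policy references, ignoring the wildcard 'All'."""
    deps = {}
    for p in policies:
        for section in ("users", "locations"):
            for key, ids in p["conditions"][section].items():
                for oid in ids:
                    if oid == "All":
                        continue
                    deps.setdefault(oid, {})[p["id"]] = (section, key)
    return deps

def weakened_policies(event, policies):
    """Given one audit event {activityDisplayName, targetId}, list (policy_id, reason)
    for policies whose effective scope shrank even though their own config is unchanged."""
    edge = WEAKENING_EDGES.get(event["activityDisplayName"])
    if edge is None:
        return []
    section, key, why = edge
    hits = dependency_map(policies).get(event["targetId"], {})
    return [(pid, why) for pid, ref in hits.items() if ref == (section, key)]
```

Feeding real audit-log exports through `weakened_policies` gives an alert per policy rather than per raw event, which is the view an incident responder needs when deciding what to re-check.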
And it doesn't stop at the cloud boundary. Entra ID is a SaaS application, but it's tethered to your on-prem world. Active Directory syncs identities up through Entra Connect. Intune pushes policies down to endpoints. Compromise one side and you have a path to the other. A misconfigured Entra ID tenant is a door into everything it touches.
Act Now to Protect Your Identity Infrastructure
So where does that leave you?
This isn't about fear. Most organizations spent years building real security programs around AD, endpoints, and networks. Entra ID grew faster than anyone's security investment in it, and now it's load-bearing for everything.
Treat your Entra ID tenant like your most critical infrastructure, because it is. Map the dependencies. Know what a single change can break. Have a real plan for finding and removing attacker persistence. Stop assuming Microsoft will handle it—your tenant is your problem, wherever it runs.
The teams in the best shape to deal with Entra ID compromise are the ones asking these questions now, not after a breach.
Want to learn more? Check out this bonus episode of the Identity at the Center® podcast.