News

Microsoft Issues 2025 Identity Security Best Practices

• By Chris Paoli
• January 29, 2025

Microsoft has outlined key identity management strategies to help enterprises safeguard their data in 2025.

The key, according to the company, is to adopt "proactive defensive measures" to protect against growing AI-based attacks and widespread phishing campaigns. After consulting with its customers, Microsoft has identified three areas in which enterprises can harden their defenses.

Start Secure, Stay Secure and Prepare for New Cyberthreats
Organizations are encouraged to adopt the "secure by default" practice by enforcing multifactor authentication (MFA) and mitigate risks associated with shadow IT and non-human identities.

"Reactive security isn't enough to safeguard your environment," said Microsoft's Joy Chik, president of Identity & Network Access at Microsoft. "Our guidance for 2025 is to always start at the highest level of security (Secure by Default), then dial back as needed for compatibility or other reasons. It’s also critical to protect all identities: employees, contractors, partners, customers, and, most importantly, machine, service, and AI identities."

Getting a handle on shadow IT is also important. Microsoft recommends that IT monitor for unauthorized apps and ensure those that are entering a network are secure by default.

To help with this, Microsoft has implemented tools like managed Conditional Access policies and phishing-resistant authentication that aim to reduce account compromises. Additionally, it's recently extended multifactor authentication requirements for more of its own services, like the Microsoft Azure and Intune portals.
Extend Zero Trust Access Controls to All Resources
Microsoft said the next consideration is to extend Zero trust principles to all resources, including legacy systems and online applications. Automation, entitlement management and lifecycle workflows can help enforce least privilege access and protect against lateral movement during potential compromises.

Microsoft recommends employing the Microsoft Entra Suite for Zero trust deployments, and tools like Microsoft Entra Private Access can be used to replace outdated VPN points of access.

Use Generative AI to Tip the Scales in Favor of Defenders
With so many new attacks implementing generative AI, it only makes sense to use the same technology to guard against it. One option is Microsoft Security Copilot, which Microsoft said help reduce the average time to address a security risk by 30.1 percent. Chik also outlined some ways in which IT can employ AI in their proactive security strategy:

• Enhance risky user investigations: Investigate identity compromises faster with AI-powered recommendations for proactive mitigation and defense. Use natural language conversations to investigate risky users and to gain insights into elevated risk levels and risky sign-ins.
• Troubleshoot sign-ins: Use natural language conversations to uncover root causes of sign-in failures, interruptions, or multifactor authentication prompts. Automate troubleshooting tasks and let AI discover actionable insights across user details, group details, sign-in logs, audit logs, and diagnostic logs.
• Mitigate app risks: Use intuitive prompts to manage and remediate application risks as well as gain detailed insights into permissions, workload identities, and cyberthreats.

Wanting to practice what it preaches, Chik outlined how the company has taken recent steps to strengthen its proactive security approach, including eliminating 730,000 outdated and noncompliant apps, along with 1.7 million unused or outdated Microsoft Azure Active Directory and Microsoft Entra ID systems from production and test environments.