In short

Identity is where Zero Trust starts and where Secure Score gives you the most points. In Microsoft 365 you secure it with Entra ID: enforce MFA for everyone through Conditional Access, block legacy authentication, move privileged accounts to phishing-resistant sign-in and Privileged Identity Management, and let Identity Protection act on risky sign-ins. Get identity right and every other pillar has something solid to stand on.

Why Identity Is the First Pillar

If an attacker owns a valid identity, every control downstream has to compensate for it. That is why identity is the first pillar of Zero Trust for Microsoft 365, and it is no accident that the Identity category holds the highest-impact actions in Microsoft Secure Score. Turn on multi-factor authentication for all users and your score jumps more than almost anything else you can do in an afternoon.

Identity is also the pillar that decides everything else. Conditional Access is the gate; device health, app, and data controls are signals and consequences that hang off it. So this is where you start — not with a firewall, not with a new tool, but with who is allowed in and under what conditions.

What Secure Score Measures Here

The Identity improvement actions in Secure Score are a useful checklist because they map to real attacker behaviour. The ones worth chasing first:

  • Require MFA for all users and for administrators — separate actions; do both.
  • Block legacy authentication — IMAP, POP3, and SMTP AUTH cannot enforce MFA and are the favourite entry point for password spraying.
  • Ensure all users can complete MFA registration and enable combined security information registration.
  • Enable a user-risk and sign-in-risk policy (Identity Protection).
  • Do not allow users to grant consent to unmanaged apps — this bleeds into the Apps pillar, but it starts at identity.

The Controls That Matter

Multi-factor authentication. The single highest-value control in Microsoft 365. Enforce it through Conditional Access rather than per-user settings so it applies by policy and reports cleanly. Start with administrators, then all users, within the same week.

Conditional Access. This is the policy engine that makes Zero Trust real. It weighs signals — who, which device, what location, what risk level — and enforces a decision: allow, block, require MFA, or require a compliant device. Everything else in this series feeds signals into it. For the deeper picture of what the platform costs, see the Entra ID pricing guide.

Phishing-resistant, passwordless sign-in. Ordinary MFA stops password reuse, but not modern adversary-in-the-middle phishing that steals the session token. Windows Hello for Business, FIDO2 keys, and passkeys remove the password as an attack surface entirely. Roll them out to admins and executives first.

Privileged Identity Management (PIM). Standing Global Admin rights are a liability. PIM makes privileged roles just-in-time: a user activates the role for a bounded window, with approval, MFA, and a justification. Nothing is permanently elevated.

Identity Protection. With Entra ID P2, machine-learning risk detection classifies sign-ins and users as low, medium, or high risk and feeds that straight into Conditional Access — require MFA at medium risk, block at high.

How to Roll It Out

Day one: Conditional Access requiring MFA for all users; block legacy authentication. These two changes remove the most common attack path and cost nothing but coordination.

Weeks two to four: Named-location policies, combined registration, and MFA for guests. Begin the passwordless rollout with IT and leadership.

Month two onward: Turn on Identity Protection risk policies. Move every administrative role into PIM. Expand phishing-resistant sign-in company-wide.

Common Mistakes

Treating MFA as the finish line. It is step one. Token theft and MFA-fatigue attacks walk straight past basic MFA; phishing-resistant methods and token protection are the answer.

Leaving standing admin rights. A permanently-elevated Global Admin is one phish away from a tenant takeover. PIM is not optional at any real size.

Skipping legacy-auth blocking “because something might break.” Run the sign-in logs in report-only first, find the three service accounts still using it, fix them, then enforce.

Glossary

Entra ID
Microsoft's cloud identity and access management service (formerly Azure AD) — the identity provider behind Microsoft 365.
Conditional Access
The Entra ID policy engine that enforces an access decision (allow, block, require MFA, require compliant device) from real-time signals.
Phishing-resistant MFA
Authentication that cannot be relayed by an adversary-in-the-middle — FIDO2 security keys, Windows Hello for Business, and passkeys.
PIM (Privileged Identity Management)
Just-in-time activation of privileged roles with approval, MFA, and justification, so no role is permanently elevated.
Identity Protection
Entra ID P2 machine-learning risk detection for users and sign-ins that feeds risk signals into Conditional Access.
Secure Score
Microsoft's measurement of your security posture, grouped into Identity, Devices, Apps, and Data improvement actions.

Frequently Asked Questions

Which identity control should I enable first in Microsoft 365?

Enforce multi-factor authentication for all users through a Conditional Access policy, and block legacy authentication. These two changes remove the most common attack path — password-based sign-ins that bypass MFA — and cost nothing but a little coordination.

Does securing identity require Microsoft 365 E5?

No. MFA and Conditional Access come with Entra ID P1, which is included in Microsoft 365 Business Premium and E3. E5 (Entra ID P2) adds risk-based Identity Protection and Privileged Identity Management, but the foundation is available well below E5.

Is MFA enough to secure identity?

No. MFA stops password reuse but not token theft or adversary-in-the-middle phishing. Add phishing-resistant methods (FIDO2, Windows Hello), Conditional Access, and Privileged Identity Management to cover the gaps.