“The fastest way to compromise an organization is to take over an identity” - cybercriminals know this principle well. That is why Microsoft Entra ID, the central gateway to digital identity in the modern workplace, is the target of over 600 million attacks a day. In this article we analyze the identity threat landscape and present protection strategies.
Quick Navigation
- Scale of threats: numbers that should concern you
- Why do attackers target identities?
- Most common attack vectors on Entra ID
- Hidden threats: not just cyberattacks
- Response time: 277 days is too long
- Microsoft Entra ID protection strategies
- The role of backup in identity protection
Scale of threats: numbers that should concern you
Recent industry reports paint a concerning picture:
| Statistic | Value | Source |
|---|---|---|
| Daily identity attacks | 600 million | Microsoft Digital Defense Report 2024 |
| Average breach detection time (Mean Time to Identify) | 207 days | IBM Cost of a Data Breach 2022 |
| Average containment time (Mean Time to Contain) | 70 days | IBM Cost of a Data Breach 2022 |
| Total time (detect + contain) | 277 days | IBM Cost of a Data Breach 2022 (the 2024 edition reports 258 days: 194 to identify, 64 to contain) |
| Machine identity growth | 3x | CyberArk Identity Security Threat Landscape 2024 |
| Cost of a breach caused by stolen or compromised credentials | $4.81M | IBM Cost of a Data Breach 2024 |
These numbers show that identity attacks are not a theoretical threat - they’re everyday reality for every organization using cloud services.
📚 Read the complete guide: IAM / Zero Trust: Identity and access management - from the basics to Zero Trust (original title: Zarządzanie tożsamością i dostępem - od podstaw do Zero Trust)
Why do attackers target identities?
One identity = access to everything
Microsoft Entra ID is the central authentication hub for:
- Microsoft 365 (Exchange, SharePoint, Teams, OneDrive)
- Azure cloud services
- Thousands of SaaS applications (Salesforce, Workday, ServiceNow…)
- Internal applications via SSO
Taking over one administrator account = control over the entire organization.
Lateral movement and privilege escalation
After taking over an initial identity, attackers can:
- Explore permissions and groups
- Identify accounts with higher privileges
- Escalate privileges to Global Admin level
- Establish persistence, for example by adding their own credentials to an existing App Registration that already holds high permissions
- Exfiltrate data or deploy ransomware
Difficulty of detection
Attacks that use valid credentials are hard to detect:
- The sign-in looks like normal activity
- There are no malware signatures to detect
- Actions stay within the account’s “normal” permissions
- The attack is spread out over time
Most common attack vectors on Entra ID
1. Password spray attacks
Attackers try a handful of common passwords (e.g., “Summer2024!”, “Company123”) against many accounts, typically one password per account per round, spaced out over hours or days. Because each account sees only a few failed attempts, lockout thresholds are never reached; the signal is the number of distinct accounts failing from the same source, not the number of attempts per account.
How to protect:
- MFA for all users
- Microsoft Entra Password Protection (formerly Azure AD Password Protection) with a custom banned-password list, plus smart lockout
- Conditional Access policies
- Monitoring unusual logins
2. Phishing and credential harvesting
Fake Microsoft sign-in pages collect user credentials. Increasingly, attackers use adversary-in-the-middle (AiTM) kits that proxy the real sign-in page: the victim completes MFA against Microsoft, and the kit captures the session cookie issued afterwards. This defeats push- and OTP-based MFA, but not phishing-resistant methods whose credential is bound to the legitimate origin.
How to protect:
- Phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business)
- Security awareness training
- Microsoft Defender for Office 365
- Conditional Access - require compliant device
3. Token theft
Attackers steal session artifacts (browser cookies, refresh tokens, the Primary Refresh Token on Windows devices) instead of passwords. Because the token was issued after the user had already satisfied MFA, replaying it satisfies MFA-based policies as well; the attacker never needs the password.
How to protect:
- Token protection in Conditional Access
- Continuous Access Evaluation (CAE)
- Session lifetime policies
- Endpoint protection
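The two attack patterns above, password spray and replayed session tokens, are both visible in Entra sign-in logs if you look at the right aggregate. The following is an added example, not code from the article or from any product it mentions: two detectors run over constructed sample records shaped like Entra sign-in log entries (userPrincipalName, ipAddress, status.errorCode, sessionId, location). Error code 50126 is Entra’s “invalid username or password” result; the thresholds, IPs and account names are assumptions for the demo.

```python
"""Detections over Entra sign-in log events: password spray and session
token reuse. Added example; records are constructed, not real tenant data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra status.errorCode for a wrong password

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    # a spray: one source IP, one guess per account, a dozen accounts in minutes
    *[
        {"ts": f"2024-06-01T02:{i:02d}:00Z", "upn": f"user{i}@contoso.example",
         "ip": "203.0.113.7", "errorCode": INVALID_CREDENTIALS, "sessionId": None, "country": "US"}
        for i in range(12)
    ],
    # a legitimate user mistyping twice, then signing in successfully
    {"ts": "2024-06-01T08:00:00Z", "upn": "alice@contoso.example", "ip": "198.51.100.4",
     "errorCode": INVALID_CREDENTIALS, "sessionId": None, "country": "PL"},
    {"ts": "2024-06-01T08:00:30Z", "upn": "alice@contoso.example", "ip": "198.51.100.4",
     "errorCode": INVALID_CREDENTIALS, "sessionId": None, "country": "PL"},
    {"ts": "2024-06-01T08:01:00Z", "upn": "alice@contoso.example", "ip": "198.51.100.4",
     "errorCode": 0, "sessionId": "sess-alice-1", "country": "PL"},
    # the same session later used from another country: a replayed cookie/token
    {"ts": "2024-06-01T09:15:00Z", "upn": "alice@contoso.example", "ip": "192.0.2.99",
     "errorCode": 0, "sessionId": "sess-alice-1", "country": "NG"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(hours=1), min_accounts=10, max_per_account=3):
    """Source IPs whose bad-password failures hit at least `min_accounts`
    distinct accounts within `window`, with at most `max_per_account`
    attempts each: many accounts, few tries per account is a spray, not a
    brute force, and stays under per-account lockout thresholds."""
    by_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] == INVALID_CREDENTIALS:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, failures in by_ip.items():
        failures.sort(key=lambda e: parse_ts(e["ts"]))
        best, start = None, 0
        for end in range(len(failures)):
            # slide the window start forward until the span fits inside `window`
            while parse_ts(failures[end]["ts"]) - parse_ts(failures[start]["ts"]) > window:
                start += 1
            per_account = defaultdict(int)
            for e in failures[start:end + 1]:
                per_account[e["upn"]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                candidate = {"accounts": len(per_account), "attempts": end - start + 1}
                if best is None or candidate["accounts"] > best["accounts"]:
                    best = candidate
        if best:
            hits[ip] = best
    return hits


def detect_session_reuse(events):
    """(sessionId, upn, countries) for successful sign-ins where the same
    session id appears from more than one country. A fresh authentication
    gets a new session; the same session from two countries points to a
    stolen cookie or refresh token being replayed (AiTM or infostealer)."""
    countries, owner = defaultdict(set), {}
    for e in events:
        if e["errorCode"] == 0 and e["sessionId"]:
            countries[e["sessionId"]].add(e["country"])
            owner[e["sessionId"]] = e["upn"]
    return [(sid, owner[sid], sorted(c)) for sid, c in countries.items() if len(c) > 1]


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("replayed sessions:", detect_session_reuse(SAMPLE_EVENTS))
```

Alice’s two typos never trip the spray rule because they concern one account, while the spraying IP is caught on the count of distinct accounts rather than on attempts per account. The session-reuse rule will also fire on users who switch VPN exit countries mid-session, so in production it is best paired with Continuous Access Evaluation and a device or ASN check rather than used as a stand-alone block.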
4. Consent phishing
A malicious application, often attacker-registered and multi-tenant, asks the user for consent to permissions such as reading mail, files and contacts, usually together with offline_access so the app keeps a refresh token. The user clicks “Accept” without understanding that the grant gives the application durable access that persists until an administrator revokes it.
How to protect:
- Admin consent workflow
- Block user consent, or allow it only for apps from verified publishers requesting low-impact permissions
- Regular App Registrations reviews
- Consent grants monitoring
5. Attacks on App Registrations
App Registration credentials (client secrets or certificates) let an attacker obtain tokens through the client credentials flow with no user sign-in, so user-targeted Conditional Access and MFA never come into play. Service Principals often hold broad application permissions (e.g. Directory.ReadWrite.All, or Mail.Read across every mailbox).
How to protect:
- Managed Identities instead of secrets where possible
- Short credential lifetimes
- Certificate-based auth
- Back up App Registrations (native soft delete keeps a deleted app for only 30 days)
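Consent grants and App Registration credentials are both things an administrator can review from a Graph export, and both reviews are best done together. The following is an added example, not the article’s or any vendor’s code: it flags consent grants that combine a broad scope with offline_access or an unverified publisher (the consent-phishing profile from section 4), and client secrets that are expired or longer-lived than policy allows (section 5). The records mirror the shape of Graph servicePrincipal, oauth2PermissionGrant and application objects but are constructed; the scope list and the 180-day limit are this example’s own assumptions, not a Microsoft classification.

```python
"""Review of consent grants and app registration credentials.
Added example; tenant records are constructed, not real data.
"""
from datetime import datetime, timezone

# Delegated scopes that give broad mail, file or directory access (assumed list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
}
MAX_SECRET_LIFETIME_DAYS = 180  # assumed organizational policy

# Constructed tenant data.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso HR Portal", "verifiedPublisher": True},
    {"id": "sp-2", "displayName": "Free PDF Viewer", "verifiedPublisher": False},
]
SAMPLE_GRANTS = [
    # Graph returns delegated scopes as one space-separated string
    {"clientId": "sp-1", "consentType": "AllPrincipals", "scope": "User.Read offline_access"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "bob",
     "scope": "User.Read Mail.Read offline_access"},
]
SAMPLE_APPLICATIONS = [
    {"displayName": "Contoso HR Portal", "passwordCredentials": [
        {"keyId": "k1", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"displayName": "Payroll Sync", "passwordCredentials": [
        {"keyId": "k2", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-04-01T00:00:00Z"}]},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def risky_consent_grants(grants, service_principals):
    """Grants that combine a high-risk scope with either offline_access
    (a refresh token the app keeps) or an unverified publisher: the
    classic consent-phishing profile."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g["scope"].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        persistent = "offline_access" in scopes
        verified = bool(sp.get("verifiedPublisher"))
        if risky and (persistent or not verified):
            findings.append({
                "app": sp.get("displayName", g["clientId"]),
                "consentType": g["consentType"],  # "Principal" = a single user consented
                "scopes": risky,
                "offline_access": persistent,
                "verifiedPublisher": verified,
            })
    return findings


def secret_findings(applications, now="2024-06-01T00:00:00Z"):
    """Client secrets that are expired (a hint of a forgotten integration)
    or whose lifetime exceeds the policy limit."""
    current = _parse(now)
    findings = []
    for app in applications:
        for cred in app.get("passwordCredentials", []):
            start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
            lifetime_days = (end - start).days
            if end < current:
                findings.append((app["displayName"], cred["keyId"], "expired"))
            elif lifetime_days > MAX_SECRET_LIFETIME_DAYS:
                findings.append((app["displayName"], cred["keyId"],
                                 f"lifetime {lifetime_days}d exceeds {MAX_SECRET_LIFETIME_DAYS}d policy"))
    return findings


if __name__ == "__main__":
    print(risky_consent_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS))
    print(secret_findings(SAMPLE_APPLICATIONS))
```

The HR portal’s grant passes because User.Read plus offline_access is the baseline any SSO app needs; the PDF viewer is flagged on Mail.Read from an unverified publisher with a refresh token. A “Principal” consent type means one user accepted it, which is exactly the case an admin consent workflow would have intercepted.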
Hidden threats: not just cyberattacks
Configuration errors
The Identity Security Threat Landscape 2024 report indicates that misconfigurations are one of the main incident vectors:
- Overly broad API permissions for applications
- Legacy authentication enabled “temporarily”
- No MFA for administrative accounts
- Outdated Conditional Access policies
- Guest users with excessive permissions
Human errors
Even in the best-secured organization, mistakes happen:
- An administrator accidentally deletes a security group
- A PowerShell script with a bug modifies hundreds of accounts
- A misconfigured policy blocks access for everyone
- Deletion of an App Registration used by a critical application
Insider threats
Employees (current and former) pose a real threat:
- Data exfiltration before departure
- Sabotage by a disgruntled employee
- Abuse of administrative privileges
- Creating “backdoors” through App Registrations
Response time: 277 days is too long
According to IBM Security’s Cost of a Data Breach study (2022 edition), the average time from compromise to detection and containment was 277 days:
- 207 days to detect (Mean Time to Identify)
- 70 days to contain (Mean Time to Contain)
Consequences of long dwell time
In 277 days, an attacker can:
- Conduct full environment reconnaissance
- Establish persistence (hidden accounts, App Registrations)
- Exfiltrate sensitive data
- Prepare a ransomware attack
- Cover their tracks
How to shorten response time?
- Monitoring and alerting - Microsoft Entra ID Protection (formerly Azure AD Identity Protection), Microsoft Defender for Identity
- Change detection - immediate information about tenant changes
- Backup with comparison capability - what changed between points in time
- Incident response plan - practiced response procedures
- Forensic capabilities - ability to analyze historical logs
Microsoft Entra ID protection strategies
Layer 1: Prevention
Zero Trust for identities:
- MFA for everyone - no exceptions
- Phishing-resistant MFA for admins (FIDO2)
- Conditional Access - verify explicitly
- Least privilege - minimal permissions
- Just-in-time access (PIM)
Entra ID hardening:
- Disable legacy authentication
- Restrict user consent to applications (verified publishers and low-impact permissions only), or block it entirely
- Restrict App Registration creation
- Enforce strong passwords
- Configure password protection
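The misconfigurations listed under “Hidden threats” and the hardening items above can be checked mechanically against a Graph export of the tenant’s Conditional Access policies and authorization policy. The following is an added example, not the article’s or any product’s code: the Global Administrator role template id, the policy state strings and the permission-grant policy ids are Graph’s real values, but both tenants are constructed and what counts as “hardened” is this example’s own reading of the recommendations. A typical trap it catches is a legacy-auth block left in report-only mode.

```python
"""Posture checks for common Entra ID misconfigurations.
Added example; both tenants below are constructed.
"""
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator template id
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}         # the two legacy clientAppTypes
CONSENT_ALLOW_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def _enforced(policy):
    # report-only ("enabledForReportingButNotEnforced") and disabled policies protect nothing
    return policy.get("state") == "enabled"


def _users(policy):
    return policy.get("conditions", {}).get("users", {})


def legacy_auth_blocked(policies):
    """An enforced policy that blocks both legacy client types for all users."""
    for p in policies:
        grant = p.get("grantControls") or {}
        if (_enforced(p)
                and LEGACY_CLIENT_APPS <= set(p.get("conditions", {}).get("clientAppTypes", []))
                and "All" in _users(p).get("includeUsers", [])
                and grant.get("builtInControls") == ["block"]):
            return True
    return False


def admins_require_mfa(policies):
    """An enforced policy covering Global Administrators (directly or via
    "All users") for all apps, requiring MFA or an authentication strength."""
    for p in policies:
        grant = p.get("grantControls") or {}
        targets_admins = (GLOBAL_ADMIN_ROLE in _users(p).get("includeRoles", [])
                          or "All" in _users(p).get("includeUsers", []))
        strong = ("mfa" in grant.get("builtInControls", [])
                  or grant.get("authenticationStrength") is not None)
        all_apps = "All" in p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if _enforced(p) and targets_admins and strong and all_apps:
            return True
    return False


def posture_findings(policies, authorization_policy):
    findings = []
    if not legacy_auth_blocked(policies):
        findings.append("legacy authentication is not blocked by an enforced policy")
    if not admins_require_mfa(policies):
        findings.append("Global Administrators are not required to use MFA for all apps")
    if CONSENT_ALLOW_ALL in authorization_policy.get("permissionGrantPolicyIdsAssignedToDefaultUserRole", []):
        findings.append("users may consent to any application (consent phishing exposure)")
    if authorization_policy.get("defaultUserRolePermissions", {}).get("allowedToCreateApps", True):
        findings.append("any user may create app registrations")
    return findings


# Constructed "weak" tenant: the legacy-auth block exists but only in report-only mode,
# there is no admin MFA policy, and user consent and app creation are wide open.
WEAK_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
WEAK_AUTHZ = {
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [CONSENT_ALLOW_ALL],
    "defaultUserRolePermissions": {"allowedToCreateApps": True},
}

# Constructed "hardened" tenant: same block, enforced, plus admin MFA and tightened defaults.
HARDENED_POLICIES = [
    {**WEAK_POLICIES[0], "state": "enabled"},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
HARDENED_AUTHZ = {
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [CONSENT_LOW_RISK],
    "defaultUserRolePermissions": {"allowedToCreateApps": False},
}


if __name__ == "__main__":
    print("weak:", posture_findings(WEAK_POLICIES, WEAK_AUTHZ))
    print("hardened:", posture_findings(HARDENED_POLICIES, HARDENED_AUTHZ))
```

The checks deliberately ignore exclusions; a real audit should also list every user, group and role excluded from the admin MFA and legacy-auth policies, since “break glass” exclusions are where attackers look for gaps.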
Layer 2: Detection
Monitoring:
- Microsoft Entra ID Protection (formerly Azure AD Identity Protection)
- Microsoft Defender for Identity
- SIEM integration (sign-in logs, audit logs)
- Risky sign-ins alerts
- Impossible travel detection
Change tracking:
- Group changes monitoring
- Alerts for new App Registrations
- Permission changes tracking
- Configuration comparison
Layer 3: Response and recovery
Incident response:
- Playbooks for identity incidents
- Automated response (disable compromised account)
- Forensic investigation capabilities
- Communication plan
Recovery:
- Entra ID backup - users, groups, app registrations, logs
- Point-in-time restore
- Tested recovery procedures
- RTO/RPO for identity services
The role of backup in identity protection
Microsoft Entra ID backup is the last line of defense when prevention and detection fail.
What does Entra ID backup provide?
| Scenario | Without backup | With backup |
|---|---|---|
| Destructive attack (mass deletion or tampering, e.g. by a ransomware operator) | Manual rebuild, weeks | Point-in-time restore, hours |
| Deleted App Registration | Restorable only within the 30-day soft-delete window, then permanently lost | Granular restore from any retained point in time |
| Mass attribute modification | Manual correction, with no record of the previous values | Restore specific attributes |
| Forensic investigation | Limited to 30 days of sign-in and audit logs (7 days on the Free tier) unless exported | Full history |
| Compliance audit | No historical data | Long-term retention |
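The scenarios in this table, and the “change detection” and “backup with comparison capability” items in the response-time section, all come down to one operation: compare two points in time and turn the differences into restore actions. The following is an added example, not the article’s or Veeam’s code: a generic snapshot differ that reports created, deleted and attribute-level modified objects for any object type, and builds a restore plan that re-creates deleted objects and resets only the attributes that changed. The snapshots are constructed (a buggy script cleared every user’s manager and department, and an admin deleted a security group and an app registration); the snapshot layout is this example’s own, not a product’s export format.

```python
"""Compare two tenant snapshots and build an attribute-level restore plan.
Added example; the snapshots are constructed and the layout is this
example's own (dict of object type -> list of objects with an `id`).
"""


def _index(objects):
    return {o["id"]: o for o in objects}


def diff_snapshots(before, after):
    """Return {type: {"deleted": [ids], "created": [ids],
    "modified": {id: {attr: (old, new)}}}} for every object type seen."""
    report = {}
    for obj_type in sorted(set(before) | set(after)):
        old, new = _index(before.get(obj_type, [])), _index(after.get(obj_type, []))
        modified = {}
        for oid in old.keys() & new.keys():
            changes = {}
            for attr in set(old[oid]) | set(new[oid]):
                a, b = old[oid].get(attr), new[oid].get(attr)
                # membership-style lists compare as sets so reordering is not a change
                if isinstance(a, list) and isinstance(b, list):
                    a, b = sorted(a), sorted(b)
                if a != b:
                    changes[attr] = (old[oid].get(attr), new[oid].get(attr))
            if changes:
                modified[oid] = changes
        report[obj_type] = {
            "deleted": sorted(old.keys() - new.keys()),
            "created": sorted(new.keys() - old.keys()),
            "modified": modified,
        }
    return report


def restore_plan(report, before, restore_attrs=None):
    """Turn the diff into concrete restore actions: re-create deleted objects
    and reset only the attributes that changed, optionally limited to the
    attributes a mass-modification script touched (so legitimate edits made
    in the meantime, such as a renamed user, are left alone)."""
    actions = []
    for obj_type, r in report.items():
        old = _index(before.get(obj_type, []))
        for oid in r["deleted"]:
            actions.append(("recreate", obj_type, oid, old[oid]))
        for oid, changes in r["modified"].items():
            for attr, (old_value, _new_value) in changes.items():
                if restore_attrs is None or attr in restore_attrs:
                    actions.append(("set", obj_type, oid, {attr: old_value}))
    return actions


# Constructed snapshots: a buggy script cleared every user's manager and
# department, Bob was legitimately renamed, and an admin deleted a security
# group and an app registration.
BEFORE = {
    "users": [
        {"id": "u1", "upn": "alice@contoso.example", "department": "Finance", "manager": "u3", "displayName": "Alice"},
        {"id": "u2", "upn": "bob@contoso.example", "department": "IT", "manager": "u3", "displayName": "Bob"},
    ],
    "groups": [{"id": "g1", "displayName": "Finance-Admins", "members": ["u1", "u3"]}],
    "applications": [{"id": "app-obj-1", "appId": "app-1", "displayName": "Payroll Sync",
                      "requiredResourceAccess": ["Mail.Read"]}],
}
AFTER = {
    "users": [
        {"id": "u1", "upn": "alice@contoso.example", "department": None, "manager": None, "displayName": "Alice"},
        {"id": "u2", "upn": "bob@contoso.example", "department": None, "manager": None, "displayName": "Bob B."},
    ],
    "groups": [],
    "applications": [],
}


if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for action in restore_plan(report, BEFORE, restore_attrs={"department", "manager"}):
        print(action)
```

Restricting the plan to the attributes the faulty script touched is the “restore specific attributes” row of the table: Bob’s new display name survives while his department and manager come back. Applying the “recreate” actions for an app registration also means re-issuing its credentials, since secret values are never stored in a restorable form.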
Veeam Backup for Microsoft Entra ID
Veeam offers two Entra ID protection models:
Veeam Data Cloud for Entra ID (SaaS):
- Backup-as-a-service
- Unlimited storage included
- Zero infrastructure management
- Accelerated change detection
Veeam Backup for Entra ID (self-managed):
- Software on your own infrastructure
- Integration with Veeam Data Platform
- Full control over storage
- Per-user licensing or as part of VDP
Summary
600 million daily attacks on Microsoft Entra ID isn’t just a statistic - it’s the reality every organization faces. Identities have become the new security perimeter, and their protection requires a multi-layered approach:
- Prevention - MFA, Conditional Access, Zero Trust
- Detection - monitoring, alerting, change tracking
- Response - incident response, forensics
- Recovery - backup, point-in-time restore
Organizations that rely solely on Microsoft’s native mechanisms (30-day soft delete, 30 days of sign-in and audit logs) are exposed to:
- Permanent loss of critical objects (App Registrations, Service Principals, groups) once the soft-delete window passes, and of objects with no soft delete at all, such as Conditional Access policies
- Inability to conduct forensic investigations
- Non-compliance with regulations
- Long recovery time after incidents
Entra ID backup is not optional - it’s an essential security strategy element in an era where identity is the primary target for attackers.
Want to assess your organization’s identity protection level? Our experts will conduct an assessment and propose a Microsoft Entra ID protection strategy tailored to your needs. Contact us.
Related Terms
Learn key terms related to this article in our cybersecurity glossary:
- Security Operations Center (SOC) — Security Operations Center (SOC) is a central location where a team of security…
- SOC as a Service — SOC as a Service (Security Operations Center as a Service), also known as…
- Backup — Backup, also known as a backup copy or safety copy, is the process of creating…
- Cloud Environment Security — Cloud environment security refers to the technologies, procedures, policies,…
- CSPM (Cloud Security Posture Management) — CSPM (Cloud Security Posture Management) is a category of cloud security tools…
Learn More
Explore related articles in our knowledge base:
- Veeam Data Cloud for Microsoft Entra ID: Comprehensive Deployment Guide
- Cloud migration costs - How to plan and optimize them
- High availability of IT systems: How to ensure business continuity and minimize downtime?
- How does NVMe technology work in data storage? Modern IT infrastructure
- Lessons from the biggest data leaks 2024/2025: how to avoid the mistakes of the biggest companies?
Explore Our Services
Need cybersecurity support? Check out:
- Security Audits - comprehensive security assessment
- Penetration Testing - identify vulnerabilities in your infrastructure
- SOC as a Service - 24/7 security monitoring
