Cybersecurity firm Compass Security has released a report highlighting common configuration failures in how enterprises manage Microsoft Entra ID privileged identities with Privileged Identity Management (PIM). While PIM is designed to limit access through 'just-in-time' mechanisms, the report finds that poor configuration often renders these protections ineffective, providing a false sense of security.
Christian Feuchter, a security expert at Compass Security, noted in the report that even organizations with Entra ID P2 licenses often fail to utilize PIM features entirely. This leads to critical roles, such as Global Administrator, being assigned permanently. If an attacker compromises such an account—for instance, through phishing—they gain immediate, unrestricted control over the entire tenant.
Failures in Privilege Protection
Beyond neglecting PIM, many organizations adopt a 'selective protection' strategy. The report reveals that companies frequently restrict only a few well-known roles, such as Global Administrator, while overlooking other accounts that hold significant privileges. This fragmented approach leaves critical gaps that attackers can easily exploit.
Furthermore, weak authentication methods remain a major concern. Many enterprises still rely solely on built-in Azure Multi-Factor Authentication (MFA). Experts warn that if an attacker steals an already-authenticated MFA token, they may be able to activate privileged roles without undergoing secondary verification. Even more concerning is the risk of session hijacking: if a user’s refresh token is stolen after they have activated a role, an attacker can use that token to maintain persistent, elevated access.
The report also emphasizes the dangers of 'permanent active assignments.' When organizations allow users to hold high-level privileges indefinitely, the window of exposure for privileged access is left wide open. Additionally, the lack of activation notifications means that security teams often remain unaware of suspicious privilege changes until it is too late.
Compass Security recommends that enterprises ensure all high-privilege roles are brought under PIM protection and consider more advanced strategies, such as Authentication Context, to bolster security. Relying on basic PIM settings is no longer sufficient to defend against modern identity-based attacks.
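Two of the findings above, permanent active assignments and privileged roles left outside PIM altogether, can be checked from exported role data. The script below is an added example written for this article; it is not code from the Compass Security report. It assumes the input has the shape of the Microsoft Graph resources roleManagement/directory/roleAssignmentScheduleInstances and roleEligibilityScheduleInstances (fields principalId, roleDefinitionId, assignmentType, endDateTime), and the tenant data, role IDs and the set of roles treated as privileged are all constructed for the example.

```python
"""Audit exported Entra ID role data for two PIM gaps: standing ('permanent
active') assignments of privileged roles, and privileged roles that have
holders but no PIM-eligible assignment at all.

Field names follow the Microsoft Graph roleAssignmentScheduleInstance and
roleEligibilityScheduleInstance resources (an assumption about the export;
adjust if your export differs). All tenant data below is constructed; the
role IDs are placeholders, not Microsoft's real role template IDs.
"""

# Constructed role catalogue: roleDefinitionId -> display name.
ROLE_NAMES = {
    "role-ga": "Global Administrator",
    "role-pra": "Privileged Role Administrator",
    "role-exa": "Exchange Administrator",
    "role-reader": "Directory Readers",
}

# Roles this audit treats as privileged (a constructed policy choice; in a
# real tenant this list should be broader than just Global Administrator).
PRIVILEGED_ROLES = {"role-ga", "role-pra", "role-exa"}

# Constructed active assignments. assignmentType "Assigned" is a standing
# assignment; "Activated" is a time-bound PIM activation of an eligible role.
# endDateTime None means the assignment never expires.
ASSIGNMENTS = [
    {"principalId": "u-alice", "roleDefinitionId": "role-ga",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-bob", "roleDefinitionId": "role-ga",
     "assignmentType": "Activated", "endDateTime": "2024-05-01T10:00:00Z"},
    {"principalId": "u-carol", "roleDefinitionId": "role-exa",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-dave", "roleDefinitionId": "role-reader",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-erin", "roleDefinitionId": "role-pra",
     "assignmentType": "Assigned", "endDateTime": "2024-12-31T00:00:00Z"},
]

# Constructed PIM eligibilities: only Global Administrator is under PIM here.
ELIGIBILITIES = [
    {"principalId": "u-bob", "roleDefinitionId": "role-ga", "endDateTime": None},
]


def permanent_active_assignments(assignments, privileged=PRIVILEGED_ROLES):
    """Return (principalId, role name) for standing holders of privileged
    roles with no end date: the 'permanent active assignments' finding."""
    return sorted(
        (a["principalId"], ROLE_NAMES[a["roleDefinitionId"]])
        for a in assignments
        if a["roleDefinitionId"] in privileged
        and a["assignmentType"] == "Assigned"
        and a.get("endDateTime") is None
    )


def roles_outside_pim(assignments, eligibilities, privileged=PRIVILEGED_ROLES):
    """Return names of privileged roles that are held by someone but have no
    eligible assignment, i.e. roles never brought under PIM."""
    held = {a["roleDefinitionId"] for a in assignments}
    eligible = {e["roleDefinitionId"] for e in eligibilities}
    return {ROLE_NAMES[r] for r in (privileged & held) - eligible}


def audit(assignments, eligibilities):
    """Combine both checks into one findings dictionary."""
    return {
        "permanent_active": permanent_active_assignments(assignments),
        "roles_outside_pim": sorted(roles_outside_pim(assignments, eligibilities)),
    }


if __name__ == "__main__":
    for finding, items in audit(ASSIGNMENTS, ELIGIBILITIES).items():
        print(f"{finding}: {items}")
```

In the constructed tenant the audit shows the 'selective protection' pattern the report describes: Global Administrator has a PIM-eligible holder, yet one account still holds it permanently, while Exchange Administrator and Privileged Role Administrator have holders but no eligibility at all. To run this against real data, export the two Graph collections named above (the RoleManagement.Read.Directory permission is required) and feed them in place of the constructed lists.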