
How to stay ahead of identity-based threats with Managed Conditional Access

As digital environments grow in complexity, identity has become one of the most targeted and vulnerable entry points. Ensuring secure access is no longer optional; it is essential for protecting systems, data, and operations.

Organizations across sectors are facing a similar challenge: how to implement robust access controls that evolve with emerging threats, without compromising usability. The urgency is heightened for those operating in critical infrastructure or under regulatory obligations, where access mismanagement can result in serious operational and reputational consequences. 

Identity is the new frontline

Highly secure (and “gap-free”) Conditional Access designs and implementations have always been a primary focus for organizations.

But why this focus on Conditional Access? It is the centrepiece security control that ties all other security controls together in a risk-based access control strategy:

  • Ensure that users and other accounts use the best available authentication methods to reduce the risk of identity-based attacks, such as MFA man-in-the-middle.
  • Impose the use of secure, managed devices to minimize the risk of authentication-token theft, but also of data theft.
  • Integrate with real-time identity and device risk assessments.
  • Adapt security controls dynamically based on application risk: impose stricter security measures for high-risk apps, more relaxed ones for low-risk apps.

Why static conditional access is not enough 

The biggest challenge is to continually optimize the Microsoft cloud platform while also continually improving security and protecting against configuration drift.

This is also what we aim for in our identity and access management projects.

Recent developments show that traditional protections are no longer sufficient. While MFA (Multi-Factor Authentication) methods such as push notifications or OTPs have been effective for years, attackers are adapting quickly. Sophisticated phishing techniques now specifically target these MFA methods, including so-called “phishing-resistant” ones. 

Even deeper, attackers are starting to exploit protocol-level weaknesses in standards like OAuth and OpenID Connect — where the lack of proof-of-possession allows authentication tokens to be intercepted and reused. This means organizations can no longer rely on static access configurations or assume that once-strong measures will remain effective. 

Keeping up with the latest security developments is necessary to stay protected against new types of attacks:

  • Microsoft Authenticator-based MFA (OTP or push notifications) was sufficient to keep attackers at bay for a long time, until new attack technologies (and even “services”) became available that allow attackers to move from standard phishing to “MFA-phishing”, thereby smoothly navigating around the protections you put in place.
  • Device-code phishing is the next step for attackers; it allows them to circumvent any type of MFA method, even so-called phishing-resistant multifactor authentication.
  • Meanwhile, attackers are increasingly focusing on the inherent weaknesses of the underlying protocols (OIDC, OAuth, …), such as the lack of a “proof-of-possession” concept for authentication (which would give the user a high-security “proof” that they own the authentication token, so that it can no longer be intercepted and re-used).

With Managed Identity and Access Management (MIAM) solutions, you can be assured of continuous updates to your security controls, monitor where you are in your security journey, and have a trusted partner to fall back on when you want to plan your next steps to improve your security posture.

The benefits of IAM 

Specifically for Conditional Access, there is a new service, designed so that all users can be quickly included in the managed model and a specific path per persona can be identified, to gradually move to a higher level of security at each organization’s own pace:

  • Flexible, persona-based security model that adapts the security measures to the risk of specific groups in your organization, such as standard office users, CxO users, IT personnel with high-privileged access, frontline workers, but also non-human accounts (technical/service accounts) and Service Principals.
  • Access is controlled not only by authentication strength, but also by other factors such as location, cloud apps, device security, and more.
  • Highly flexible exception management, so you can keep your security model at a highly secure level while making point exceptions for “difficult” or low-risk applications, without affecting the rest of your environment.

This service is built on a highly scalable, one-size-fits-all architecture with support for numerous use-cases, which allows the implementation to be adapted quickly to the needs of each organization, whether a small business or an enterprise.
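As an added example, not code from the original post or from the service described here, the following Python gap check runs over a persona-based Conditional Access design of the kind outlined above: the policy objects are constructed samples in the shape Microsoft Graph uses for conditionalAccessPolicy, and the persona group names are hypothetical. It flags personas with no enforced policy, privileged personas without phishing-resistant authentication strength, and a device code flow block that is still in report-only mode.

```python
# Added example, not the service's own code. Policies are constructed samples
# in Graph's conditionalAccessPolicy shape; group names are hypothetical.

# Id of the built-in Entra authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"

# Constructed sample policies: one per persona plus a tenant-wide flow block.
POLICIES = [
    {"displayName": "CA-Admins-PhishingResistant", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-admins"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                       "authenticationStrength": {"id": PHISHING_RESISTANT}}},
    {"displayName": "CA-Office-MFA-CompliantDevice", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-office"],
                              "excludeGroups": ["grp-break-glass"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "CA-All-Block-DeviceCodeFlow",
     "state": "enabledForReportingButNotEnforced",  # report-only, so not enforced
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Hypothetical persona groups and their risk class.
PERSONAS = {"grp-admins": "privileged", "grp-office": "standard", "grp-frontline": "frontline"}


def check_gaps(policies, personas):
    """Return findings (one string each); an empty list means no gap found."""
    findings = []
    enforced = [p for p in policies if p["state"] == "enabled"]
    for group, risk in personas.items():
        covering = [p for p in enforced
                    if group in p["conditions"]["users"].get("includeGroups", [])]
        if not covering:
            findings.append(f"{group}: no enforced policy targets this persona")
        elif risk == "privileged" and not any(
                p["grantControls"].get("authenticationStrength", {}).get("id")
                == PHISHING_RESISTANT for p in covering):
            findings.append(f"{group}: privileged persona lacks phishing-resistant MFA")
    # Device-code phishing is only stopped by an *enforced* block on that flow.
    if not any(p["conditions"].get("authenticationFlows", {}).get("transferMethods")
               == "deviceCodeFlow" and "block" in p["grantControls"]["builtInControls"]
               for p in enforced):
        findings.append("device code flow is not blocked by an enforced policy")
    return findings
```

Run against a real tenant, the same check would be fed the output of the Graph policy listing; here it reports the frontline persona as uncovered and the report-only device code block as a gap.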

Key benefits include: 

  • New security threats against identities are continuously validated, and our model is adapted to counter new types of attacks.
  • Our fine-grained security controls allow us to support your use-cases narrowly, minimizing risk based on least-privilege principles.
  • New features added to the Microsoft Entra platform are incorporated into our architecture, so we can better protect against new threats and ensure that your protection stays up-to-date.
  • A Conditional Access monitoring dashboard that gives you a view of your risk across your organization.
  • Every update to our Conditional Access model is thoroughly tested, and the deployment of updates to our customers is protected with state-of-the-art security measures to minimize the risk of supply-chain attacks.

In addition to all of this, we plan the following extensions in the near future:

  • Configuration backup of your M365 tenant’s security config 
  • Monitoring & mitigation of configuration drift  
  • Integration with our Watch monitoring service, so changes to critical configuration settings will immediately trigger our incident-response process
  • Managed solution for privileged access management for Microsoft 365 and other Entra-ID-connected cloud-services and applications. 


Adaptive access as a strategic necessity 

Identity has become the first, and often final, frontier in cybersecurity. A strong Conditional Access framework is no longer a bonus, but a baseline requirement. And static models simply can’t keep up with a dynamic threat landscape.

Organizations that embrace a managed, adaptive IAM approach gain more than just stronger security. They gain flexibility, future-readiness, and peace of mind. It’s a step toward cybersecurity that evolves as fast as the threats, and as fast as your business. 

If you want to learn more about this new service, do not hesitate to contact us.