Entra ID: Why identities are becoming the biggest cloud risk

Identities are the key to corporate data today. Whoever gains access to Microsoft Entra ID controls email, collaboration platforms and business-critical applications. Nevertheless, many companies rely on Microsoft to protect their identities automatically.

In this interview, three experts from MOUNT10 explain why this assumption is dangerous – and why identity backup is becoming a central component of modern IT security.

Why Entra ID suddenly poses a business risk

Many companies assume that Microsoft automatically protects their identities. Why is this a dangerous misconception?

Patrick Stutz:
Microsoft does not concern itself with data security – Microsoft concerns itself with the availability of its services. This is also clearly stated in the terms and conditions. Source: https://www.microsoft.com/de-ch/servicesagreement/ (Availability of Services, b. “(…) We recommend that you regularly back up the content and data stored in the Services, or store it using third-party apps and services”)

Why is Entra ID a more attractive target today than traditional servers or databases?

Philippe Gmür:
As customers migrate to the cloud, so do the targets of attacks. Entra ID is at the heart of this: if an attacker manages to steal a customer’s identity, they have direct access to emails, Teams, SharePoint and all other applications linked to it.

What did the latest Entra ID vulnerability reveal that surprised many IT managers?

Patrick Stutz:
With relatively little effort, it was possible to bypass the authorisations on Entra ID and gain access. This critical bug was quickly fixed by Microsoft in autumn 2025, but it highlights the critical nature of Entra ID.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241

In the first half of 2025, identity-based attacks rose by 32%. Source: https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/

If an attacker gains control of Entra ID, what realistically happens within the first 60 minutes?

Besnik Qerimi:
Usually, not much happens in the first 60 minutes; the initial focus is on establishing a foothold. Once an attacker has gained high privileges in Entra ID, the focus shifts to permanence. The attacker creates backdoors, such as inconspicuous new admin accounts or customised permissions on existing applications, which are usually overlooked. They may manipulate the conditional access policies to ensure that they cannot be locked out themselves. In these first few hours, the company often already loses control over its own infrastructure.

The technical reality behind Entra ID – and where risks arise

Which Entra ID objects are actually not fully recoverable today if something goes wrong?

Patrick Stutz:
Conditional access policies do not have a “recycle bin” and are lost once deleted. The assignment of admin roles cannot be immediately reversed either. With a CLOUD 2 CLOUD Entra ID backup, this data can be restored immediately.

Why is Microsoft’s own recovery mechanism insufficient in many scenarios?

Patrick Stutz:
Changes are often detected late and are no longer recoverable with Microsoft’s own on-board tools. CLOUD 2 CLOUD Entra ID Backup offers a long history of backup inventories. This allows granular restoration from any point in time.
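The point made in the two answers above (deleted or altered conditional access policies cannot be recovered from the tenant itself, so a backup history is needed to pick a restore point) can be illustrated with a small restore-planning routine. This is an added example, not MOUNT10's or Microsoft's code; the snapshot history and the simplified policy shape are constructed for the demonstration.

```python
import json


def fingerprint(policy):
    """Canonical JSON so that key order never produces a false 'modified'."""
    return json.dumps(policy, sort_keys=True)


def restore_plan(history, live):
    """history: list of (snapshot_time, {policy_id: policy}), oldest first.
    live: {policy_id: policy} as read from the tenant now.
    Returns (policy_id, status, snapshot_time) for every policy that is missing
    or differs from its latest backed-up version; snapshot_time is the point in
    time to restore it from."""
    latest = {}
    for snap_time, policies in history:   # later snapshots overwrite earlier ones
        for pid, policy in policies.items():
            latest[pid] = (snap_time, policy)
    plan = []
    for pid, (snap_time, policy) in latest.items():
        if pid not in live:
            plan.append((pid, "deleted", snap_time))
        elif fingerprint(live[pid]) != fingerprint(policy):
            plan.append((pid, "modified", snap_time))
    return sorted(plan)


def _policy(name, state, exclude=()):
    """Constructed policy in the (simplified) shape of a conditionalAccessPolicy."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(exclude)}},
            "grantControls": {"builtInControls": ["mfa"]}}


HISTORY = [  # constructed backup history, oldest first
    ("2025-10-01", {"ca-mfa": _policy("Require MFA for all users", "enabled"),
                    "ca-admins": _policy("Require MFA for admins", "enabled"),
                    "ca-legacy": _policy("Old pilot policy", "disabled")}),
    ("2025-10-02", {"ca-mfa": _policy("Require MFA for all users", "enabled"),
                    "ca-admins": _policy("Require MFA for admins", "enabled")}),
]
# Constructed live state: the MFA policy now excludes an extra account and the
# admin policy has been deleted outright.
LIVE = {"ca-mfa": _policy("Require MFA for all users", "enabled", exclude=["svc-new"])}
```

A policy that only exists in an older snapshot (here ca-legacy) is still offered for restore from that date, which is the practical value of keeping a long history rather than a single latest copy.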

What happens technically when conditional access policies or roles are manipulated?

Patrick Stutz:
Identity checks of individuals are undermined. This makes it very easy for third parties to access company data.

Which configuration changes are particularly critical because they often go unnoticed for a long time?

Patrick Stutz:
Guest accounts or the lack of monitoring of app permissions are certainly among them. But also one-time registered devices that are not actively managed and still have access to data. The complexity and range of functions of Entra ID present a few stumbling blocks that go unnoticed.

Why is identity backup more technically complex than traditional data backup?

Patrick Stutz:
Data backup is essential; that is undisputed. However, when backing up Microsoft Entra ID, all data relating to Intune, conditional access policies, users, groups and roles is backed up and can be restored in the event of incorrect manipulation. With CLOUD 2 CLOUD Entra ID Backup, this recovery process is so user-friendly that the technical complexity in the background is irrelevant.

Why identity attacks often remain undetected for months

How often do you see attacks today that primarily target identities rather than data?

Besnik Qerimi:
We are seeing a clear shift today. Why should an attacker go to the trouble of cracking firewalls when they can simply take over an identity? Often, access to an identity (e.g. administrator) is much more valuable than direct access to a single file, because the identity is the key to all data.

What are the typical first steps an attacker takes after compromising a token?

Besnik Qerimi:
After stealing a session token, the attacker often bypasses MFA because the token tricks the system into thinking that the user is already authenticated. The typical first step is then often for the attacker to register a new MFA device. From that moment on, they have legitimate access, even if the password is changed.
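The persistence steps described in the two answers above (new MFA method, backdoor privileged role assignment, conditional access changes, extra app permissions) all leave entries in the Entra ID audit log, so a SOC can group them per initiating account. The detector below is an added example, not code from MOUNT10 or Microsoft; the activity names are assumed to match the audit log's activityDisplayName values, and the records are constructed to resemble Graph directoryAudit objects.

```python
from collections import defaultdict

# Activity names are assumed to match Entra audit-log activityDisplayName values.
PERSISTENCE_ACTIVITIES = {
    "User registered security info": "new MFA method registered",
    "Add member to role": "privileged role assignment",
    "Update conditional access policy": "conditional access policy changed",
    "Add app role assignment to service principal": "app permission granted",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def classify(record):
    """Return a finding label for one audit record, or None if it is benign."""
    activity = record.get("activityDisplayName")
    label = PERSISTENCE_ACTIVITIES.get(activity)
    if label is None:
        return None
    if activity == "Add member to role":
        # Only assignments into highly privileged roles count as a finding.
        targets = {t.get("displayName") for t in record.get("targetResources", [])}
        if not targets & PRIVILEGED_ROLES:
            return None
    return label


def findings_by_actor(records):
    """Group findings per initiating account, in time order, so a burst of
    persistence actions by one identity stands out from routine admin work."""
    grouped = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["activityDateTime"]):
        label = classify(rec)
        if label:
            actor = rec["initiatedBy"]["user"]["userPrincipalName"]
            grouped[actor].append((rec["activityDateTime"], label))
    return dict(grouped)


def _rec(ts, activity, actor, *targets):
    """Build a constructed record shaped like a Graph directoryAudit object."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": t} for t in targets]}


SAMPLE = [  # constructed sample: one compromised account, one routine helpdesk account
    _rec("2025-10-01T08:09:00Z", "Update conditional access policy", "j.doe@example.com", "Require MFA for all users"),
    _rec("2025-10-01T08:02:00Z", "User registered security info", "j.doe@example.com"),
    _rec("2025-10-01T08:05:00Z", "Add member to role", "j.doe@example.com", "Global Administrator"),
    _rec("2025-10-01T09:00:00Z", "Update user", "helpdesk@example.com"),
    _rec("2025-10-01T09:30:00Z", "Add member to role", "helpdesk@example.com", "Directory Readers"),
]
```

Three persistence actions by one account inside ten minutes is the pattern worth an analyst's attention; the same actions spread across weeks by different administrators are what normal maintenance looks like.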

Why do Entra ID attacks often remain undetected for a long time (‘silent attacks’)?

Besnik Qerimi:
Because these attacks look like normal work. A typical ransomware attack is loud – systems fail, data is encrypted, etc. An identity attack is silent.
It is extremely difficult for the SOC to distinguish between an administrator who may be performing maintenance work and an attacker. As long as ‘nothing’ obvious happens, these attackers often remain undetected in the system for months.

From a support perspective, which is more dangerous: ransomware or identity manipulation?

Besnik Qerimi:
From an operational point of view, identity manipulation is more dangerous. With ransomware, you know immediately that you have a problem and can start a disaster recovery plan.
With identity manipulation, you immediately lose trust. You don’t know which accounts are still secure. Has this policy been changed? Did this user really request access, or was it the attacker? Recovery is much more complex here because you can’t just restore yesterday’s backup without knowing whether the attacker was already in the system.

How long does it take on average for a company to realise that its identities have been compromised?

Besnik Qerimi:
Without specialised monitoring, we are often talking about weeks or months. Often, it is only noticed when it is already too late for damage control.

Are there typical misconfigurations that attackers specifically exploit?

Besnik Qerimi:
Absolutely. The classic example is gaps in conditional access. There are often exception rules (service accounts) that do not require MFA and are poorly monitored. Another huge problem is too many users with global admin rights. Old, forgotten app registrations with excessive rights are also a popular gateway that is overlooked in many audits.
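The three misconfigurations named in this answer can be checked against an exported tenant configuration. The audit below is an added example, not MOUNT10's or Microsoft's code; the snapshot uses simplified field names loosely modelled on Graph conditionalAccessPolicy, directoryRole and application objects, the thresholds are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timezone

# Thresholds are assumptions to tune per tenant, not values from the interview.
MAX_GLOBAL_ADMINS = 5
STALE_APP_DAYS = 180
HIGH_PRIVILEGE_APP_ROLES = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                            "Application.ReadWrite.All"}


def audit(snapshot, now):
    """Return human-readable findings for the three misconfigurations above."""
    findings = []
    # 1. Enabled MFA policies that carve out exceptions (service accounts etc.).
    for pol in snapshot["conditional_access_policies"]:
        controls = pol.get("grantControls") or {}
        requires_mfa = "mfa" in (controls.get("builtInControls") or [])
        users = pol.get("conditions", {}).get("users", {})
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if pol.get("state") == "enabled" and requires_mfa and excluded:
            findings.append(f"CA policy '{pol['displayName']}' requires MFA but excludes {len(excluded)} principals")
    # 2. Too many Global Administrators.
    admins = [m for role in snapshot["directory_roles"]
              if role["displayName"] == "Global Administrator" for m in role["members"]]
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(f"{len(admins)} Global Administrators (threshold {MAX_GLOBAL_ADMINS})")
    # 3. Forgotten app registrations that still hold high-privilege permissions.
    for app in snapshot["applications"]:
        last = app.get("lastSignIn")
        stale = last is None or (now - datetime.fromisoformat(last.replace("Z", "+00:00"))).days > STALE_APP_DAYS
        privileged = HIGH_PRIVILEGE_APP_ROLES & set(app.get("appRoles", []))
        if stale and privileged:
            findings.append(f"stale app '{app['displayName']}' still holds {sorted(privileged)}")
    return findings


SNAPSHOT = {  # constructed sample tenant state (simplified field names)
    "conditional_access_policies": [
        {"displayName": "Require MFA for all users", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-backup", "svc-sync"]}},
         "grantControls": {"builtInControls": ["mfa"]}},
        {"displayName": "Block legacy auth", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"]}}, "grantControls": {"builtInControls": ["block"]}},
    ],
    "directory_roles": [{"displayName": "Global Administrator", "members": [f"admin{i}@example.com" for i in range(7)]}],
    "applications": [
        {"displayName": "Legacy HR sync", "lastSignIn": "2024-11-03T10:00:00Z", "appRoles": ["Directory.ReadWrite.All"]},
        {"displayName": "Ticketing bot", "lastSignIn": "2025-10-20T10:00:00Z", "appRoles": ["Directory.ReadWrite.All"]},
    ],
}
NOW = datetime(2025, 10, 21, tzinfo=timezone.utc)
```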

Why companies underestimate identities

Why do companies invest millions in security but forget about identities?

Philippe Gmür:
Backups themselves are often underestimated, and securing identity infrastructure is even less tangible. When something happens, it’s usually too late. According to its own terms and conditions, Microsoft protects itself very well, as it is only responsible for the availability of its services and not for securing customer data and configurations.

What do customers typically say before an incident – and what do they say afterwards?

Philippe Gmür:
“Our cloud is secure, we have MFA and Microsoft takes care of the rest.” “Microsoft can’t afford to let something like that happen.” “We’re too small/unimportant for any attackers.”

“Why didn’t anyone force us to secure Entra ID?”
The costs of downtime often exceed the costs of prevention many times over.

What misconception do you hear most often in sales conversations?

Philippe Gmür:
“Microsoft’s own recycle bin is sufficient as a backup.” Many IT managers and even managing directors confuse the short-term recovery of an accidentally deleted user with genuine disaster recovery.

When does the issue of Entra ID backup suddenly become urgent for companies?

Philippe Gmür:
Unfortunately, often when it is already too late, or when it has affected a friendly company or a competitor. Other drivers currently include external audits, insurance companies and regulations.

Which industries are currently underestimating the risk the most?

Philippe Gmür:
It is a cross-industry problem.

Why Entra ID Backup is a non-negotiable for businesses

Isn’t Entra ID Backup just another security product that sells fear?

Patrick Stutz:
Entra ID is not the first thing that comes to mind when you think about backups. However, with every new feature and function released, Entra ID is becoming more prominent. That’s why it’s important that all Entra ID data is backed up and can be restored in an emergency.

Are there scenarios in which a backup really can’t save anything?

Philippe Gmür:
You have to differentiate here; an Entra ID backup alone doesn’t do much. An Entra ID backup combined with an immutable backup of the data and a clean emergency plan has already saved many companies valuable time.

How often should companies realistically test their identities to be prepared in an emergency?

Besnik Qerimi:
Once a year is not enough. The cloud changes too quickly. From an operational point of view, I recommend quarterly. But even more important is testing the recovery. Many have backups, but have never tried to see if they can really restore a complex Entra ID configuration under stress.

What would be your most important measure if your budget only allowed for one additional security solution?

Philippe Gmür:
Invest as much as possible in backup! It is a statistical reality that protective measures will fail at some point. That is exactly when a company needs an independent backup so that it can regain control of its own systems as quickly as possible.

Future of Identity Protection

Will identities become the most important attack surface in the coming years?

Patrick Stutz:
Identities and deepfakes will play an even bigger role in the years ahead. Today, almost anyone can create deepfakes and attempt identity theft — just imagine what this will look like in five years.

How is AI changing attacks on identity systems?

Patrick Stutz:
AI is an advantage for attackers, but also for defenders. Both sides benefit from the technology. Ultimately, it doesn’t change the well-known cat-and-mouse game — it simply comes down to who is faster.

Will Identity Backup become standard in 3–5 years — like M365 Backup is today?

Besnik Qerimi:
Definitely. Identity Backup will become a standard. A few years ago, many believed M365 didn’t need backup. Today, everyone understands that this was negligent. With Entra ID, we’re seeing the same learning curve right now. In a few years, no CISO will be able to explain why the core of the infrastructure — identities — is not backed up separately.
