Identity Security Overhaul: Enforce Phishing-Resistant MFA, Deploy SSO, and Clean Up Your IAM This Week

Why Identity Is Your Weakest Link

Credential-based attacks remain the leading initial access vector for Australian SMBs. The ACSC's annual threat report consistently identifies phishing and stolen credentials as top entry points. The problem isn't that businesses lack tools — it's that identity hygiene is treated as a one-time setup rather than an ongoing discipline. This post covers what you can actually ship this week, not a five-year roadmap.

1. Enforce Phishing-Resistant MFA Immediately

SMS-based MFA is not phishing-resistant. Attackers intercept codes via SIM swapping and real-time phishing proxies. NIST SP 800-63-3 explicitly deprecates SMS and voice OTPs for high-assurance authentication. The ASD Essential Eight MFA control (specifically MFA for all remote access and privileged accounts) requires authentication that resists phishing — meaning hardware keys or device-bound passkeys.

What to do this week:

• Microsoft Entra ID: Enable Conditional Access policies requiring phishing-resistant MFA for all users. Navigate to Entra admin centre → Security → Conditional Access → Create policy targeting "All users," set authentication strength to "Phishing-resistant MFA." This enforces FIDO2 security keys, Windows Hello, or Temporary Access Pass. Cost: Entra ID P1 at $1.50/user/month added to Microsoft 365 Business Premium ($8.50/user/month), totalling ~$10/user/month with full identity governance included.
• YubiKey 5 Series: Distribute YubiKey 5C NFC ($55 AUD each via Yubico AU). Register in Entra ID as a FIDO2 security key. Users tap to authenticate — no codes, no intercepts. For a 20-person team: $1,100 one-time + $200/month for Entra ID P1 add-on.
• Self-hosted alternative: Authentik (open-source IdP) supports WebAuthn/FIDO2 natively. Deploy via Docker on a $10/month VPS. No per-user licensing. Pair with YubiKeys for a fully self-hosted, zero-vendor-lock MFA stack.

Run a baseline audit first. Export your Entra ID sign-in logs (last 30 days) and identify every account using SMS or authenticator app MFA. These are your conversion targets.

2. Deploy Single Sign-On to Eliminate Password Sprawl

Every additional separate login is another credential that can be phished, reused, or forgotten. SSO consolidates authentication to one identity provider, reducing the credential surface area and giving you centralised visibility over who accesses what.

SSO options by stack:

Provider	Best For	Cost (AUD/user/month)	Phishing-Resistant MFA
Microsoft Entra ID	Microsoft 365 shops	$1.50–$10 (tier dependent)	Yes (FIDO2, Windows Hello)
Okta	Multi-app, non-Microsoft	$7–$14	Yes (FIDO2 via Okta Verify)
Google Workspace SSO	Google-native orgs	Included in Workspace ($8–$14)	Yes (Passkeys, Titan keys)
Authentik	Self-hosted, budget	Free (hosting only)	Yes (WebAuthn)

This week's action:

1. Inventory every SaaS app your team uses (ask each department for a list — you'll be surprised).
2. Prioritise apps that support SAML/OIDC federation.
3. Configure Entra ID or Okta as your IdP and federate the top 5 apps first (Google Workspace, Slack, GitHub, Salesforce, Atlassian are common).
4. Disable direct login to federated apps — force authentication through your IdP where MFA is enforced.

Google Workspace admins: enable SSO via Admin Console → Security → Set up single sign-on. Entra ID: Enterprise Applications → New application → select from gallery. Both support OIDC for modern apps and SAML for legacy.

3. IAM Cleanup: Kill Dormant Accounts and Enforce Least Privilege

Stale accounts are active attack paths. An employee who left six months ago still has Salesforce access? That's a breach waiting to happen. CIS Controls v8 Control 5 (Account Management) requires reviewing all accounts at least quarterly and removing inactive ones within 45 days.

Dormant account audit (do this today):

# Entra ID: Export users who haven't signed in for 30+ days
Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All"
Get-MgUser -All | ForEach-Object {
    $last = (Get-MgUser -UserId $_.Id -Property SignInActivity).SignInActivity.LastSignInDateTime
    if (-not $last -or $last -lt (Get-Date).AddDays(-30)) {
        [PSCustomObject]@{ User=$_.UserPrincipalName; LastSignIn=$last; Created=$_.CreatedDateTime }
    }
} | Export-Csv dormant_accounts.csv -NoTypeInformation

Review the CSV. Disable accounts for departed staff. For contractors, set expiry dates on guest accounts. Entra ID P1 includes access reviews — schedule quarterly automated reviews for privileged roles (Global Admin, Privileged Role Admin). Remove anyone who doesn't need it.

Enforce least privilege:

• Convert permanent Global Admins to eligible-only via Entra Privileged Identity Management (PIM). Admins get the role only when they activate it, with justification and time limits.
• Google Workspace: use Admin Roles to scope permissions. Don't make everyone a Super Admin.
• Okta: use Groups + Application assignments. Never assign apps to individual users.

4. Password Policy: Stop Forcing Rotations, Start Enforcing Length

NIST SP 800-63B (part of the 800-63-3 suite) reversed the old guidance on password rotation. Periodic forced changes produce weaker passwords, not stronger ones. The current recommendation: require a minimum of 12–15 characters, block the top 1,000 breached passwords (HaveIBeenPwned API), and only force a reset on confirmed breach.

Password manager deployment (this week):

• 1Password Business: $7.99 USD/user/month (~$12 AUD). Includes admin console, usage reporting, and SSO integration with Entra ID/Okta.
• Bitwarden Business: $3/user/month (~$4.50 AUD). Open-source, self-hostable, SAML SSO support. Best budget option.

Deploy via SSO enrolment — don't let users set a separate master password if you can avoid it. Configure the password manager to auto-fill SSO-protected apps, eliminating the password as an attack vector entirely.

5. Zero Trust Identity Verification: Verify Every Request

Zero trust identity means no implicit trust based on network location. Every access request is authenticated, authorised, and continuously evaluated. You don't need a full zero trust architecture to start — identity-level zero trust is the foundation.

Quick wins:

• Conditional Access policies that evaluate device compliance, user risk, and sign-in risk before granting access. Entra ID P1 includes these signals natively.
• Session risk policies: If a user signs in from an unusual location, require step-up authentication or block outright.
• Device compliance: Require Intune-enrolled devices for corporate app access. Non-compliant devices get blocked or funneled through a restricted browser.

For self-hosted environments, Authentik's policy engine evaluates user, device, and geolocation signals before authentication. Open-source, no per-user cost, but requires more setup time.

FAQ

Conclusion

Identity security is not a project — it's a posture. This week, do three things: enable phishing-resistant MFA in your IdP, federate your top 5 apps via SSO, and export your dormant account list for immediate review. Total cost for a 20-person team: ~$200/month recurring plus $1,100 one-time for YubiKeys. That's less than the cost of a single phishing incident — and the ACSC reports the average SMB breach costs $40,000+ in lost productivity and remediation alone.

Start with the dormant account audit today. It takes 20 minutes and will likely surface at least one account that should have been disabled months ago.

Ready to secure your identity perimeter? Visit consult.lil.business for a free cybersecurity assessment. We'll review your current MFA posture, SSO coverage, and IAM hygiene — and give you a prioritised action plan.

References

1. NIST SP 800-63-3: Digital Identity Guidelines
2. ACSC Essential Eight Maturity Model — MFA Control
3. CIS Controls v8 — Control 5: Account Management
4. Microsoft Entra ID Documentation — Conditional Access & Phishing-Resistant MFA