For years, cybersecurity conversations started with the firewall.

And to be clear, firewalls still matter. They help protect your network, control traffic, and reduce exposure. But the way people work has changed. Employees are no longer sitting behind one office network, using only company‑owned devices, and accessing only internal applications.

Today, your team logs in from home, client sites, cafés, airports, and mobile or personal devices. They rely on cloud services like Microsoft 365, Teams, SharePoint, SaaS platforms, AI tools, and remote access systems to do their jobs.

In that world, the real security perimeter is no longer just your office network.

It is your users and how they access your systems.

Why identity has become the main target

Attackers often don’t need to “break in” anymore. In many cases, they simply log in.

If an attacker can steal a password, trick a user into approving a sign‑in, or compromise an email account, they may gain access without triggering traditional security alarms.

That’s why identity security is now one of the most critical areas of modern IT security.

In Microsoft 365 environments, user accounts often provide access to email, shared mailboxes, SharePoint and OneDrive files, client data, financial information, cloud applications, and third-party platforms. When one account is compromised, the impact can escalate quickly.

We’ve seen situations where a single compromised mailbox led to invoice fraud attempts, internal phishing, password resets across multiple systems, and even lateral movement into administrative access.

Passwords are not enough

Many SMBs still rely too heavily on passwords. The challenge is that passwords are reused, guessed, stolen and phished. Even a strong password becomes useless if it’s entered into a fake login page.

This is where multi‑factor authentication, or MFA becomes essential.

MFA dramatically reduces the risk of a stolen password turning into a successful compromise. But in practice, MFA is often:

• Enabled inconsistently
• Using weaker methods
• Not enforced for all users or admins
• Lacking visibility into risky sign‑ins

MFA is an important first step, but it’s not a complete security strategy.

Access should match the role

Another recurring issue we see during security reviews is over‑permissioned users.

As employees change roles or join projects, access is rarely cleaned up. Over time, permissions accumulate quietly, increasing risk. If one of these accounts is compromised, attackers gain far more access than necessary.

Applying the principle of least privilege means regularly reviewing:

• Administrator and elevated roles
• Shared mailboxes and service accounts
• Guest and external user access
• Sensitive SharePoint libraries and Teams
• Legacy users and unused accounts

Conditional Access is the new security gate

Conditional Access is one of the most impactful identity security tools available to SMBs.

It shifts security from simply asking “who are you?” to asking:

Who are you, how are you logging in, from where, on what device, and under what conditions?

Instead of treating every login the same, Conditional Access allows you to apply rules based on user role, device status, location, sign-in behaviour, risk signals, and application sensitivity.

For example, you can:

• Require stronger authentication from unfamiliar locations
• Block access to sensitive data from unmanaged or personal devices
• Apply stricter controls to administrative accounts
• Limit access to high-risk applications outside business hours

Many organizations already have Conditional Access available, but it is often underused, misconfigured, or copied from generic templates.

When properly designed, it creates a security gate that adapts to users and risk without unnecessarily slowing down the business.

Putting Conditional Access Into Action

Conditional Access is powerful but works best when it is carefully designed around real users, real risks, and real business operations.

In our Conditional Access service projects, we help clients:

• Review current sign-in behaviour, including locations, devices, applications, and risky patterns
• Identify high-value users, applications, and data that need stronger protection
• Design and safely implement policies without disruption
• Tighten third-party application access and user consent settings
• Strengthen email security, including Defender for Office 365, spoofing protections, allow lists, quarantine settings, and SPF, DKIM, and DMARC
• Review external sharing in Teams, SharePoint, OneDrive, and Exchange
• Fine-tune rules over time as work patterns evolve

Identity security is business protection

Identity security isn’t just an IT concern. It directly affects business continuity, operational risk, and client trust.

Weak identity controls can expose organisations to email compromise, ransomware, data leaks, and costly downtime.

The firewall still plays an important role but today how your users access your systems matters just as much.

How Present helps

At Present, we help SMBs strengthen identity security through:

• Microsoft 365 and Entra ID security tuneups
• Conditional Access design and implementation projects
• Role‑based access controls and privilege review
• Ongoing monitoring and optimisation

Not sure where your biggest identity risks are hiding?

An Audit Flash can quickly identify gaps in security before they turn into real incidents.