Discover the most common identity security mistakes and how to detect them before attackers do.
Identity misconfigurations are the silent threat inside most enterprise environments. Unlike software vulnerabilities, they don't trigger patch advisories or CVE notifications — they accumulate quietly through administrative drift, legacy migration shortcuts, and incomplete deprovisioning. Here are the ten we encounter most frequently in customer environments.
1. Accounts belonging to departed employees or contractors that retain administrative rights long after the individual's last day. These are particularly dangerous because they often have broad permissions and weak or unknown credentials.

2. Service accounts, API keys, and managed identities with credentials that have never been rotated. Attackers who compromise a build server or CI/CD pipeline inherit these credentials with no expiry horizon.

3. A user added to Group A gains access to Resource B — not because of any direct assignment, but because Group A is a member of Group C, which holds the Resource B permission through a three-level nesting chain. These indirect paths are invisible to flat access reviews.

4. Accounts that have been delegated the ability to reset passwords, modify group memberships, or manage role assignments — but are not listed in the formal "Administrators" group. This is common in environments where IT helpdesk staff receive delegated permissions outside the standard role model.

5. Temporary MFA bypass rules created to accommodate a system integration or a travelling executive that were never revoked. These create persistent authentication weak points that are trivially exploited.

6. Guest accounts in Entra ID or federated identities from partner organisations that have accumulated internal resource access over time. Without lifecycle governance, external identities persist and accumulate permissions indefinitely.

7. Administrative accounts or service accounts that show no authentication activity for 90+ days but remain enabled. Dormant does not mean safe — an attacker who discovers the credential has an undisturbed attack vector.

8. Overlapping Conditional Access rules where a permissive named-location policy negates a stricter MFA requirement policy. Policy logic errors are difficult to audit manually at scale.

9. Emergency access accounts with global admin rights that have no authentication alerting configured. These accounts are necessary — but every use should be a high-priority alert, not an invisible event.

10. Users who move between teams or roles and accumulate permissions from each previous position without the prior access being revoked. Over time, a junior analyst can end up with the aggregate access of three different roles.
Detecting these misconfigurations requires continuous comparison against a policy baseline — not a manual review checklist run once per quarter.
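As an added illustration (not code from the original post or from any product it mentions), the script below walks a constructed directory snapshot to resolve access granted through nested group chains and to flag accounts that hold admin-equivalent rights without being in "Administrators". The group names, role names and users are made up for the example; a real baseline comparison would feed it a directory export instead.

```python
from collections import deque

# Constructed sample snapshot (not real tenant data): group -> direct members,
# where a member may be a user or another group (nesting).
GROUP_MEMBERS = {
    "Group A": ["alice", "bob"],
    "Group B": ["Group A", "carol"],
    "Group C": ["Group B"],
    "Helpdesk": ["dave"],
    "Administrators": ["eve"],
}
# Constructed sample: principal -> roles assigned directly to it.
ROLE_ASSIGNMENTS = {
    "Group C": ["Resource B: Owner"],
    "Helpdesk": ["Password Reset"],       # delegated outside the admin role model
    "Administrators": ["Global Administrator"],
}
# Rights that make an account admin-equivalent even if it is not an "Administrator".
ADMIN_EQUIVALENT = {"Global Administrator", "Password Reset",
                    "Group Membership Write", "Role Assignment Write"}


def resolve(user):
    """Breadth-first walk up the membership graph from one user.

    Returns (groups, roles): groups maps each group the user is transitively a
    member of to the chain that reaches it; roles maps each effective role to
    the shortest chain granting it. The visited set guards against cyclic nesting.
    """
    groups, roles = {}, {}
    for role in ROLE_ASSIGNMENTS.get(user, []):
        roles[role] = [user]
    queue, seen = deque([(user, [user])]), {user}
    while queue:
        principal, path = queue.popleft()
        for group, members in GROUP_MEMBERS.items():
            if principal in members and group not in seen:
                seen.add(group)
                chain = path + [group]
                groups[group] = chain
                for role in ROLE_ASSIGNMENTS.get(group, []):
                    roles.setdefault(role, chain)
                queue.append((group, chain))
    return groups, roles


def shadow_admins(users):
    """Users holding admin-equivalent rights who are not in 'Administrators'."""
    findings = {}
    for user in users:
        groups, roles = resolve(user)
        held = {r: p for r, p in roles.items() if r in ADMIN_EQUIVALENT}
        if held and "Administrators" not in groups:
            findings[user] = held
    return findings
```

Running `resolve("alice")` reports the Resource B permission with the full chain Group A -> Group B -> Group C, the path a flat review of Group A's direct permissions never shows.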