Identity & access

Identity controls govern most Microsoft 365 access decisions. Start here when Conditional Access, admin roles or MFA exceptions are owned by memory rather than documentation.

Identity and access security notes

Microsoft Entra ID, Conditional Access, MFA, passkeys, privileged access and break-glass design - the controls that decide whether real attacks land.

Identity is where most Microsoft 365 security control actually lives. These notes cover Conditional Access rollout, MFA scope, passkeys, admin sprawl, OAuth consent, password spray defence and the boring break-glass design that saves you when policy goes wrong.

When to start here

Use this identity & access cluster when the issue is bigger than one setting and you need to understand the control family before changing it.

What to collect

Bring a named admin role list, the current Conditional Access policies, any recent audit log concerns and the last time access exceptions were reviewed. Guest users and OAuth app consents are worth listing separately.

Next decision

If the notes describe your current identity state, move to a scoped identity review. The practical trigger is a Conditional Access policy that nobody confidently owns or access exceptions that have never been formally reviewed.

Control questions

These questions turn the identity & access notes into a useful review brief before anyone touches policy.

  • Are Conditional Access policies documented, tested and owned by someone current?
  • Do privileged roles, guests, OAuth apps and break-glass accounts have a review habit?
  • Can the team explain why each MFA exception still exists?


© 2026 Magrathean UK Ltd. All rights reserved.