Identity Protection Alerts Do Not Automatically Prevent Attacks: Implications for Your Business
NOTE: This advisory is based on our evidence from the f11.ca lab experiment (EID-EXP-004), in which we reproduced the issue.
For engineers asking how this works technically: Technical Deep Understanding (ITBlogs)
Many Microsoft 365 tenants have robust security tools in place:
- MFA is turned on
- Microsoft Entra Identity Protection is licensed.
- Alerts are being generated.
As a result, many business owners assume:
“We’re protected.”
However, the reality is different:
Alerts alone do not provide protection.
Microsoft Entra Identity Protection is excellent at detecting suspicious sign-ins, such as:
- Sign-ins from another country
- Anonymous VPN / proxy traffic
- Suspicious login patterns (What is Microsoft Entra ID Protection?, 2025)
In many environments, these alerts do not automatically block access. (Remediate risks and unblock users - Microsoft Entra ID Protection | Microsoft Learn, 2025) This can leave the tenant in a vulnerable position:
- Risk detected
- Alert logged
- User still gets access
- The attacker may still get access
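One way to check whether this gap exists in a tenant is to look for sign-ins that Identity Protection scored as risky but that still succeeded, and how many of them had no Conditional Access policy applied at all. The script below is an added example for this advisory, not code from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgAuditLogSignIn), and the seven-day window is an assumption you can change.

```powershell
# Added example: find successful sign-ins that Identity Protection flagged as
# risky (risk detected, alert logged, access still granted).
# Assumes the Microsoft.Graph PowerShell SDK is installed and the account
# running it can consent to AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Look-back window (assumption: 7 days). Graph filters on createdDateTime
# server-side; the risk and status checks are done client-side below.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only sign-ins that (a) carried a risk level and (b) succeeded.
# Status.ErrorCode 0 means the sign-in was granted.
$riskyButAllowed = $signIns |
    Where-Object { $_.RiskLevelDuringSignIn -in @('low', 'medium', 'high') -and
                   $_.Status.ErrorCode -eq 0 } |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName,
                  RiskLevelDuringSignIn, RiskState, ConditionalAccessStatus

# Of those, how many had no Conditional Access policy applied at all?
# ConditionalAccessStatus is 'success', 'failure' or 'notApplied'.
$noPolicy = $riskyButAllowed | Where-Object { $_.ConditionalAccessStatus -eq 'notApplied' }

$riskyButAllowed | Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize
"Risky successful sign-ins since ${since}: $(@($riskyButAllowed).Count)"
"  ... with no Conditional Access policy applied: $(@($noPolicy).Count)"
```

A non-zero second count is the situation the advisory describes: the risk engine fired, nothing enforced. Running the same report after deploying risk-based Conditional Access policies (in report-only mode first) shows whether the policies would have caught those sign-ins.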
A common misconception: “MFA passed, so it’s fine.”
This misconception often leads to security breaches. (Exclusive: Inside the six-year phishing attack targeting Microsoft tool, 2025) For example, a suspicious sign-in may occur, MFA is approved, and access is granted.
Administrators often assume:
“The user passed MFA, so we’re safe.”
However, attackers may use techniques such as:
- stolen passwords
- MFA fatigue (push spam)
- social engineering (Security guidance - Protect identities and secrets - Microsoft Entra | Microsoft Learn, 2024)
Therefore, a successful MFA does not always indicate a legitimate login. (Unit, 2025)
Business Impact
If this gap remains, the business faces significant risks: (Gaps in cyber protection leave businesses vulnerable to AI-enhanced threats, Kaspersky study finds, 2024)
1) Higher chance of account compromise
The system may detect suspicious activity but does not prevent it.
2) Higher breach costs
If an attacker gains access, potential consequences include:
- email compromise
- invoice fraud
- data theft
- business disruption (New Ponemon Research Reports Business Email Compromise Attacks Result in Highest Costs, 2021)
3) Insurance and compliance issues
Many cyber insurance and compliance frameworks require:
- enforcement controls
- automated remediation
- not just alerts (Automated Cybersecurity Compliance and Risk Management, 2026)
Recommended Solution
To ensure effective protection, tenants should enforce remediation through Conditional Access. For example:
- If an account is high-risk → force a password reset.
- If a sign-in is risky → require additional verification.
This approach transforms alerts into actionable responses.
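The two policies above can be created with the Microsoft Graph PowerShell SDK. The script below is an added example written for this advisory, not code from the original page or from Microsoft: it creates a user-risk policy (high risk forces a password change) and a sign-in-risk policy (medium or high risk requires MFA), both in report-only mode so their effect can be reviewed before enforcement. The policy display names and the emergency-access ("break-glass") group name are assumptions; the group must already exist in your tenant.

```powershell
# Added example: enforce Identity Protection risk through Conditional Access.
# Assumes the Microsoft.Graph PowerShell SDK, an Entra ID P2 licence for
# risk-based policies, and an existing break-glass group (name is assumed).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All" -NoWelcome

# Always exclude the emergency-access accounts so a misfiring policy
# cannot lock every administrator out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass-Exclude'"   # assumed group name
if (-not $breakGlass) { throw "Break-glass exclusion group not found; create it before deploying risk policies." }

# Policy 1: high user risk -> require MFA AND a password change.
# A password change must be combined with MFA, hence operator = AND.
$userRiskPolicy = @{
    displayName   = "Risk: high user risk requires password change"   # assumed name
    state         = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after review
    conditions    = @{
        userRiskLevels = @("high")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

# Policy 2: medium or high sign-in risk -> require additional verification (MFA).
$signInRiskPolicy = @{
    displayName   = "Risk: medium or high sign-in risk requires MFA"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        signInRiskLevels = @("medium", "high")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = foreach ($policy in @($userRiskPolicy, $signInRiskPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
$created | Select-Object DisplayName, State, Id | Format-Table -AutoSize
```

Leave the policies in report-only mode for a period, compare the report-only results in the sign-in logs against the risky-but-allowed sign-ins you already have, then change `state` to `enabled`. The break-glass exclusion is not optional: a user-risk policy that forces a password change on every account, including the emergency ones, is how tenants lock themselves out.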
Key Takeaway
If your security tools only generate alerts, attackers may still gain access.
Detection is valuable, but enforcement is essential to prevent compromise.
Need help validating this in your tenant?
This risk exists in most Microsoft 365 tenants.
References
Microsoft Learn. (2025). What is Microsoft Entra ID Protection? https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
Microsoft Learn. (2025). Remediate risks and unblock users - Microsoft Entra ID Protection. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-remediate-unblock
Axios. (February 3, 2025). Exclusive: Inside the six-year phishing attack targeting Microsoft tool. https://www.axios.com/2025/02/04/abnormal-security-microsoft-phishing-schools-government
Microsoft Learn. (2024). Security guidance - Protect identities and secrets - Microsoft Entra. https://learn.microsoft.com/en-us/entra/fundamentals/zero-trust-protect-identities
Unit, G. R. (May 6, 2025). Guardz Uncovers Sophisticated Campaign Exploiting Legacy Authentication in Microsoft Entra ID. PR Newswire. https://www.prnewswire.com/news-releases/guardz-uncovers-sophisticated-campaign-exploiting-legacy-authentication-in-microsoft-entra-id-302448704.html
Kaspersky. (December 4, 2024). Gaps in cyber protection leave businesses vulnerable to AI-enhanced threats, Kaspersky study finds. https://www.kaspersky.com/about/press-releases/gaps-in-cyber-protection-leave-businesses-vulnerable-to-ai-enhanced-threats-kaspersky-study-finds
M3AAWG. (November 30, 2021). New Ponemon Research Reports Business Email Compromise Attacks Result in Highest Costs. https://www.m3aawg.org/blog/new-ponemon-research-reports-business-email-compromise-attacks-result-in-highest-costs
CyberMSI. (2026). Automated Cybersecurity Compliance and Risk Management. https://cybermsi.com/services/sca-solution/