
Why Identity Breaches Bypass Controls (And Why MSPs See Them First)
Most MSPs are no longer primarily worried about missing patches. They are worried that a fully patched, MFA-enabled, "secure" tenant can still be breached. That is because modern breaches are not about breaking controls; they bypass them. Identity attacks do not defeat security measures head-on. They exploit the trust the system already extends to an authenticated user, and MSPs are usually the first call when that happens.
The Myth: “We Have the Right Controls”
Most SMB environments appear secure on paper:
- MFA is enabled
- Conditional Access is configured
- Defender is running
- Password policies are “strong enough”
However, identity breaches continue to occur.
Why? Because attackers no longer need to defeat the technology. They target the trust that the authentication process produces: the session, the token, and the consented application.
Identity Breaches Don’t Trigger Alarms
Traditional security assumes attackers are noisy.
Identity attackers, however, often remain undetected. Once an attacker gets:
- a session token
- a consented app
- a legacy auth path
- a trusted mailbox rule
They don’t need to:
- brute force passwords
- trigger MFA challenges
- exploit vulnerabilities
They simply log in as a legitimate user would.
From Microsoft’s perspective: “This looks legitimate.” From the business perspective, the question is: “Why is money missing?”
The Real Reasons Identity Attacks Bypass Controls
1. Token Theft Ignores MFA Completely
MFA protects the act of authenticating, not the session that results from it. If an attacker steals a valid token (for example through an adversary-in-the-middle phishing page that proxies the real login):
- MFA is already satisfied
- Conditional Access was evaluated when the token was issued; a replayed access token is not re-evaluated, and a token refresh from the attacker's machine passes unless a policy requires a compliant device or token protection
- No new interactive sign-in is recorded; a replayed refresh token shows up only in the non-interactive sign-in log
The attacker isn’t initiating a new login; they are resuming an existing, trusted session. This is why phishing kits increasingly target tokens rather than passwords. (Exclusive: Inside the six-year phishing attack targeting Microsoft tool, 2025)
2. Conditional Access Is Often Built for Compliance, Not Threats
Many MSP-built CA policies focus on:
- “Require MFA”
- “Block legacy auth”
- “Trusted locations”
However, attackers adapt more quickly than policies can be updated. Common gaps MSPs see:
- No device compliance enforcement
- No sign-in risk conditions
- No token protection
- Exceptions added “temporarily” and never removed
While controls are in place, attack paths often remain accessible.
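To turn the gap list above into something checkable, here is an added example (not the author's code) that audits policies exported in the Microsoft Graph conditionalAccessPolicy shape for exactly these gaps: report-only policies, no device requirement, no sign-in risk condition, no legacy-auth block, no sign-in frequency, and lingering exclusions. Both policy sets below are constructed; token protection is not modelled in the sample and is therefore not checked.

```python
"""Audit Conditional Access policies for the gaps MSPs commonly find.

Policies are expected in the Microsoft Graph conditionalAccessPolicy shape
(displayName, state, conditions, grantControls, sessionControls). Token
protection is not modelled in this constructed sample and is not checked.
"""

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}


def _built_in(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def _cond(p):
    return p.get("conditions") or {}


def _blocks_legacy(p):
    clients = set(_cond(p).get("clientAppTypes") or [])
    return bool(clients & LEGACY_CLIENTS) and "block" in _built_in(p)


def _sets_sign_in_frequency(p):
    sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
    return bool(sif.get("isEnabled"))


def audit_ca_policies(policies):
    """Return human-readable findings; an empty list means no gap detected."""
    findings = []
    enforced = [p for p in policies if p.get("state") == "enabled"]
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"report-only, not enforced: {p['displayName']}")
    if not any(_built_in(p) & DEVICE_CONTROLS for p in enforced):
        findings.append("no enforced policy requires a compliant or Entra-joined device")
    if not any(_cond(p).get("signInRiskLevels") for p in enforced):
        findings.append("no enforced policy uses sign-in risk as a condition")
    if not any(_blocks_legacy(p) for p in enforced):
        findings.append("no enforced policy blocks legacy authentication clients")
    if not any(_sets_sign_in_frequency(p) for p in enforced):
        findings.append("no enforced policy sets a sign-in frequency (session lifetime)")
    for p in enforced:
        users = _cond(p).get("users") or {}
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:
            findings.append(f"exclusions on '{p['displayName']}': {', '.join(excluded)}")
    return findings


def _policy(name, state, controls, clients=("browser", "mobileAppsAndDesktopClients"),
            risk=(), exclude_users=(), exclude_groups=(), sign_in_frequency_hours=None):
    """Build a constructed policy in the Graph shape (helper for the samples)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users),
                      "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(clients),
            "signInRiskLevels": list(risk),
        },
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
        "sessionControls": ({"signInFrequency": {"value": sign_in_frequency_hours,
                                                  "type": "hours", "isEnabled": True}}
                            if sign_in_frequency_hours else None),
    }


# Constructed "compliance-style" set: MFA everywhere, the legacy-auth block left
# in report-only, a "temporary" exclusion group nobody removed, device pilot disabled.
COMPLIANCE_STYLE = [
    _policy("Require MFA for all users", "enabled", ["mfa"],
            exclude_users=["emergency-access-account"], exclude_groups=["CA-Exclusion-Temp"]),
    _policy("Block legacy authentication", "enabledForReportingButNotEnforced", ["block"],
            clients=("exchangeActiveSync", "other")),
    _policy("Require compliant device (pilot)", "disabled", ["compliantDevice"]),
]

# Constructed threat-oriented set: the same intent, actually enforced. Only the
# break-glass exclusion remains, and that one should be reviewed, not removed.
THREAT_ORIENTED = [
    _policy("Require MFA and compliant device", "enabled", ["mfa", "compliantDevice"],
            exclude_users=["emergency-access-account"], sign_in_frequency_hours=12),
    _policy("Block legacy authentication", "enabled", ["block"],
            clients=("exchangeActiveSync", "other")),
    _policy("Require MFA on medium/high sign-in risk", "enabled", ["mfa"],
            risk=("medium", "high")),
]

if __name__ == "__main__":
    for label, policies in (("compliance-style", COMPLIANCE_STYLE),
                            ("threat-oriented", THREAT_ORIENTED)):
        print(label)
        for line in audit_ca_policies(policies) or ["no gaps found"]:
            print("  -", line)
```

The exclusion finding is deliberately emitted for the break-glass account too: the point of the check is that every exclusion gets looked at on a schedule, not that exclusions are forbidden.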
3. Consent Abuse Remains Significantly Underestimated (Li et al., 2025)
One malicious OAuth app with a few delegated permissions (for example Mail.Read, Files.Read.All and offline_access) can:
- Read mail
- Access files
- Maintain persistence without passwords
No MFA prompt.
No password change impact.
No user awareness. The attacker doesn’t need credentials; they just need approval. Users continue to click “Accept.”
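A consent review can be scripted from two Graph collections, servicePrincipals and oauth2PermissionGrants. The Python below is an added example, not part of the original post; the service principals, grants and ids are constructed, the list of risky scopes is my own assumption, and the Microsoft Services tenant id used to skip first-party apps is the well-known value. It rates each grant by publisher verification, consent type and the reach of the delegated scopes.

```python
"""Review OAuth consent grants for the abuse pattern described above.

Input shapes follow Microsoft Graph: servicePrincipal (id, appDisplayName,
appOwnerOrganizationId, verifiedPublisher) and oauth2PermissionGrant
(clientId, consentType, principalId, scope). All data below is constructed.
"""

# Well-known tenant id that owns Microsoft's own first-party applications.
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

# Delegated scopes that give mailbox/file reach or durable access (assumed list;
# tune it to the tenant).
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}

SERVICE_PRINCIPALS = [
    {"id": "sp-teams", "appDisplayName": "Microsoft Teams",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
     "verifiedPublisher": {"displayName": "Microsoft", "verifiedPublisherId": "mpn-microsoft"}},
    {"id": "sp-timesheet", "appDisplayName": "Timesheet Sync Helper",
     "appOwnerOrganizationId": "11111111-2222-3333-4444-555555555555",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-pdf", "appDisplayName": "Acme PDF Tools",
     "appOwnerOrganizationId": "66666666-7777-8888-9999-000000000000",
     "verifiedPublisher": {"displayName": "Acme Software Ltd", "verifiedPublisherId": "mpn-12345"}},
]

GRANTS = [
    {"clientId": "sp-teams", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Chat.Read"},
    # A user clicked "Accept" on a phishing-delivered app: mail plus persistence.
    {"clientId": "sp-timesheet", "consentType": "Principal", "principalId": "user-ap-clerk",
     "scope": "User.Read Mail.Read offline_access"},
    # Admin-consented for everyone; verified publisher, but broad file access.
    {"clientId": "sp-pdf", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.ReadWrite.All offline_access"},
]


def _is_verified(sp):
    return bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))


def review_consent_grants(service_principals, grants):
    """Return one finding per grant that holds risky scopes on a non-Microsoft app."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = by_id[g["clientId"]]
        if sp.get("appOwnerOrganizationId") == MICROSOFT_SERVICES_TENANT:
            continue  # Microsoft first-party apps are governed separately
        risky = sorted(RISKY_SCOPES & set(g["scope"].split()))
        if not risky:
            continue
        if not _is_verified(sp):
            severity = "high"    # unverified publisher holding mailbox/file access
        elif g["consentType"] == "AllPrincipals":
            severity = "medium"  # verified, but tenant-wide and broad
        else:
            severity = "low"
        consented_by = g["principalId"] if g["consentType"] == "Principal" else "admin (all users)"
        findings.append({"severity": severity, "app": sp["appDisplayName"],
                         "consented_by": consented_by, "scopes": risky})
    return findings


if __name__ == "__main__":
    for f in review_consent_grants(SERVICE_PRINCIPALS, GRANTS):
        print(f"[{f['severity']}] {f['app']} consented by {f['consented_by']}: {', '.join(f['scopes'])}")
```

Remediation for a high finding is to delete the oauth2PermissionGrant and revoke the user's sign-in sessions; a password reset alone does not invalidate the refresh token the app already holds, which is exactly the "no password change impact" point above. The preventive control is to turn off unrestricted user consent and route requests through an admin consent workflow.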
4. Identity Attacks Often Resemble Normal Business Activity
This aspect is particularly dangerous. Identity breaches:
- Use normal IPs
- Access normal apps
- Send emails users expect
- Move slowly
No ransomware pop-up.
No system outage.
No screaming alerts.
Just:
- Changed payment instructions
- Silent data access
- Weeks of unnoticed activity (Shah et al., 2020)
By the time the finance team contacts the MSP, the damage has already occurred.
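The "trusted mailbox rule" from the earlier list is how a quiet compromise turns into changed payment instructions: the attacker hides the victim's own invoice thread and quietly forwards mail out. As an added example (not from the article), the Python below reviews rules in the Microsoft Graph messageRule shape for external forwarding, finance-keyword hiding, mark-as-read on hidden mail, and blank or punctuation-only names. The rules, folder lookup, domains and addresses are all constructed.

```python
"""Flag inbox rules that hide a business email compromise in plain sight.

Rules are in the Microsoft Graph messageRule shape (displayName, isEnabled,
conditions, actions). Folder ids are resolved through a constructed lookup; in
a real tenant they come from the user's mailFolders. All data is constructed.
"""

INTERNAL_DOMAINS = {"contoso.example"}
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "account"}
# Folders attackers favour because nobody looks in them.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Archive", "Junk Email", "Deleted Items"}

FOLDER_NAMES = {"fid-rss": "RSS Subscriptions", "fid-news": "Newsletters"}

SAMPLE_RULES = [
    # Classic BEC rule: hide every message that mentions money, mark it read.
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "wire"]},
     "actions": {"moveToFolder": "fid-rss", "markAsRead": True, "stopProcessingRules": True}},
    # Silent forward of the CFO's mail to an external mailbox.
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "cfo.backup@mail.example.net"}}]}},
    # Legitimate housekeeping.
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
     "actions": {"moveToFolder": "fid-news"}},
]


def _addresses(recipients):
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def _external(address):
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def _keywords(conditions):
    words = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        words.update(w.lower() for w in conditions.get(key) or [])
    return words


def review_inbox_rules(rules, folder_names):
    """Return enabled rules with one or more suspicious traits and the reasons."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        cond = rule.get("conditions") or {}
        act = rule.get("actions") or {}
        reasons = []
        targets = (_addresses(act.get("forwardTo")) + _addresses(act.get("redirectTo"))
                   + _addresses(act.get("forwardAsAttachmentTo")))
        external = [a for a in targets if _external(a)]
        if external:
            reasons.append(f"forwards/redirects to external address(es): {', '.join(external)}")
        hides = bool(act.get("delete") or act.get("permanentDelete")
                     or folder_names.get(act.get("moveToFolder"), "") in HIDING_FOLDERS)
        money = _keywords(cond) & FINANCE_KEYWORDS
        if hides and money:
            reasons.append(f"hides messages matching finance keywords: {', '.join(sorted(money))}")
        elif hides and not cond:
            reasons.append("hides every message (no condition)")
        if hides and act.get("markAsRead"):
            reasons.append("marks hidden messages as read")
        if not rule["displayName"].strip(" .,-_"):
            reasons.append("empty or punctuation-only rule name")
        if reasons:
            findings.append({"rule": rule["displayName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_inbox_rules(SAMPLE_RULES, FOLDER_NAMES):
        print(f"rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

Run it against every mailbox, not just the one that reported a problem: the same attacker typically plants rules in several accounts, and a rule created by a non-interactive session is itself worth correlating with the token-replay check earlier in this article.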
Why MSPs Experience These Challenges More Than Others
MSPs live at the intersection of:
- User behavior
- Business risk
- Platform limitations
When identity breaches happen:
- Clients blame “Microsoft.”
- Microsoft logs show “successful sign-in”
- MSPs must explain how security measures that looked effective still failed
This is why identity security is now an MSP differentiator, not an add-on. (Why Identity Management is Foundational to Zero-Trust for SMBs, 2026)
What MSPs Should Actually Focus On
Not more tools.
Not more checkboxes.
Instead, the focus should be on improved identity visibility and enforcement:
- Token protection and sign-in risk policies
- OAuth app governance and consent reviews
- Device-based Conditional Access
- Shorter session lifetimes for high-risk roles
- User education focused on modern phishing, not just links
Identity security is no longer solely about preventing initial access.
It is about ensuring attackers cannot remain undetected within the environment.
Final Thought
If your security strategy assumes “An attacker has to break something to get in,” your security posture is already at a disadvantage.
Modern identity breaches don’t break controls.
They use them exactly as designed.
MSPs who recognize this will be the ones clients trust when, not if, identity is compromised.
Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.
References
Axios (2025, February 3). Exclusive: Inside the six-year phishing attack targeting Microsoft tool. https://www.axios.com/2025/02/04/abnormal-security-microsoft-phishing-schools-government
Li, Y., Qiu, W., Shezan, F. H., Cai, K., Dam, M. v., Austin, L., Lie, D. & Tian, Y. (2025). Breaking the illusion: Automated Reasoning of GDPR Consent Violations. arXiv preprint arXiv:2512.22789. https://doi.org/10.48550/arXiv.2512.22789
Shah, N., Ho, G., Schweighauser, M., Afifi, M. H., Cidon, A. & Wagner, D. (2020). A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts. arXiv preprint arXiv:2007.14030. https://doi.org/10.48550/arXiv.2007.14030
MSSP Alert (2026, January 13). Why Identity Management is Foundational to Zero-Trust for SMBs. https://www.msspalert.com/perspective/why-identity-management-is-foundational-to-zero-trust-for-smbs