Identity Security at Scale
Conditional Access Across 12,000+ Accounts
The Company
A pan-European retail organisation operating across more than twenty countries, with over 12,000 corporate account holders spanning head office, regional operations, store management, and a significant third-party contractor workforce. Tens of thousands of additional retail staff accessed limited corporate resources. The technology landscape was complex: hybrid identity infrastructure, extensive use of personal devices, multiple languages, and an outsourced identity and access management (IDAM) function.
The Trigger
A sequence of adversary-in-the-middle (AiTM) phishing attacks resulted in multiple account compromises. In an AiTM attack the phishing site is a reverse proxy in front of the genuine sign-in page: the user enters their password and answers a push or one-time-code MFA challenge exactly as they would on a legitimate day, while the proxy captures the session cookie that is issued at the end and replays it. Because the attacker holds a session that has already satisfied MFA, push and code-based MFA on their own do little to stop it. The compromises exposed a fundamental gap: the organisation believed MFA was broadly enforced, but the reality was far more fragmented.
What We Found
Tarbh Tech was engaged through a channel partner with an established relationship within the organisation. The brief was clear: stop the account compromises. The first step was to understand what was actually in place.
The Conditional Access environment told its own story. Over 70 policies had accumulated across at least three previous projects, each bearing the hallmarks of different authors, different eras, and different priorities. The naming conventions alone made it clear these were not the product of a unified strategy. A policy designed to ensure finance users in Germany had MFA did exactly that — but left every other user accessing the same applications completely unprotected, missing the point of the control entirely.
MFA enforcement was maintained through a tangled web of security group memberships: inclusion in one group, exclusion from another, some managed on-premises, others in the cloud. A significant cohort of users had never been addressed at all, on the basis that “they never access anything offsite” or similarly flawed reasoning. A phished user is compromised wherever they happen to be sitting, so location-based exemptions of this kind do nothing against AiTM.
The BYOD picture was equally concerning. The vast majority of corporate users were on Hybrid Joined Windows desktops, but senior executives were frequently on unmanaged Apple devices and had been quietly excluded from policy. Third-party contractors faced little to no enforcement. A formal BYOD approval process existed on paper, but because Conditional Access gaps meant many users were never actually blocked, thousands had never gone through it — and had no idea it was meant to apply to them.
Risk-based Conditional Access policies (the sign-in risk and user risk signals from Entra ID Protection) had never been used or even reviewed, despite all users, corporate and retail alike, having been licensed for them for years. Risk assessment data went back a decade, untouched. This is a finding Tarbh Tech encounters regularly: organisations duplicating capabilities they already hold licences for, simply because no one has mapped what is available to what is deployed.
What We Did
A new framework, built on evidence
Rather than attempt to rationalise 70+ legacy policies, we designed a new Conditional Access framework from the ground up: approximately 20 core policies, each following a “one policy addresses one condition” principle. Under this principle a policy such as “require MFA for all users on all cloud apps” has exactly one job, and any exception to it (typically only the documented emergency-access accounts) is visible in that one place rather than scattered across group memberships. This replaced the patchwork of narrowly targeted, overlapping, and contradictory rules.
Testing presented its own challenges. Due to the outsourced IDAM function and the organisation’s change control requirements, provisioning test accounts in the production tenant would have taken months. We stood up an independent test tenant to validate the framework — a pragmatic decision, though not without its own friction. Simple things became obstacles: who pays for test licences? How do you test geo-based access policies without a VPN service that someone needs to procure and expense?
In parallel with testing, we deployed Microsoft Sentinel for logging and used KQL queries extensively against the sign-in logs to establish which users were still signing in with a single factor, from which device types and countries, to which applications, and which policies actually fired on those sign-ins and with what result. This evidence base was essential: it turned every conversation with stakeholders from opinion into data.
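The kind of query this describes, as an added example rather than one of the engagement's own. It assumes Entra ID sign-in logs are being sent to the Sentinel workspace as the standard SigninLogs table, and the 30-day window is an arbitrary choice. The first query finds the coverage gap (successful, interactive, single-factor sign-ins that no Conditional Access policy applied to) and groups it by application and device class; the second shows how often each policy fires and with what outcome. They are two separate queries and are run one at a time.

```kql
// Added example, not the engagement's own query. Assumes SigninLogs in Sentinel.
// Query 1: successful sign-ins that no policy touched and that used only a password.
let lookback = 30d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                          // successful sign-ins only
| where IsInteractive == true                      // ignore token refresh and background traffic
| where ConditionalAccessStatus == "notApplied"    // no policy was in scope for this sign-in
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend TrustType = tostring(DeviceDetail.trustType),   // e.g. "Hybrid Azure AD joined"; empty when unmanaged
         OS        = tostring(DeviceDetail.operatingSystem)
| extend DeviceClass = iff(isempty(TrustType), "unmanaged/BYOD", TrustType)
| summarize SignIns   = count(),
            Users     = dcount(UserPrincipalName),
            Countries = make_set(Location, 10),          // Location is the two-letter country code
            Sample    = make_set(UserPrincipalName, 5)
    by AppDisplayName, DeviceClass, OS
| order by Users desc
```

```kql
// Query 2: policy hit counts. Each sign-in carries the list of policies evaluated for it.
// Result values include success, failure, notApplied, notEnabled and the reportOnly*
// variants, so this also shows what a policy staged in report-only mode would have done.
SigninLogs
| where TimeGenerated > ago(30d)
| mv-expand Policy = ConditionalAccessPolicies
| extend PolicyName   = tostring(Policy.displayName),
         PolicyResult = tostring(Policy.result)
| summarize SignIns = count(), Users = dcount(UserPrincipalName) by PolicyName, PolicyResult
| order by PolicyName asc, SignIns desc
```

In the second query a high reportOnlyFailure count against a new policy is the number of users who would have been blocked had it been switched on; checking that figure per cohort before each wave is the cheapest way to find an unenrolled group of contractors before they find you.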
Phased deployment across six or more waves
We designed a communications strategy that identified cohorts of user accounts for sequential waves of deployment and enforcement, roughly one per month. Each cohort was isolated using dynamic membership security groups — necessary at this scale, where a single group could contain thousands of accounts. The core policies targeted parent groups; dynamic cohort groups were added into these parent groups and removed from legacy policy groups as each wave progressed.
The communications challenge was significant across 20+ countries and multiple languages. But the real risk wasn’t linguistic — it was structural. Contractors, in particular, had account names that appeared identical to regular employee accounts. They rarely used their organisational email or Teams, which meant they missed every communication about the need to enrol in MFA before enforcement.
When enforcement day arrived for one cohort, approximately ten developers — all contractors, all on BYOD devices, none enrolled in MFA — were blocked. They raised a P1 incident. Under the outsourced IDAM team’s established rules, the entire change for that cohort was reversed rather than fixing forward. It was a P1 that should not have been a P1, but it highlighted a gap in identity governance: without a reliable way to distinguish contractors from employees by account metadata, communications would always miss people.
To address this for subsequent waves, we implemented a targeted Conditional Access policy using the Terms of Use grant control: a PDF explicitly stating that MFA enrolment was mandatory, that enforcement was coming on a named date, and that by accepting, the user acknowledged they had been informed. Because the acceptance is recorded against the account, no one could later claim they had not been told.
The executive challenge
Senior executives were another matter entirely. Highly remote from the day-to-day challenges of IT and cybersecurity, most were using unmanaged Apple products (MacBooks, iPads, iPhones) and had been excluded from Conditional Access policies for years. From their perspective, their devices were “company owned” and therefore managed. The distinction between corporate ownership and Entra ID device compliance is not intuitive to anyone outside IT: a device the company paid for but never enrolled in device management is, as far as Conditional Access can tell, indistinguishable from a personal one.
We worked through executive assistants and PAs to manage the rollout. In one case, we researched exactly how many MFA prompts the CEO had received over the previous 90 days (far too few), and provided an honest projection of what to expect going forward across Mac, iPad, and iPhone with Outlook, Teams, and other Microsoft apps. The “what if” conversations around executive MFA and Conditional Access enforcement were extensive — and extended the project timeline significantly.
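The 90-day look-back described above, as an added example query that is not from the engagement. It assumes SigninLogs in Sentinel; the user principal name is a constructed placeholder. It counts, per operating system and application, how many interactive sign-ins required MFA, how many actually produced a challenge, and how many went through with a password alone. The last column is the honest projection: every one of those sign-ins would require MFA under the new framework.

```kql
// Added example, not the engagement's own query. Assumes SigninLogs in Sentinel.
// "ceo@example.com" is a constructed placeholder, not a real account.
let target = "ceo@example.com";
SigninLogs
| where TimeGenerated > ago(90d)
| where UserPrincipalName =~ target
| where IsInteractive == true
| extend OS          = tostring(DeviceDetail.operatingSystem),
         IsCompliant = tobool(DeviceDetail.isCompliant),
         MfaMethod   = tostring(MfaDetail.authMethod)     // populated only when a challenge was issued
| summarize SignIns      = count(),
            MfaRequired  = countif(AuthenticationRequirement == "multiFactorAuthentication"),
            MfaPrompts   = countif(isnotempty(MfaMethod)),   // approximation: a challenge reached the user
            SingleFactor = countif(AuthenticationRequirement == "singleFactorAuthentication"),
            Methods      = make_set(MfaMethod, 5),
            OnCompliantDevice = countif(IsCompliant == true)
    by OS, AppDisplayName
| order by SingleFactor desc
```

MfaRequired and MfaPrompts differ because a sign-in can satisfy MFA with a claim already in the token without prompting anyone, so the SingleFactor figure is an upper bound on new prompts rather than a prediction of them; how close it gets depends on the sign-in frequency and token lifetimes in force, which is exactly the conversation to have with the executive's assistant before enforcement day.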
Addressing the source
Conditional Access alone does not stop AiTM phishing. Separate workstreams addressed email security to reduce the flow of phishing emails reaching users in the first place. Risk-based Conditional Access policies, available for years but never activated, were deployed to detect and respond to anomalous sign-in behaviour. Country-based allow-listing, blocking sign-ins from countries in which the organisation has no presence, further reduced the attack surface. It is worth being precise about why these are needed: a relayed MFA sign-in is indistinguishable from a genuine one at the moment it happens, so the controls that break the attack itself are the ones that bind the session to something the proxy cannot relay, namely a compliant or joined device, or phishing-resistant methods such as FIDO2 security keys and passkeys. The email and risk workstreams reduce how often the attack is attempted and how long a successful one survives.
The risk assessment data presented a particular challenge. With records going back ten years and many users flagged as risky based on historical activity, enforcing risk-based policies immediately would have locked out a significant number of users. We adopted an “investigate and forgive” approach — reviewing flagged accounts, dismissing historical risk where appropriate, and setting a clean baseline from which new risk signals could be actioned.
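A triage query for the “investigate and forgive” pass, as an added example that is not the engagement's own. It assumes the Entra ID Protection connector is sending risky-user and risk-detection records to Sentinel (the AADRiskyUsers and AADUserRiskEvents tables) alongside SigninLogs, and the 180-day staleness threshold and 30-day activity window are assumptions to be set to match the review policy. It lists every user currently at risk with the age of that risk, the detections behind it, and what the account has actually been doing recently, then suggests a triage bucket.

```kql
// Added example, not the engagement's own query. Assumes AADRiskyUsers,
// AADUserRiskEvents and SigninLogs in Sentinel. 180d and 30d are assumed thresholds.
let stale  = 180d;   // risk older than this is a candidate for dismissal after review
let recent = 30d;    // window for "what has this account been doing lately"
AADRiskyUsers
| where RiskState == "atRisk"
| summarize arg_max(TimeGenerated, *) by UserPrincipalName      // latest recorded state per user
| extend RiskAge = now() - RiskLastUpdatedDateTime
| join kind=leftouter (
    AADUserRiskEvents
    | summarize LastDetection  = max(DetectedDateTime),
                DetectionTypes = make_set(RiskEventType, 10)
      by UserPrincipalName
  ) on UserPrincipalName
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(recent) and ResultType == "0"
    | summarize RecentSignIns   = count(),
                RecentCountries = make_set(Location, 10),
                RecentMfa       = countif(AuthenticationRequirement == "multiFactorAuthentication")
      by UserPrincipalName
  ) on UserPrincipalName
| extend Triage = case(
      RiskAge <= stale,                                  "recent risk: investigate before enforcement",
      RecentSignIns > 0 and RecentMfa == RecentSignIns,  "stale risk, recent sign-ins all MFA: candidate to dismiss",
      RecentSignIns > 0,                                 "stale risk, single-factor activity seen: review sign-ins first",
                                                         "stale risk, no recent activity: confirm the account is still needed")
| project UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime, RiskAge,
          LastDetection, DetectionTypes, RecentSignIns, RecentCountries, Triage
| order by RiskAge desc
```

Two caveats. The Sentinel tables only contain users whose risk state changed after the connector was enabled, so a backlog that predates logging, as in this engagement, has to be exported from the same fields in the Graph riskyUsers resource and put through the same triage. And KQL only finds the accounts; the dismissal itself is done in the Entra portal or through the riskyUsers dismiss action, and enabling the enforcing risk policies comes after that clean baseline exists, not before.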
The Results
The volume of AiTM account compromises dropped off a cliff.
The original 70+ Conditional Access policies have been consolidated to approximately half that number. A core framework of around 20 policies covers the organisation’s primary identity scenarios. Beyond that foundation, the team can now implement focused policies for specific use cases with confidence — because the baseline is understood, documented, and consistently enforced.
Every corporate account — including executives, contractors, and BYOD users — is now covered by the Conditional Access framework. MFA is enforced without exception. Risk-based policies are active and monitored. The approval process for BYOD access is no longer theoretical.
Most importantly, the in-house IDAM team now accurately understands how the framework works. They own it, they can extend it, and they can explain it to auditors. The engagement has moved from external dependency to internal capability.
Lessons for IT Leaders
Two things stood out from this engagement.
First, senior leadership must be more than supportive — they must be the first adopters. “I support this project” is not the same as “I enrolled in MFA this morning.” When executives are visibly subject to the same controls as everyone else, pushback from the rest of the organisation evaporates. When they’re excluded, every other exemption request gains legitimacy.
Second, Conditional Access is an excellent but frequently misunderstood tool. It evolves constantly as new identity threats emerge — AiTM phishing being a prime example. The gap between what an organisation believes is enforced and what is actually enforced can be vast, especially when policies have accumulated across multiple projects and authors over several years. Periodic expert review is not optional; it’s a security control in its own right.