Firewalls still matter. For cloud-first organizations, though, identity is the control plane: who can sign in, from which device, to which app, and with how much privilege. Most modern breaches in SMBs start with stolen credentials, token abuse, or over-permissioned accounts—not exotic zero-days.
This guide explains identity and Zero Trust in practical language for teams of roughly 10–250 people. It pairs with our Microsoft 365 Security Guide and the shorter What is Zero Trust? article.
Why identity is the new perimeter
Users work from home, airports, and phones. SaaS apps sit outside your office network. If an attacker has a valid username, password, and a weak second factor, they often look like a legitimate remote employee.
- Email compromise → invoice fraud and data theft
- Admin compromise → tenant-wide damage
- OAuth app abuse → persistent access without your password
Investing in identity reduces the blast radius of almost every other control.
Zero Trust without the buzzwords
Zero Trust is a strategy, not a product SKU. The useful ideas for SMBs:
- Verify explicitly — strong authentication, context-aware access
- Least privilege — only the access needed for the job (least privilege)
- Assume breach — limit lateral movement; monitor privileged use
You do not need to rebrand your company around Zero Trust posters. You need MFA, Conditional Access, cleaner admin rights, and healthier devices.
MFA maturity
Not all MFA is equal. A practical ladder:
- Any MFA beats passwords alone
- Authenticator apps with number matching beat SMS for most users
- Phishing-resistant methods (FIDO2 security keys, passkeys) for admins and high-risk roles
Read: What is MFA?, Phishing-resistant MFA, Passkeys for business.
Conditional Access as policy
Conditional Access is how Microsoft Entra turns identity signals into decisions: allow, block, or require controls.
A solid SMB baseline often includes:
- Require MFA for all users
- Block legacy authentication
- Require MFA for Azure management / admin portals
- Stricter rules for privileged roles
- Optional: compliant device requirements for sensitive apps
Detail: Conditional Access for SMBs.
Privileged access
Standing Global Admin rights are convenient and dangerous. Prefer:
- Few permanent highly privileged accounts
- Just-in-time or temporary elevation where practical
- Separate admin accounts from daily email
- Monitored break-glass accounts (break-glass)
Article: Privileged access for SMBs.
Passkeys and phishing resistance
Passkeys and FIDO2 security keys bind authentication to the real site/app, which blocks many classic phishing kits. They are not mandatory for every user on day one—but they are an excellent target for administrators and finance leaders.
Apps and OAuth risk
Users can grant third-party apps access to mail and files. Attackers abuse this with malicious OAuth consent prompts. Hygiene includes:
- Review enterprise applications and permissions
- Restrict user consent where business allows
- Remove stale apps after projects end
Joiners, movers, leavers
Identity security fails at HR moments:
- Joiners: least privilege from day one; MFA enrolled before access to mail
- Movers: role changes update group membership, not leftover access
- Leavers: disable accounts the same day; revoke sessions and devices; transfer ownership of files
A one-page offboarding checklist prevents more incidents than another dashboard.
Where SMBs should start this month
- 100% MFA on interactive accounts
- Inventory Global Admins; cut the list
- Block legacy authentication if nothing critical breaks
- Write Conditional Access baseline policies in report-only, then enforce
- Pilot passkeys/security keys for IT admins
- Quarterly access review for guests and ex-employees
Want this applied in your tenant?
Book a free 15-minute review. We can walk your Microsoft 365 and identity posture and recommend a sensible next step—including ImpetraInsights™ when a formal baseline helps.