Identity Management Day 2026
Digital identity is the new perimeter

Tags: Identity Management · Zero Trust · Cybersecurity · MFA · Microsoft Entra ID

Key figures:
  • Password attacks: 7,000/sec
  • MFA effectiveness: 99.9% blocked
  • Phishing increase: +58% in 2025

Identity is the new security perimeter

The traditional network perimeter — firewalls, VPNs, physical boundaries — no longer defines where a company's security begins and ends. With cloud adoption, remote work and SaaS applications, the concept of a “network edge” has become meaningless. Today, the real perimeter is digital identity.

According to Microsoft's latest research, the platform blocks over 7,000 password-based attacks every second — a 75% increase year-over-year — with 97% of identity attacks using password spraying. Attackers no longer need to breach firewalls: they log in with stolen usernames and passwords, often obtained through phishing or credential stuffing. Once inside, lateral movement and privilege escalation become trivially easy without proper identity management.

Identity Management Day 2026: a global call to action

Identity Management Day, celebrated on the second Tuesday of April, was created by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCA) to raise awareness about the critical role of identity security. The 2026 edition is especially relevant: phishing attacks rose 58% in 2025, and identity-based attacks are the leading initial access vector across every industry.

The message is clear: protecting digital identities is no longer optional — it is the single most impactful action any organisation can take to reduce cyber risk. And it starts with the basics: eliminating shared passwords, enforcing MFA (Multi-Factor Authentication), and implementing least-privilege access.

Microsoft Entra ID: the identity control plane

For organisations using Microsoft 365, Microsoft Entra ID (formerly Azure Active Directory) is the backbone of identity and access management. It provides single sign-on across thousands of applications, Conditional Access policies, Privileged Identity Management (PIM), and identity protection with machine-learning-driven risk detection.

Yet many organisations still use Entra ID at a fraction of its potential: MFA disabled for some users, Conditional Access not configured, admin accounts without PIM, and no monitoring of risky sign-ins. This leaves the front door wide open.

MFA, Conditional Access and Zero Trust

Microsoft reports that MFA blocks 99.9% of automated credential attacks. Yet adoption remains alarmingly low: many SMEs still rely solely on passwords, especially for non-admin accounts. The three pillars of modern identity security are:

  1. MFA (Multi-Factor Authentication) — not just any MFA: SMS and OTP codes are vulnerable to adversary-in-the-middle attacks that intercept them in real time. Configure phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) and disable weak fallbacks to truly protect every account.
  2. Conditional Access — evaluate context (device compliance, location, sign-in risk, application sensitivity) to dynamically grant, challenge or block access. This turns static allow/deny rules into intelligent, risk-based decisions.
  3. Zero Trust — never trust, always verify. Every access request is authenticated, authorised and continuously validated, regardless of network location. Identity is the foundation of every Zero Trust architecture.
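To make the Conditional Access decision concrete, here is a small policy evaluator written for this article as an added example; it is not Microsoft's code and not the Entra ID API. A sign-in carries its context (group membership, target application, device compliance, location, risk score, and the strongest factor the user has presented), every policy whose conditions match contributes its grant controls, and the outcome is allow, challenge or block. The policy names, field names and the baseline policy set are assumptions modelled loosely on how Entra ID Conditional Access behaves; the authentication-strength ranking reflects the point made above that SMS/OTP counts as MFA but not as phishing-resistant.

```python
"""Toy Conditional Access evaluator.

Added example, not Microsoft's or the page author's code. It models the
decision the text describes: a sign-in carries context (user groups, app,
device compliance, location, sign-in risk, strongest factor presented) and
every policy whose conditions match contributes its grant controls. Policy
names, field names and the constructed baseline policies are assumptions
loosely modelled on Entra ID Conditional Access, not its API.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Authentication strengths, weakest first. "mfa" covers SMS/OTP/push;
# "phishing_resistant" covers FIDO2 keys, passkeys and Windows Hello for Business.
STRENGTH_RANK = {"password": 0, "mfa": 1, "phishing_resistant": 2}


@dataclass
class SignIn:
    user: str
    groups: Set[str]
    app: str
    device_compliant: bool
    trusted_location: bool
    risk: str            # "none" | "low" | "medium" | "high"
    auth_strength: str   # strongest factor the user has presented so far


@dataclass
class Policy:
    name: str
    # Conditions: an empty set means "any value"
    groups: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)
    risk_levels: Set[str] = field(default_factory=set)
    untrusted_location_only: bool = False
    # Grant controls
    block: bool = False
    require_strength: Optional[str] = None   # "mfa" or "phishing_resistant"
    require_compliant_device: bool = False

    def matches(self, s: SignIn) -> bool:
        if self.groups and not (self.groups & s.groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.risk_levels and s.risk not in self.risk_levels:
            return False
        if self.untrusted_location_only and s.trusted_location:
            return False
        return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Return ("allow" | "challenge" | "block", reasons).

    Block wins over everything. A device-compliance control the device
    cannot meet is a block; an unmet authentication strength is a
    challenge the user can still satisfy interactively.
    """
    matched = [p for p in policies if p.matches(s)]
    blocks, challenges = [], []
    for p in matched:
        if p.block:
            blocks.append(f"{p.name}: explicit block")
        if p.require_compliant_device and not s.device_compliant:
            blocks.append(f"{p.name}: non-compliant device")
        if p.require_strength and STRENGTH_RANK[s.auth_strength] < STRENGTH_RANK[p.require_strength]:
            challenges.append(f"{p.name}: {p.require_strength} required")
    if blocks:
        return "block", blocks
    if challenges:
        return "challenge", challenges
    return "allow", []


def baseline_policies() -> List[Policy]:
    """Constructed baseline mirroring the article's recommendations (assumption)."""
    return [
        Policy("Require MFA for all users", require_strength="mfa"),
        Policy("Require phishing-resistant MFA for admins", groups={"admins"},
               require_strength="phishing_resistant"),
        Policy("Block high-risk sign-ins", risk_levels={"high"}, block=True),
        Policy("Require compliant device for finance", apps={"finance"},
               require_compliant_device=True),
        Policy("Step-up on medium risk from untrusted locations", risk_levels={"medium"},
               untrusted_location_only=True, require_strength="phishing_resistant"),
    ]


if __name__ == "__main__":
    for s in [
        SignIn("alice", {"staff"}, "mail", True, True, "none", "password"),
        SignIn("root-admin", {"admins"}, "portal", True, True, "none", "mfa"),
        SignIn("bob", {"staff"}, "finance", False, True, "none", "phishing_resistant"),
        SignIn("carol", {"staff"}, "mail", True, False, "high", "phishing_resistant"),
    ]:
        print(s.user, evaluate(baseline_policies(), s))
```

Note the second sample sign-in: an admin who has passed SMS-based MFA is still challenged, because the admin policy demands the phishing-resistant strength and SMS does not rank high enough. That single comparison is what "disable weak fallbacks" means in policy terms.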

Five actionable steps for your organisation

Identity security does not require a massive budget or a multi-year transformation programme. These five steps deliver immediate, measurable risk reduction:

  1. Enable MFA on every account — start with admin and privileged users, then extend to all employees. Prioritise phishing-resistant methods like FIDO2 security keys and passkeys. Traditional SMS-based MFA is better than nothing but does not protect against sophisticated adversary-in-the-middle attacks. Disable weak fallbacks wherever possible.
  2. Eliminate shared credentials — every user must have a unique identity. Shared accounts make audit trails meaningless and breach containment impossible.
  3. Implement least-privilege access — grant only the minimum permissions needed for each role. Use Privileged Identity Management (PIM) for just-in-time admin access.
  4. Configure Conditional Access policies — block sign-ins from non-compliant devices, enforce MFA for risky locations, and require device compliance for sensitive applications.
  5. Monitor and respond to identity threats — enable sign-in risk policies, review risky users reports, and integrate identity signals with your EDR/XDR platform for correlated threat detection.
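Steps 1 and 5 both come down to reviewing reports the identity provider already produces. The script below, added here as an example rather than code from Microsoft or this article's authors, shows what that review looks like over constructed sample data: it grades each account's registered methods (admins are held to the phishing-resistant bar, everyone else must at least have MFA and not rely solely on interceptable codes), lists successful risky sign-ins that never satisfied MFA, and flags source IPs whose failed attempts span many accounts, which is the password-spraying pattern cited at the top of the article. The record field names and method labels are assumptions loosely modelled on the Entra authentication-methods registration report and sign-in log; every record is constructed.

```python
"""Identity posture audit: MFA registration review, risky-sign-in triage and
password-spray spotting over constructed sample data.

Added example, not Microsoft's or the page author's code. Record field names
are assumptions loosely modelled on the Entra authentication-methods
registration report and sign-in log; the method labels and every record
below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Method classes. Phishing-resistant methods cannot be replayed through an
# adversary-in-the-middle proxy; SMS, e-mail and OTP codes can.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"}
INTERCEPTABLE = {"mobilePhone", "email", "softwareOneTimePasscode"}

REGISTRATION_REPORT = [  # constructed sample
    {"upn": "cio@example.com", "is_admin": True, "methods": ["password", "mobilePhone"]},
    {"upn": "ops-admin@example.com", "is_admin": True, "methods": ["password", "fido2SecurityKey"]},
    {"upn": "alice@example.com", "is_admin": False, "methods": ["password"]},
    {"upn": "bob@example.com", "is_admin": False, "methods": ["password", "softwareOneTimePasscode"]},
    {"upn": "carol@example.com", "is_admin": False,
     "methods": ["password", "microsoftAuthenticatorPush", "passKeyDeviceBound"]},
]

SIGNIN_LOG = [  # constructed sample; "risk" is the score the identity provider assigned
    {"upn": "alice@example.com", "ip": "203.0.113.7", "result": "success", "risk": "high", "mfa": False},
    {"upn": "bob@example.com", "ip": "198.51.100.2", "result": "success", "risk": "medium", "mfa": True},
    {"upn": "dave@example.com", "ip": "203.0.113.7", "result": "failure", "risk": "none", "mfa": False},
    {"upn": "erin@example.com", "ip": "203.0.113.7", "result": "failure", "risk": "none", "mfa": False},
    {"upn": "frank@example.com", "ip": "203.0.113.7", "result": "failure", "risk": "none", "mfa": False},
    {"upn": "grace@example.com", "ip": "203.0.113.7", "result": "failure", "risk": "none", "mfa": False},
]


def classify(record: Dict) -> str:
    """Strongest class of second factor the account has registered."""
    methods = set(record["methods"]) - {"password"}
    if not methods:
        return "no_mfa"
    if methods & PHISHING_RESISTANT:
        return "phishing_resistant"
    if methods <= INTERCEPTABLE:
        return "weak_only"
    return "mfa"


def audit_registration(report: List[Dict]) -> List[Tuple[str, str, str]]:
    """(severity, upn, finding), most severe first."""
    severity_order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for r in report:
        c = classify(r)
        if r["is_admin"] and c != "phishing_resistant":
            findings.append(("critical", r["upn"], f"admin without phishing-resistant MFA ({c})"))
        elif c == "no_mfa":
            findings.append(("high", r["upn"], "no MFA registered"))
        elif c == "weak_only":
            findings.append(("medium", r["upn"], "only SMS/e-mail/OTP registered"))
    return sorted(findings, key=lambda f: severity_order[f[0]])


def unremediated_risky_signins(log: List[Dict]) -> List[Dict]:
    """Successful medium/high-risk sign-ins that never satisfied MFA: the
    sessions to revoke and the users to mark for credential reset."""
    return [e for e in log if e["result"] == "success"
            and e["risk"] in {"medium", "high"} and not e["mfa"]]


def spray_sources(log: List[Dict], min_users: int = 3) -> List[str]:
    """IPs with failed sign-ins against at least min_users distinct accounts:
    the one-password-many-users pattern of password spraying."""
    failed_users = defaultdict(set)
    for e in log:
        if e["result"] == "failure":
            failed_users[e["ip"]].add(e["upn"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)


if __name__ == "__main__":
    for f in audit_registration(REGISTRATION_REPORT):
        print(*f)
    print("risky, unremediated:", [e["upn"] for e in unremediated_risky_signins(SIGNIN_LOG)])
    print("spray sources:", spray_sources(SIGNIN_LOG))
```

Run on the sample data, the audit ranks the admin who only has SMS above the ordinary user with no MFA at all, which is the ordering step 1 asks for, and the sign-in triage separates the one successful risky login that bypassed MFA from the noise of failed spray attempts.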

Sources

  • Verizon — Data Breach Investigations Report (DBIR) 2025
  • Microsoft — Digital Defense Report 2025
  • Identity Defined Security Alliance (IDSA) — Identity Management Day 2026
  • ENISA — Threat Landscape 2025
  • Clusit — Rapporto sulla sicurezza ICT in Italia 2026

Is your identity security up to the challenge?

We design and manage identity and access management solutions based on Microsoft Entra ID, with MFA, Conditional Access and Zero Trust. Start with a free security posture assessment.