
When Your Identity Becomes the Attack Surface

  • Writer: David Long
  • Jul 17
  • 4 min read

Updated: Aug 8

[Image: Entra ID depicted as the digital brainstem of the enterprise, with connections branching out to Microsoft 365, Teams, SharePoint, Azure, Salesforce, and other SaaS applications; the central identity core is highlighted with glowing neural-style pathways representing access, trust, and control.]
When identity fails, everything fails. The most dangerous breach path now starts with Entra ID.

Why Immutable Entra ID Recovery Is Now a Board-Level Mandate

When identity fails, everything fails.

Entra ID has become more than just a login service; it’s the digital brainstem of your entire enterprise. And when it’s compromised, the blast radius can take out everything from Microsoft 365 and Teams to Azure, Salesforce, and beyond.

In a world of privilege escalation, MFA fatigue attacks, and rogue admin resets, your recovery strategy can’t end at the file level.

It has to start at the identity layer.

This is why immutable identity recovery is now a non-negotiable part of SaaS resilience.


[Image: A blocked login screen with overlay text ‘You don’t just lose access — you lose the ability to recover.’ Red warning icons, faded Microsoft 365 app symbols, and a locked-out identity interface convey loss of control after an Entra ID compromise.]
When your Entra ID is deleted or corrupted, it’s not just downtime. It’s system-wide amnesia - and without recovery, you’re starting from zero.

“You’ve lost access to your cloud. MFA resets don’t work. Conditional Access can’t be rolled back. Because the system that controls it all has been hijacked.”

That’s not a future scenario. It’s already happened.

In April 2025, Marks & Spencer (M&S) and the Co-op were both targeted by attackers who reportedly used helpdesk impersonation and social engineering tactics to reset credentials and escalate access within their identity systems.

These weren’t zero-days. They weren’t sophisticated exploits. They were identity-layer failures, where compromised Entra ID permissions enabled widespread disruption and data exposure.


🎯 Identity Is No Longer Just a Login


It’s your:

  • ✅ Root of trust

  • ✅ Security policy engine

  • ✅ Access control for Microsoft 365, Google Workspace, Salesforce and more

  • ✅ App federation controller

  • ✅ Recovery authority


Entra ID (formerly Azure AD) underpins everything - from SharePoint and Power BI to Microsoft Teams and custom SaaS integrations.

When attackers gain access - whether via phishing, helpdesk manipulation, or stolen tokens - they gain privileged control over your entire SaaS estate.

At M&S, the breach caused nearly six weeks of disruption (still continuing), with reported market losses between £700–930 million.

At Co-op, 6.5 million member records were accessed — and services were impacted across grocery stores and funeral homes.

Once identity is breached, there’s only one thing that matters: how fast you can take back control.


[Image: Stages of an identity-layer breach: the attacker gains access, elevates permissions, and removes MFA. Icons for user impersonation, privilege escalation, and disabled MFA illustrate the cascading impact of a compromised Entra ID.]
Every minute between breach and recovery gives attackers more control. Stop the chain - with immutable identity restore.

🚫 Microsoft Doesn’t Back You Up

Microsoft’s own documentation is explicit:

“You’re responsible for the protection of your identity configuration, groups, and roles.”

If attackers:

  • Delete roles

  • Remove MFA requirements

  • Tamper with Conditional Access

  • Corrupt security policies


…there’s no native rollback.


The Entra recycle bin is limited. And it won’t help with configuration drift, mass escalation, or log tampering.


Without a purpose-built backup, most teams are left with:

  • ❌ Manual rebuilds from screenshots

  • ❌ Guesswork on privileges and access

  • ❌ Hours to days of downtime and exposure


🔄 What Recovery Should Actually Look Like

Imagine the M&S or Co-op teams had access to:

  • ✅ Immutable, point-in-time Entra ID snapshots

  • ✅ Granular rollback of roles, users, and policies

  • ✅ Recovery infrastructure outside of Microsoft’s cloud


It wouldn’t have prevented the initial attack. But it would’ve changed the outcome:


  • ⏱️ Shrunk the attack window

  • 🧹 Wiped out attacker persistence

  • 🔐 Reinstated MFA and Conditional Access

  • 📁 Preserved tamper-proof logs for investigation


🛡️ What Keepit Enables

With Keepit, Entra ID is backed up immutably and independently - so even if identity is compromised, recovery is instant and assured.


✅ Comprehensive Coverage

  • Users, groups, roles, and service principals

  • Conditional Access policies, device trust

  • App registrations, BitLocker keys, audit logs


✅ Immutable Snapshots

  • Cryptographically chained

  • Tamper-proof

  • Stored out-of-band from Azure


✅ Granular Recovery

  • Restore a user, group, or full policy structure

  • Roll back permissions with precision

  • Re-enable MFA, reverse privilege changes


✅ Audit & Compliance Power

  • Preserve logs even if attackers delete them

  • Meet CPS 230 and Essential Eight expectations

  • Enable fast incident response with full visibility


[Image: Comparison table of environments without immutable identity recovery versus those protected by Keepit. Rows cover common threat scenarios such as helpdesk impersonation, MFA removal, app or group deletion, and log tampering. The ‘Without’ column shows outcomes like privilege escalation, unrestricted access, and no audit trail; the ‘With Keepit’ column shows instant rollback, recovery from a known-good state, and immutable forensic records.]
Recovery isn’t optional. It’s the only way to reverse control once identity is compromised.

💬 What CISOs Should Do Next


  • ✅ Audit your Entra ID backup coverage: are you backing up everything - or just users?

  • ✅ Check for cloud independence: if your backups live in Azure, they’re part of the blast radius.

  • ✅ Run an identity recovery drill: how long does it take to:

    • Restore deleted Conditional Access?

    • Re-enable MFA?

    • Roll back a compromised role?

    • Recover the trust layer?


If the answer isn’t “minutes,” you’re not ready.
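The recovery drill above, together with the “Immutable Snapshots” and “Granular Recovery” capabilities described earlier, comes down to three mechanical questions: is the snapshot chain intact, what has drifted from the last known-good state, and what exactly has to be put back. The following Python is an added illustration written for this post; it is not Keepit’s or FullBackup’s code and makes no claim about how their product stores snapshots. It models SHA-256 hash-chained, point-in-time configuration snapshots, detects drift (an MFA policy switched off, a policy deleted, a privileged role assignment added), and produces a granular rollback plan. The snapshot payloads are constructed sample data whose field names (`id`, `state`, `grantControls`, `principal`, `role`) are assumptions loosely shaped after Microsoft Graph objects, not the Graph schema; in practice the payloads would come from a Graph export and the chain would be stored out-of-band from the tenant.

```python
"""Hash-chained Entra ID configuration snapshots with drift detection and rollback planning.

Added example for illustration only (not Keepit's or FullBackup's code). Field names in the
sample configs are assumptions, not the Microsoft Graph schema.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first snapshot in a chain

# Constructed sample: the last known-good tenant configuration.
KNOWN_GOOD = {
    "conditional_access_policies": [
        {"id": "ca-001", "displayName": "Require MFA for all users", "state": "enabled", "grantControls": ["mfa"]},
        {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled", "grantControls": ["block"]},
    ],
    "role_assignments": [
        {"id": "ra-001", "principal": "alice@example.com", "role": "Global Administrator"},
        {"id": "ra-002", "principal": "bob@example.com", "role": "Security Reader"},
    ],
}

# Constructed sample: the same tenant after an identity-layer compromise.
# MFA policy disabled, legacy-auth block deleted, extra Global Administrator added.
COMPROMISED = {
    "conditional_access_policies": [
        {"id": "ca-001", "displayName": "Require MFA for all users", "state": "disabled", "grantControls": ["mfa"]},
    ],
    "role_assignments": [
        {"id": "ra-001", "principal": "alice@example.com", "role": "Global Administrator"},
        {"id": "ra-002", "principal": "bob@example.com", "role": "Security Reader"},
        {"id": "ra-003", "principal": "helpdesk-temp@example.com", "role": "Global Administrator"},
    ],
}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same config always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def take_snapshot(chain: list, config: dict, taken_at: str) -> str:
    """Append a point-in-time snapshot whose hash covers the previous hash (the chain link)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"taken_at": taken_at, "prev_hash": prev, "config": copy.deepcopy(config)}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    chain.append({**body, "hash": digest})
    return digest


def verify_chain(chain: list) -> int:
    """Return -1 if every link is intact, else the index of the first tampered or unlinked snapshot."""
    prev = GENESIS
    for i, snap in enumerate(chain):
        body = {k: snap[k] for k in ("taken_at", "prev_hash", "config")}
        if snap["prev_hash"] != prev or hashlib.sha256(canonical(body)).hexdigest() != snap["hash"]:
            return i
        prev = snap["hash"]
    return -1


def diff_config(known_good: dict, current: dict) -> list:
    """Per object type, report ids that were deleted, added, or changed relative to known-good."""
    findings = []
    for kind in ("conditional_access_policies", "role_assignments"):
        good = {o["id"]: o for o in known_good.get(kind, [])}
        cur = {o["id"]: o for o in current.get(kind, [])}
        findings += [(kind, oid, "deleted") for oid in good.keys() - cur.keys()]
        findings += [(kind, oid, "added") for oid in cur.keys() - good.keys()]
        findings += [(kind, oid, "changed") for oid in good.keys() & cur.keys() if good[oid] != cur[oid]]
    return sorted(findings)


def rollback_plan(known_good: dict, current: dict) -> list:
    """Granular restore actions; additions are flagged for review rather than blindly deleted."""
    actions = {
        "deleted": "recreate {kind}/{oid} from snapshot",
        "added": "review and remove {kind}/{oid} (not in known-good state)",
        "changed": "restore {kind}/{oid} attributes from snapshot",
    }
    return [actions[what].format(kind=kind, oid=oid) for kind, oid, what in diff_config(known_good, current)]


def build_chain() -> list:
    """Two snapshots: known-good, then the compromised state captured during the incident."""
    chain = []
    take_snapshot(chain, KNOWN_GOOD, "2025-04-01T00:00:00Z")
    take_snapshot(chain, COMPROMISED, "2025-04-20T00:00:00Z")
    return chain


def tamper_demo() -> int:
    """Show that editing a stored snapshot after the fact breaks the chain at that index."""
    chain = copy.deepcopy(build_chain())
    chain[0]["config"]["conditional_access_policies"][0]["state"] = "disabled"
    return verify_chain(chain)


if __name__ == "__main__":
    print("chain intact:", verify_chain(build_chain()) == -1)
    print("tampered chain breaks at index:", tamper_demo())
    for step in rollback_plan(KNOWN_GOOD, COMPROMISED):
        print("-", step)
```

Two design points matter for a drill. First, the rollback plan treats objects that exist only in the current state (the added Global Administrator) as review items rather than automatic deletions, because a legitimate change made between the snapshot and the incident would otherwise be destroyed along with the attacker’s; the snapshot tells you what changed, the responder decides what goes back. Second, the chain only proves integrity if the hashes live somewhere the compromised tenant cannot write to, which is the “out-of-band” requirement the post keeps returning to.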


🧠 Final Thought: Identity Resilience Is Cyber Resilience

There’s no such thing as 100% prevention anymore. Attackers will get in. The only question is:

How fast can you take back control?

If Entra ID is your SaaS brainstem, your recovery strategy can’t be limited to files and mailboxes.


It has to start at the top - with the identity layer.


With Keepit, recovery isn’t an afterthought.

It’s your first move. Your fastest move. Your advantage.

🤝 Why FullBackup

FullBackup is a trusted Keepit partner - already supporting large enterprises, government agencies, manufacturers, and not-for-profits across Australia and New Zealand.

We don’t just sell backup. We help organisations protect what matters most - identity, compliance, and control - across Microsoft 365, Entra ID, and all critical SaaS platforms.

Whether you're governed by CPS 230, navigating Essential Eight uplift, or simply closing the gaps left by Microsoft’s native tools - we help you recover faster, with confidence.


