Identity & MFA Security Assessment (Representative) by Watheq Zboun


Representative engagement. Illustrative and anonymized.

Identity & MFA Security Assessment (Microsoft Entra)

The brief. A 600-user professional-services firm, preparing for a cyber-insurance renewal, asked one question: are we actually protected, or just paying for licenses?
Identity Secure Score 52 vs. a target of 78, with the Conditional Access gaps.
The challenge. They had Microsoft 365 E5 but a half-configured identity layer, plus a renewal questionnaire that required phishing-resistant MFA they were not sure they had.
What I did.
Scored their identity posture against the Microsoft Zero Trust model and Identity Secure Score (read-only).
Audited Conditional Access for gaps, drift, and legacy authentication still left open.
Mapped every finding to a fix and sequenced it into a 90-day roadmap.
Two of fourteen findings.
Admins not phishing-resistant. Global Admins used app-push MFA, which adversary-in-the-middle kits bypass in seconds. Fix: FIDO2 and passkeys for all admins, with break-glass on hardware keys.
Why app-push MFA wasn't enough, and how FIDO2/passkeys fix it.
Conditional Access built by hand and drifting. No version control, overlapping policies. Fix: a 12-policy Conditional-Access-as-Code framework with regression testing.
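A regression check of the kind a Conditional-Access-as-Code pipeline could run against exported policies, covering both findings above. This is an added example, not the framework from the engagement: the policy shape follows the Microsoft Graph conditionalAccessPolicy resource, the two IDs are Entra built-ins, and the sample policies, the `policy` helper and `regression_findings` are constructed for illustration.

```python
import json

# Well-known Entra IDs (added here, not on the page): Global Administrator
# role template and the built-in "Phishing-resistant MFA" authentication strength.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PHISH_RESISTANT = "00000000-0000-0000-0000-000000000004"
LEGACY = {"exchangeActiveSync", "other"}  # legacy-auth clientAppTypes

def policy(name, state, users, apps, grant):
    """Build a constructed policy in the Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "clientAppTypes": apps},
            "grantControls": grant}

# Constructed sample: a hand-built, drifting tenant.
DRIFTED = [
    policy("Block legacy auth", "enabledForReportingButNotEnforced",
           {"includeUsers": ["All"]}, ["exchangeActiveSync", "other"],
           {"builtInControls": ["block"]}),
    policy("Admins MFA", "enabled", {"includeRoles": [GLOBAL_ADMIN]}, ["all"],
           {"builtInControls": ["mfa"]}),
    policy("Admins MFA (copy)", "enabled", {"includeRoles": [GLOBAL_ADMIN]}, ["all"],
           {"builtInControls": ["mfa"]}),
]

def regression_findings(policies):
    """Return failed checks; exclusions and target apps are not evaluated here."""
    live = [p for p in policies if p["state"] == "enabled"]  # report-only does not enforce
    findings, seen = [], {}
    if not any("All" in p["conditions"]["users"].get("includeUsers", [])
               and LEGACY <= set(p["conditions"]["clientAppTypes"])
               and "block" in p["grantControls"].get("builtInControls", [])
               for p in live):
        findings.append("legacy-auth-not-blocked")
    if not any(GLOBAL_ADMIN in p["conditions"]["users"].get("includeRoles", [])
               and (p["grantControls"].get("authenticationStrength") or {}).get("id")
               == PHISH_RESISTANT for p in live):
        findings.append("admins-not-phishing-resistant")
    for p in live:  # identical conditions on two enforced policies = overlap
        key = json.dumps(p["conditions"], sort_keys=True)
        if key in seen:
            findings.append(f"overlap:{seen[key]}|{p['displayName']}")
        seen.setdefault(key, p["displayName"])
    return findings

if __name__ == "__main__":
    for finding in regression_findings(DRIFTED):
        print("FAIL", finding)
```

Run on every change to the policy repository, a non-empty result fails the build before a drifted or overlapping policy reaches the tenant.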
The outcome (illustrative). A board-ready scorecard showing Identity Secure Score 52 against a target of 78, a Conditional Access gap analysis, and a prioritized roadmap that satisfied the insurer's MFA requirement. Read-only assessment, no changes made during the engagement.
Every finding mapped to a fix and sequenced into a 90-day roadmap.
Tools: Microsoft Entra ID, Conditional Access, Multi-Factor Authentication, Microsoft Secure Score. Figures illustrative, representative of a typical engagement.

Posted Jun 6, 2026

Representative engagement: an identity posture scored against Microsoft Zero Trust, with the gap to insurable closed in 90 days.