Most of the breaches I see in small business networks do not start with malware. They start with somebody signing in. An attacker types a stolen password, completes an MFA prompt the user did not pay attention to, and from inside the user's mailbox quietly sets up forwarding rules and goes looking for invoices to redirect. The technical story is unglamorous. The financial damage is real. The defenses are not exotic. They just require somebody to set them up.
This is the post I wish every small business owner I have ever sat across from had read before our first call. It is the identity-hardening floor for a 5-to-25-person business running on Microsoft 365 in 2026. None of it is novel. All of it is fixable in a week. If you are reading this and recognizing that some of these are not in place, that is the project to start on Monday.
Why identity is the front door now
For most of the last decade, perimeter security was the dominant model: a firewall around the office, a VPN to get in from outside, antivirus on the workstations. That model assumed work happened on devices that lived behind the perimeter most of the time. It has not described the world for several years. The "perimeter" is now wherever your users sign in: a hotel Wi-Fi network, a phone in a coffee shop, a home laptop checking SharePoint at 9pm. Identity is what the cloud trusts to decide who you are. Identity is what an attacker has to defeat to look like you.
The numbers back this up. Microsoft's own threat intelligence reports have placed identity-driven attacks at the top of the breach-cause list for several years running. Cyber-insurance carriers, which see the claims data, have shifted from asking "do you have antivirus" to asking "do you have MFA on every account, and is it phishing-resistant on admins." The carriers do not move quickly. When they shift their questionnaires, it means the loss data has been telling them the same story for a long time.
The other reason identity matters more now is that the consequences are bigger. A signed-in user in Microsoft 365 has cached primary refresh tokens (PRTs), session cookies, and OAuth grants that can be stolen and replayed from anywhere in the world. The YellowKey BitLocker bypass I wrote about yesterday ends with the attacker reading the BitLocker volume, and the most valuable thing on that volume for a modern business is not the files; it is the cached tokens. Once the tokens are out, the attacker is the user as far as Microsoft 365 is concerned.
The five controls that actually move the needle
1. Phishing-resistant MFA on admin accounts; regular MFA on everyone
Multi-factor authentication is non-negotiable. The honest update for 2026 is that "MFA" no longer means one thing. Push-notification MFA, where you tap "Approve" on your phone, has been quietly losing the arms race for years. Two failure modes dominate:
- Push bombing. The attacker has the password and spams MFA prompts at 2am until the user taps Approve to make the buzzing stop. This works more often than anyone wants to admit.
- Adversary-in-the-middle phishing. The user clicks a link, lands on a real-looking Microsoft login page that is actually a proxy, types the password, completes the MFA prompt against the real Microsoft, and the proxy steals the resulting session cookie. The attacker now has a valid session without ever needing the user's MFA secret.
The fix for both is phishing-resistant MFA: hardware FIDO2 keys (YubiKey, Feitian, Token2) or Windows Hello for Business with PIN+biometric. These work by cryptographically tying the authentication to the specific domain the user is signing into. An adversary-in-the-middle proxy at a different domain cannot complete the challenge, no matter how convincingly it imitates Microsoft's login page. The user cannot accidentally approve the wrong sign-in, because there is no "Approve" button.
The realistic deployment for a 5-employee business is: phishing-resistant MFA on every admin account (Global Administrator, Exchange Administrator, anything privileged) and a phishing-resistant option offered to every regular user, with strong push MFA acceptable as a fallback. Hardware keys cost about $25 to $50 each. Buy two per admin account so a lost key is not a lockout event.
2. Separated admin accounts
This is the one that gets the most resistance from owners and is one of the highest-impact changes. The pattern I see constantly is one account, owner@business.com, that is both the daily-driver mailbox and a tenant Global Administrator. The owner reads email from it. The owner clicks links from it. The owner runs PowerShell against the tenant from it.
The problem is that any phishing email that fools the owner has just compromised a tenant Global Admin. The blast radius is the entire Microsoft 365 environment: every user, every mailbox, every SharePoint site, every license. An attacker with a Global Admin token can disable MFA, create new accounts, mass-export mailboxes, and remove themselves from audit logs.
The fix is two accounts. The owner's daily account, owner@business.com, is a normal licensed user with no admin rights. A second account, owner-admin@business.com (or similar), holds the Global Admin role, has phishing-resistant MFA, is gated by a Conditional Access policy that requires a compliant device, and is used only for admin work. The two accounts do not share a mailbox, a browser session, or a password manager entry.
Microsoft Entra ID also supports Privileged Identity Management (PIM) on higher tiers, which makes the admin account "eligible" for Global Admin rather than holding it standing. The admin elevates for an hour at a time, with approval and logging. PIM is included in Entra ID P2 (part of Microsoft 365 E5 or available as an add-on). For a 5-person business it is overkill but worth knowing about as you grow.
3. Conditional Access: the rule engine you already paid for
Conditional Access is the Microsoft Entra policy engine that decides, for every sign-in, whether to allow it, block it, or require additional proof. It is included in Microsoft 365 Business Premium and is one of the most valuable features in the bundle. It is also one of the least-used. Most of the tenants I open up have Security Defaults enabled (better than nothing) but no Conditional Access policies tuned for their actual business.
The minimum set of policies for a 5-employee business:
- Block legacy authentication. Legacy auth protocols (Basic auth, IMAP, POP3, older Outlook) cannot do MFA. They are the easiest bypass an attacker has. Block them at the tenant level with a Conditional Access policy.
- Require MFA for all users. Belt-and-suspenders with Security Defaults: explicit policy, scoped to all cloud apps, with hardware key required for admins.
- Block sign-ins from countries you do not operate in. A Salinas-based plumbing contractor with a California-only customer base does not need to allow sign-ins from anywhere outside North America. Geo-blocking is one rule and cuts the credential-stuffing background noise dramatically.
- Require a compliant or Entra-joined device for sensitive apps. If a user's laptop is enrolled in Intune and reporting compliant, they can sign into the admin portal. From an unmanaged personal phone, they cannot. This is the policy that defeats most stolen-token replay attacks: even if an attacker has the cookie, their device is not enrolled.
- Sign-in risk and user risk policies. If Microsoft's threat intel flags a sign-in as high-risk (impossible travel, leaked credentials, anonymized IP), require MFA again or block. This is included in Entra ID P2 (Business Premium gives you P1; full risk policies need P2 or a step up to E5).
Conditional Access is also where I see the worst self-inflicted outages. A misconfigured policy can lock the entire tenant out, including the admin trying to fix it. Always create a break-glass account (a single non-MFA account with a long random password, monitored, used only in emergencies, excluded from all Conditional Access policies) before you start tightening policies. Anyone who has ever locked themselves out of their own tenant at 11pm understands why.
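As an added example (not code from the original post), here is how the first two policies from the list above can be created with the Microsoft Graph PowerShell SDK, in report-only mode and with the break-glass account excluded from both, so nothing is enforced until you have reviewed what would have been blocked. The break-glass UPN is a placeholder; the role template ID and authentication-strength ID are Microsoft's well-known built-in values.

```powershell
# Added example: create "block legacy auth" and "phishing-resistant MFA for Global Admins"
# in report-only mode. Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$BreakGlassUpn = "breakglass@business.example"   # placeholder: your emergency-access account
$BreakGlass    = Get-MgUser -UserId $BreakGlassUpn

$GlobalAdminRole   = "62e90394-69f5-4237-9190-012177145e10"   # well-known Global Administrator template ID
$PhishingResistant = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" strength

# Policy 1: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types that cannot complete an MFA challenge.
$BlockLegacy = @{
    displayName = "CA001 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: anyone holding Global Administrator must satisfy the phishing-resistant
# authentication strength (FIDO2 key, Windows Hello for Business, certificate).
$AdminMfa = @{
    displayName = "CA002 - Phishing-resistant MFA for Global Administrators"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = @($GlobalAdminRole); excludeUsers = @($BreakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $PhishingResistant }
    }
}

foreach ($Policy in @($BlockLegacy, $AdminMfa)) {
    $Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    Write-Host "Created '$($Created.DisplayName)' in state $($Created.State)"
}
```

Review the report-only results in the sign-in logs for a few days, confirm the break-glass account is listed under "Excluded users" in both policies, and only then change the state to "enabled".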
4. No persistent local administrators on workstations
This is the one that overlaps with privilege escalation bugs like GreenPlasma. Every ransomware case study I have ever read has a step in it where the attacker has code running as a standard user and needs to become Local System on the machine. Sometimes they do it with a zero-day. Most of the time they just notice that the user is also a local administrator, and "elevate" by re-running their code with a UAC prompt the user obediently approves.
The fix is to remove standing local administrator rights from every regular user account. The user can no longer install software, run elevated PowerShell, or accept their way through a UAC prompt to give an attacker SYSTEM. The local admin password is randomized and rotated by Microsoft Entra's built-in LAPS (Local Administrator Password Solution), so when IT actually needs admin on a specific machine, the password is retrievable from the Entra portal and rotates afterward.
The objection I hear: "But Ulises, my users need to install software." The honest answer is that they don't, most of the time. The cases where they do (a contractor installs a vendor tool, a designer needs to install a plug-in) are exceptions you can handle with a just-in-time elevation tool (CyberArk EPM, AutoElevate, Microsoft's Endpoint Privilege Management) or by IT installing it. Removing standing admin is the single highest-leverage workstation control I know of.
5. Legacy authentication off, tenant-wide
Legacy authentication is the catch-all term for the older Microsoft protocols that predate MFA: Basic auth on SMTP/IMAP/POP3, older Outlook clients (Outlook 2010 and earlier), older ActiveSync, the legacy Exchange Web Services flow. They are the path of least resistance for an attacker who has a valid password and wants to skip MFA entirely. Microsoft has been deprecating them for years, and as of 2026, most are off by default in new tenants. They are not off in older tenants.
Audit it. In the Entra ID portal, look at sign-in logs filtered for "Client app" = "Other clients." Anything showing up there is using legacy auth. Almost always it is a service account, an old printer, or an SMTP relay. Replace the legitimate uses with modern equivalents (OAuth, Microsoft Graph, SMTP AUTH submission with app password or modern auth) and disable legacy auth at the tenant level. The Conditional Access policy in the previous section enforces it; the underlying tenant setting makes it default-off.
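The same audit, scripted, as an added example that is not part of the original post: it pulls 30 days of interactive sign-ins through Microsoft Graph, keeps everything that is not a modern browser or desktop client (the portal's "Other clients" bucket), and summarizes one row per account and protocol so you have the list of printers, relays and service accounts to migrate. The Exchange Online commands at the end are the tenant-level switch and should run only after that list is empty.

```powershell
# Added example: inventory legacy-auth sign-ins, then block Basic auth tenant-wide.
# Requires the Microsoft.Graph and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Modern clients report one of these two values; every other value (IMAP4, POP3,
# Authenticated SMTP, Exchange Web Services, ActiveSync...) is a legacy protocol.
$ModernClients = @("Browser", "Mobile Apps and Desktop clients")
$Since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$Legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $Since" -All |
    Where-Object { $_.ClientAppUsed -and ($ModernClients -notcontains $_.ClientAppUsed) }

# One row per (account, protocol), newest sign-in and its source IP included,
# so each row can be traced to a device or integration and replaced.
$Legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $Newest = ($_.Group | Sort-Object CreatedDateTime -Descending)[0]
        [pscustomobject]@{
            User     = $Newest.UserPrincipalName
            Protocol = $Newest.ClientAppUsed
            SignIns  = $_.Count
            LastSeen = $Newest.CreatedDateTime
            LastIp   = $Newest.IPAddress
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize

# Tenant-level switch: run only after every row above has been migrated or retired.
Connect-ExchangeOnline
# An authentication policy created with no Allow*BasicAuth switches blocks Basic auth
# for every protocol; making it the default applies it to all mailboxes.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
# Turn off SMTP AUTH tenant-wide; re-enable per mailbox only for a vetted relay.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

Get-MgAuditLogSignIn returns interactive user sign-ins by default; a relay that authenticates as a service principal will not appear here and needs the Enterprise Applications sign-in view instead.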
What it costs and what it does not
Here is the rough math for a 5-person business that today has Microsoft 365 Business Basic or Business Standard and not much else:
- Microsoft 365 Business Premium upgrade: roughly $22 per user per month. For 5 users, about $1,320 per year. This gets you Entra ID Plan 1, Conditional Access, Intune, Defender for Business, and Defender for Office 365 Plan 1.
- FIDO2 hardware keys: $25-$50 per key. Buy two keys per admin account (lost-key insurance). For two admin accounts, four keys: $100-$200 one-time.
- Labor to configure: one to two engineer-days, depending on how messy the starting state is and how many shared mailboxes and legacy integrations are in scope.
For comparison, the median incident-response engagement for a small-business ransomware case I see runs $25,000 to $75,000, plus downtime, plus the chance of a breach notification that requires lawyers and customer letters. The math on prevention is not subtle.
What this does not solve: insider threats, supply-chain breaches at your vendors, malicious browser extensions, social-engineering attacks where the attacker calls your bookkeeper and convinces them to wire money. Identity hardening is necessary, not sufficient. It overlaps significantly with the cybersecurity mistakes I see in almost every small business, and it is part of the broader posture covered in our cybersecurity services page. If you want the recovery side of the plan, start with backup and disaster recovery.
What to do this week
- Today: turn on Security Defaults if you have not already (Entra admin portal › Properties › Manage Security Defaults). This is the absolute floor and is free. If you have Conditional Access in place, leave Security Defaults off and rely on the policies.
- Today: create a break-glass account. Long random password (40+ characters), no MFA, excluded from every Conditional Access policy you ever create. Store the password somewhere that survives a tenant outage (a printout in the safe is fine).
- This week: order FIDO2 hardware keys for every admin account and the owner's daily account.
- This week: identify every Global Administrator in the tenant. Most small business tenants have more than they should. The right number is two: the owner's separated admin account and one IT-provider account. Everyone else gets a least-privilege role.
- This week: turn on the four core Conditional Access policies (block legacy auth, require MFA, geo-block where appropriate, require compliant device for admin portals). Test each one with the break-glass account in scope before rolling it tenant-wide.
- This month: audit local administrators on every workstation. Remove standing rights, deploy Microsoft LAPS for Entra, document the process for the cases that legitimately need elevation.
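For the "identify every Global Administrator" step above, and for the section 1 rule that every admin gets phishing-resistant MFA, here is an added read-only audit (not code from the original post) that lists standing Global Administrator members and flags any who have not registered a FIDO2 key or Windows Hello for Business. It uses the Graph authentication-methods registration report; the method names checked are the values that report uses, and PIM eligible assignments are not covered.

```powershell
# Added example: who holds Global Administrator, and which of them lack a
# phishing-resistant method. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

# Standing (active) Global Administrator assignments.
$GaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$GaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $GaRole.Id -All
Write-Host "Global Administrators: $($GaMembers.Count) (target for a small tenant: 2)"

# Tenant-wide registration report, one call, keyed by user id for lookup.
$Registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $Registration[$_.Id] = $_ }

# Method names the report uses for phishing-resistant credentials
# ("passKeyDeviceBound" is the newer passkey name; the first two are the classic ones).
$PhishingResistant = @("fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound")

$GaMembers | ForEach-Object {
    # Role members are directoryObjects; users carry their UPN in AdditionalProperties.
    $Upn = $_.AdditionalProperties["userPrincipalName"]
    if (-not $Upn) { $Upn = "(non-user principal $($_.Id))" }
    $Reg     = $Registration[$_.Id]
    $Methods = if ($Reg) { @($Reg.MethodsRegistered) } else { @() }
    $HasPr   = @($Methods | Where-Object { $PhishingResistant -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Admin             = $Upn
        MfaRegistered     = if ($Reg) { $Reg.IsMfaRegistered } else { $false }
        PhishingResistant = $HasPr
        Methods           = ($Methods -join ", ")
        Action            = if ($HasPr) { "OK" } else { "Enroll FIDO2 key or WHfB, or move to a lesser role" }
    }
} | Format-Table -AutoSize
```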
The honest take
Identity hardening is not exciting work. Nobody puts a press release out about the day they removed standing local admin rights or finally turned on a Conditional Access policy. The reason it matters is that the alternative is the press release nobody wants: the breach notification, the customer letter, the carrier non-renewal. Every small business I have helped after a Microsoft 365 compromise has been one Conditional Access policy and one FIDO2 key away from the incident never happening.
The 5-person business has an advantage here, weirdly. The fewer accounts, devices, and integrations you have, the less there is to lock down. A two-day project in a 5-person environment is the same project that becomes a six-month rollout in a 200-person environment. The window when this work is easy and cheap is the window you are in right now. The window when it becomes expensive is the day after the breach.
If you are reading this and want a second opinion on where your tenant actually stands, that is what we do for small businesses across Salinas, Monterey, Santa Cruz, and the rest of the Central Coast. The 30-minute call is free, the answer is written, and the answer is yours to take to whoever you want to implement it.
FAQs about identity hardening for small business
What does "identity hardening" actually mean?
Identity hardening is the practice of making it harder for an attacker to sign in as your users, and less rewarding when they do. In practical terms for a small business that means phishing-resistant multi-factor authentication, Conditional Access policies that gate sign-ins, separation between everyday accounts and admin accounts, no persistent local administrators on workstations, and legacy authentication protocols disabled across the tenant.
Is MFA enough?
Not by itself anymore. Push-notification MFA is increasingly bypassed by push bombing and adversary-in-the-middle phishing kits that proxy the legitimate sign-in and steal the session token. The defensible posture in 2026 is phishing-resistant MFA (FIDO2 hardware keys or Windows Hello for Business) on admin accounts at minimum, paired with Conditional Access that requires a compliant device and blocks legacy authentication.
What does this cost for a 5-person business?
The realistic floor is Microsoft 365 Business Premium at approximately $22 per user per month, which bundles Entra ID Plan 1, Conditional Access, Defender for Business, and Intune. For 5 users that is about $1,320 per year of licensing. Add $100 to $200 one-time for FIDO2 keys on admin accounts. The labor to configure it well is the larger cost and is usually the reason it does not get done.
Why do you keep talking about "no persistent local admins"?
Because almost every ransomware case study has the same step in it: an attacker lands code as a regular user, finds that user is also a local administrator on their workstation, and uses that local admin to dump credentials and move laterally. Removing standing local admin rights on user laptops is one of the highest-leverage controls a small business can put in place. Microsoft LAPS for Entra makes it manageable without breaking IT troubleshooting.
Do I need separate admin accounts?
Yes. The owner who uses one account for daily email and also for Microsoft 365 tenant administration is one phishing click away from handing the keys to the attacker. The fix is to make a dedicated admin account that is used only for admin work, ideally with phishing-resistant MFA and Conditional Access scoped to compliant devices. The everyday account does not have admin rights and therefore cannot be tricked into using them.
What if a user loses their FIDO2 key?
That is why you buy two and enroll both, and why you have a break-glass account. The user falls back to their second key, or to a strong MFA method while a replacement is ordered. The break-glass account is for the worst case where every admin is locked out. Plan for the lost key on day one; the cost is small and the alternative is a stuck tenant.
Want a real identity-hardening review of your tenant?
30 minutes with a DoD-cleared engineer. Honest look at your MFA, admin sprawl, Conditional Access, and local admins. Written follow-up with priorities and rough cost. No sales script.
Book your free assessment. Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.