- Most breaches start with a stolen or guessed password, so sign-in controls matter more than antivirus.
- Entra ID Plan 1 provides MFA, conditional access, single sign-on, and self-service password reset in Business Premium.
- Conditional access can block risky logins by context, like an unknown device signing in from another continent at night.
- The protection only exists once someone enforces MFA for all users and defines the conditional-access policies.
The most valuable security tool in Microsoft 365 Business Premium isn't antivirus. It's identity, the system that decides who gets in, from where, and how. It's called Microsoft Entra ID, and Business Premium includes the Plan 1 tier that small businesses rarely use to the full.
Why identity is the front door
Most breaches don't start with someone defeating your antivirus. They start with a stolen or guessed password. So the controls around how people sign in matter more than almost anything else, and Entra ID Plan 1 gives you the good ones:
- Multi-factor authentication (MFA): a second proof of identity beyond the password, which blocks the large majority of account-takeover attempts on its own.
- Conditional access: rules that decide whether to allow, challenge, or block a sign-in based on context, like the country it's coming from, whether the device is known and healthy, or how risky the attempt looks.
- Single sign-on: one secure identity across your apps, so people aren't reusing the same weak password in ten places.
- Self-service password reset: users recover their own accounts safely, instead of filing a ticket and waiting.
The combination that matters most: MFA on everyone, plus conditional access that quietly blocks the logins that have no business happening, like a sign-in from another continent, on an unknown device, in the middle of the night. Together they shut the front door that most attacks walk through.
The catch: it has to be configured
Entra ID Plan 1 is in the box, but the protection only exists once someone sets the policies: enforce MFA for all users, define the conditional-access rules, and enroll people in self-service reset. Out of the box, it's potential, not protection. That setup, and keeping it tuned as the business changes, is a core part of what managed and co-managed IT delivers.
It also pairs with a change worth making while you're in there: retiring forced password expiration, which Microsoft and federal guidance now discourage, in favor of MFA and reset-on-compromise.
What to do about it
Two questions tell you where you stand: is MFA truly enforced for every account, with no exceptions, and do you have conditional-access rules blocking obviously risky sign-ins? If either answer is fuzzy, the controls you're paying for aren't fully working.
If you'd like to know whether your identity protection is actually switched on and tuned, we're happy to check. Let's talk it through.