Identity attacks are no longer a question of “if”; they’re a question of “when.” Microsoft’s Digital Defense Report recorded 600 million identity-based attacks every single day in 2024. In fact, 93% of all cyberattacks now target identity systems, and 58% of organizations expect that number to grow. If your organization relies on Microsoft Entra ID, which virtually every modern enterprise does, you need a plan not just to resist these attacks, but to recover from them quickly and completely when one gets through.
This post walks through exactly how these attacks happen, where most organizations are exposed without realizing it, and what real recovery looks like.
Identity is Your New Perimeter
For years, enterprise security investment flowed toward the network edge, including firewalls, intrusion detection, and perimeter hardening. Now, that model is obsolete. With the shift to SaaS-based applications like Microsoft 365, Salesforce, Workday, and ServiceNow, the perimeter has moved. Today, your perimeter is your identity layer.
Microsoft Entra ID sits at the center of almost every modern organization. It controls who your users are, what groups they belong to, what applications they can access, and how every system authenticates against every other one via single sign-on. Breach Entra ID, and you haven’t just compromised one system; you’ve handed an attacker the keys to your entire connected environment.
The rise of AI agents and non-human identities means organizations will soon manage dozens of machine identities for every human user. Some analysts predict up to a hundred. Either way, each one of these machine identities is a potential attack surface, and each one needs to be protected.
How Fast an Attacker Can Own Your Environment
The most dangerous identity attacks don’t look like attacks at first. Consider what’s known as a watering hole attack, a technique that’s becoming increasingly common among sophisticated threat groups.
These attacks start on legitimate websites like LinkedIn, which is where the “watering hole” comes into play. An attacker creates a convincing fake company with a professional page, targeted advertising, and a value proposition calibrated to appeal to IT administrators or infrastructure managers. This ad surfaces in the feeds of people who are most likely to have elevated Entra ID privileges. If someone clicks through, the site looks legitimate.
The victim is often prompted to authenticate their work account to access a “free AI-powered audit.” They use the standard Microsoft device login flow, which is the same process they use every day. No suspicious email, no unusual-looking link, and no malware download. Just a normal OAuth consent prompt that, once approved, hands the attacker a valid authentication token. It is worth noting that this is a numbers game: not every potential victim will have the elevated rights required, but enough of them do to make this scam a lucrative business.
From this point, the timeline is brutal:
- Token captured. The attacker can now read the victim’s personal emails, access their OneDrive, and begin elevating beyond the context of that single user.
- Persistence installed. Because personal tokens expire, the attacker registers a backdoor application inside the tenant with elevated and more global permissions. Even if the victim changes their password, access remains.
- Lateral movement begins. With application-level permissions, the attacker can enumerate every user in the directory, access any OneDrive, modify user attributes, and delete data across the organization.
- Rogue admin created. A new global administrator account is inserted into the tenant with multi-factor authentication (MFA) disabled. The attacker now has their own durable credentials.
- SSO exploited. Because Entra ID controls single sign-on, that rogue admin account can be added to any enterprise application, including Salesforce, Workday, and ServiceNow. The breach spreads beyond Microsoft 365 entirely.
All of this can happen in minutes, and increasingly, AI is accelerating every stage of it. In AI-powered attacks, data exfiltration now happens three times faster, with an unmatched ability to identify high-value data from reconnaissance all the way through to extraction.
Here is the part most IT teams don’t fully internalize until it’s too late: Microsoft secures the platform, but you’re responsible for what’s inside it.
Microsoft guarantees uptime, resilience, and security updates for the Entra ID and Microsoft 365 infrastructure. That is their job, and they do it well. That said, the identity objects inside your tenant, including your users, groups, roles, application registrations, and audit logs, are still your responsibility. The data your organization creates inside SharePoint, OneDrive, Exchange, and Teams is also yours. Microsoft’s built-in retention is short, typically 30 days or less, and has significant gaps in granularity, so it offers little resilience when it comes to protecting your data.
This is the same shared responsibility model that applies to virtually every SaaS platform you use. Salesforce is responsible for Salesforce uptime, but you are ultimately responsible for your Salesforce data.
Most IT organizations have internalized this for traditional infrastructure. They back up their file servers, they back up their virtual machines (VMs), and they have recovery plans for on-premises systems. But identity? Entra ID? That still gets treated as infrastructure that “just works,” right up until it doesn’t.
Recovery is the Strategy
Preventing every identity attack is not a realistic goal. The threat volume is too high, the techniques too varied, and AI is making attackers faster and more targeted with every month that passes. The organizations that will weather these attacks best are the ones that can recover to a clean state quickly, minimize business disruption, and limit the blast radius.
What does this recovery actually look like in practice?
Entra ID recovery needs to be granular. After an attack, you may need to restore specific user attributes that were modified, such as a job title, department, or group membership, without overwriting everything else. You may need to roll back application registrations, remove rogue service principals, or restore deleted users while blending your backup data with whatever short-term retention Microsoft still has available. A manual recovery at this level doesn’t scale, and the object relationships alone make it impractical without purpose-built tooling.
Microsoft 365 recovery needs to reach every layer, including individual emails, specific OneDrive files, entire mailboxes, SharePoint sites, their permissions, and Teams data. It needs to support flexible restore options too, including back to the original location, to an alternate location, or downloaded directly for forensic purposes.
SaaS recovery, such as restoring deleted Salesforce records or modified account data, needs to sit within the same unified workflow. When an attacker pivots Entra ID into Salesforce via SSO, your recovery can’t stop at Microsoft.
Audit log preservation is often overlooked but critically important. Entra ID sign-in logs and audit logs capture who signed in from where, what changes were made, and what applications were accessed. Microsoft retains these for 30 days by default. If a breach is discovered 90 or 200 days later, however, those logs are gone. An independent backup that retains them indefinitely gives your security team, forensic investigators, and potentially your cyber insurance provider the evidence trail they need.
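To make the timeline above and the value of retained audit logs concrete, here is an added example (not code from this post or from Veeam) that runs a small detector over constructed, simplified Entra ID audit log records: it maps consent grants, service principal creation, user creation, and Global Administrator role assignment to the stages of the chain, attributes actions taken by a newly registered app back to the user who registered it, and alerts when one actor completes several stages inside a short window. The field names follow the general shape of Entra audit records, but the schema is simplified and every value is invented; it also assumes the logs have been exported somewhere the script can read them.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in a simplified form of the Entra ID audit log schema (assumed fields:
# activityDateTime, activityDisplayName, initiatedBy, targetResources); every value below is invented.
SAMPLE_LOG = json.loads("""[
 {"activityDateTime":"2025-03-04T09:12:05Z","activityDisplayName":"Consent to application",
  "initiatedBy":{"user":{"userPrincipalName":"it.admin@contoso.example"}},"targetResources":[{"displayName":"Free AI Audit"}]},
 {"activityDateTime":"2025-03-04T09:14:40Z","activityDisplayName":"Add service principal",
  "initiatedBy":{"user":{"userPrincipalName":"it.admin@contoso.example"}},"targetResources":[{"displayName":"Sync Helper"}]},
 {"activityDateTime":"2025-03-04T09:20:11Z","activityDisplayName":"Add user",
  "initiatedBy":{"app":{"displayName":"Sync Helper"}},"targetResources":[{"displayName":"svc-backup2"}]},
 {"activityDateTime":"2025-03-04T09:21:02Z","activityDisplayName":"Add member to role",
  "initiatedBy":{"app":{"displayName":"Sync Helper"}},"targetResources":[{"displayName":"svc-backup2",
  "modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\\"Global Administrator\\""}]}]},
 {"activityDateTime":"2025-03-04T11:00:00Z","activityDisplayName":"Update user",
  "initiatedBy":{"user":{"userPrincipalName":"hr.user@contoso.example"}},"targetResources":[{"displayName":"hr.user@contoso.example"}]}
]""")

# Audit activities mapped to the stages of the attack chain described in the post.
STAGES = {"Consent to application": "token captured",
          "Add service principal": "persistence installed",
          "Add user": "rogue account created"}

def stage_of(event):
    """Classify one audit record; a role addition only counts when the role is Global Administrator."""
    if event["activityDisplayName"] == "Add member to role":
        props = [p for r in event["targetResources"] for p in r.get("modifiedProperties", [])]
        return "rogue admin created" if any("Global Administrator" in p.get("newValue", "") for p in props) else None
    return STAGES.get(event["activityDisplayName"])

def detect_chain(events, window=timedelta(minutes=30), min_stages=3):
    """Return {actor: [stages in order]} for actors completing >= min_stages distinct stages inside window.
    Actions initiated by an app are attributed to the user who registered that app (the backdoor pattern)."""
    app_owners, timeline, alerts = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        who = ev["initiatedBy"]
        actor = who["user"]["userPrincipalName"] if "user" in who else app_owners.get(who["app"]["displayName"], "app:" + who["app"]["displayName"])
        if ev["activityDisplayName"] == "Add service principal":
            app_owners[ev["targetResources"][0]["displayName"]] = actor
        if (stage := stage_of(ev)) is not None:
            ts = datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            timeline.setdefault(actor, []).append((ts, stage))
    for actor, hits in timeline.items():
        for i, (start, _) in enumerate(hits):
            # Distinct stages reached within the window, in chronological order of first occurrence.
            stages = list(dict.fromkeys(s for t, s in hits[i:] if t - start <= window))
            if len(stages) >= min_stages:
                alerts[actor] = stages
                break
    return alerts
```

Calling `detect_chain(SAMPLE_LOG)` attributes the whole chain to it.admin@contoso.example and leaves the unrelated HR change unflagged; note that the detector can only see as far back as the logs you have kept.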
Veeam Data Cloud was built to address this recovery problem. It is a unified, subscription-based platform that protects Entra ID, Microsoft 365, Salesforce, and other workloads from a single interface, with granular restore capabilities, immutable encrypted storage, and advanced threat detection that monitors for anomalies in backup data in real time.
FAQs
Can Microsoft recover my Entra ID if it’s compromised?
Microsoft provides limited and short-term recovery capabilities, typically a recycle bin for recently deleted objects with a retention window of around 30 days. There is no native capability to restore specific object properties (like modified user attributes), recover application registrations at a granular level, or restore data beyond that short retention window. For a comprehensive recovery, an independent backup solution is required.
What’s the difference between Microsoft’s built-in retention and independent backup?
Microsoft’s built-in retention is designed for accidental deletion scenarios within a short timeframe. It is not designed for recovering from a sustained attack, restoring configurations that were modified rather than deleted, or preserving audit logs for forensic purposes beyond 30 days. An independent backup gives you a separate, immutable copy of your identity and data estate that sits outside the compromised environment, which is exactly what you need when the environment itself has been breached.
How do identity attacks lead to SaaS breaches like Salesforce?
Entra ID controls single sign-on for most enterprise SaaS applications. When an attacker gains sufficient access to an Entra ID tenant, they can enumerate all enterprise applications that are configured for single sign-on, add their own account to any of those applications, and authenticate directly as a legitimate user without ever touching Salesforce’s own security controls. The breach of Entra ID is the breach of everything connected to it.
What should I back up to recover from an identity attack?
At minimum: all Entra ID objects (users, groups, roles, application registrations, service principals), Microsoft 365 data (Exchange, OneDrive, SharePoint, Teams), Entra ID sign-in and audit logs, and any SaaS applications connected via single sign-on that contain business-critical data. The audit logs in particular are frequently overlooked, but they are your forensic record of what happened and when.
How quickly can an attacker move after gaining an OAuth token?
Extremely quickly. With a valid OAuth token of a user with adequate access permissions, an attacker can enumerate your entire user directory, access data across multiple users’ mailboxes and OneDrives, install persistence mechanisms, create rogue admin accounts, and pivot to connected SaaS applications, all within a single session. This is not a slow, methodical breach. It is rapid, and the window for detection before significant damage is narrow.
See the Attack (and Recovery) for Yourself
If you want to see exactly how this unfolds in a real environment, I ran a live product demo that walks through the full scenario I described in this post. It covers the watering hole attack from initial lure to rogue admin creation, lateral movement into Salesforce single sign-on, and then the complete recovery workflow inside Veeam Data Cloud, including Entra ID, Microsoft 365, and Salesforce, all from a single interface.
The on-demand recording is available here: Under Attack: Simulating, Surviving and Restoring from an Identity Threat
It runs about 50 minutes and is worth watching with your team, particularly anyone who owns the identity or backup conversation in your organization.
Treat Identity Like Infrastructure
You already back up your VMs, you already have recovery plans for your file servers and databases, and you treat those systems as infrastructure: critical, recoverable, protected.
Your Entra ID tenant is infrastructure. Your Microsoft 365 environment is infrastructure. The identity layer that controls access to every system in your organization is infrastructure. It deserves the same level of protection, the same recovery planning, and the same independent backup strategy you apply to everything else.
Identity attacks are happening at scale, they are accelerating, and they will affect your organization. The question is whether you’ll be in a position to recover cleanly when they do, or whether you’ll be rebuilding from scratch, without logs, without granular restore points, and without the independent copy that sits outside the compromised environment.
The time to answer that question is before the attack, not after.