For years, security leaders have warned that “the perimeter is obsolete.” In 2025, the rise of AI and identity as a new attack surface confirms something even more consequential: The perimeter did not disappear; it only moved. Today, the perimeter is identity.
Every employee, application, service principal, device policy, and access rule now defines an organization’s exposure. Backed by insights from more than 100 trillion daily security signals, the Microsoft Digital Defense Report has become one of the most authoritative views into how modern cyberattacks actually unfold. Its latest findings make one thing unmistakably clear: Cyber risk is no longer confined to IT. Rather, it’s an enterprise risk that belongs in boardroom discussions.
In this blog, we take a look back at how the identity threat landscape has changed across 2025, and outline why identity-first resilience across IAM solutions such as Microsoft Entra ID and SaaS platforms will define security strategies going into 2026.
TLDR: The 2025 Identity Shifts You Cannot Ignore
- Attackers are no longer breaking in; they’re logging in. Stolen credentials and trusted access paths allow adversaries to blend in as legitimate users.
- Identity attacks are accelerating rapidly: Microsoft reported more than 600 million identity-based attacks per day in 2024, followed by a 32% increase in the first half of 2025.
- Cloud environments are under direct attack: Campaigns are designed to disrupt cloud workloads through mass deletion, and ransomware has increased by 87%.
- AI is amplifying social engineering at scale: AI-generated phishing campaigns achieved click-through rates as high as 54%.
- Identity-first data resilience is no longer optional: 2025 showed that prevention alone is insufficient, making recovery speed across identity and cloud workloads a critical security metric.
It’s No Longer a Hack; It’s a Login.
One of the most important shifts between the 2024 and 2025 Digital Defense Reports is the behavior of attacks. Bad actors have learned that exploiting trust is easier than exploiting infrastructure.
Instead of breaching firewalls or deploying malware, attackers now manipulate users and help desks. Techniques such as device code phishing and ClickFix prompts exploit familiar authentication workflows. Victims are tricked into completing legitimate login actions on behalf of the attacker.
Because these attacks rely on valid credentials, tokens, and approved access paths, they often evade traditional security controls. From a detection standpoint, nothing appears abnormal. From a business standpoint, everything is already compromised.
Once attackers establish an identity foothold, they then move laterally across your organization’s most critical workloads like Microsoft 365, Salesforce, and other connected SaaS platforms. The 2025 report highlights the fact that more than 40% of ransomware attacks now involve hybrid components, which enables attackers to traverse on-premises and cloud environments while targeting recovery paths.
This is one key reason why protecting Microsoft Entra ID configurations is no longer merely a best practice; it’s a requirement. For more information on why Entra ID data protection is a critical need for all organizations, read our whitepaper, 6 reasons for Entra ID Backup.
Accelerated by AI: Social Engineering as the Primary Entry Point
Microsoft continues to report that identity-based attacks remain the dominant entry vector, with social engineering at the center of most successful compromises. What has changed is its scale.
In 2025, attackers increasingly used AI to generate phishing emails, impersonation scripts, and real-time social engineering prompts that are more convincing and more difficult to detect. AI-generated phishing campaigns reached click-through rates of up to 54 percent, which has dramatically increased attacker efficiency.
These techniques do not rely on technical flaws. Rather, they rely on human trust. Even trained users eventually make mistakes, especially when interactions appear legitimate and time sensitive.
From a resilience perspective, this shifts the security conversation too. Prevention alone is not enough. Organizations must assume that credentials, sessions, and identity objects will be compromised and ensure they can recover quickly when that happens.
Malicious OAuth Applications: Trusted Access That Persists Undetected
Rather than repeatedly stealing credentials, attackers register or compromise OAuth apps that request legitimate permissions. Once approved, these applications can maintain persistent access without triggering multi-factor authentication (MFA) challenges or frequent reauthentication. In many cases, access remains active long after the initial compromise.
OAuth abuse is especially dangerous because permissions often extend beyond a single platform. A malicious application can provide API-level access to Microsoft 365, Azure resources, Salesforce, and other SaaS platforms that are connected through identity federation.
From the attacker’s perspective, OAuth abuse enables:
- Long-lived access that survives password resets.
- Visibility into large volumes of business data.
- Lateral movement across SaaS environments without malware.
For an organization, removing the application stops future access but does not address the damage already done. Data may have been exfiltrated, modified, or deleted across multiple platforms.
This is where identity resilience must extend beyond Entra ID itself. When identity is the control plane for SaaS access, recovery must include the downstream workloads that identity enables.
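A defender's review of the delegated consent grants described above, as an added example that is not part of the original post or any Veeam or Microsoft tooling. It assumes records shaped like Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` objects; the IDs, app names, tenant values and the `DATA_SCOPES` review list are constructed for illustration.

```python
# Added example: review delegated OAuth grants for persistence-friendly access.
# Shapes follow Graph oauth2PermissionGrant / servicePrincipal; all values constructed.
# Assumption: a local review list of data-bearing scopes, not a Microsoft list.
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
               "Files.ReadWrite.All", "Directory.ReadWrite.All"}
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

SERVICE_PRINCIPALS = [
    {"id": "sp-001", "displayName": "Contoso HR Portal",
     "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-002", "displayName": "PDF Converter Pro",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
    {"id": "sp-003", "displayName": "Mail Merge Helper",
     "appOwnerOrganizationId": HOME_TENANT},
]
GRANTS = [
    {"clientId": "sp-001", "consentType": "Principal", "scope": "User.Read openid"},
    {"clientId": "sp-002", "consentType": "AllPrincipals",
     "scope": " Mail.Read offline_access Files.ReadWrite.All"},
    {"clientId": "sp-003", "consentType": "Principal",
     "scope": "Mail.Send offline_access"},
    {"clientId": "sp-404", "consentType": "Principal", "scope": "Mail.ReadWrite"},
]

def audit_grants(grants, service_principals, home_tenant):
    """Return grants that carry data scopes, most concerning first."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = set((grant.get("scope") or "").split())
        risky = sorted(scopes & DATA_SCOPES)
        if not risky:
            continue  # sign-in only grants are outside this review
        sp = by_id.get(grant["clientId"])
        reasons = []
        if sp is None:  # grant points at a client we cannot identify
            reasons.append("client service principal missing")
        elif sp.get("appOwnerOrganizationId") != home_tenant:
            reasons.append("app owned by external tenant")
        if grant.get("consentType") == "AllPrincipals":
            reasons.append("tenant-wide consent")
        if "offline_access" in scopes:
            reasons.append("refresh tokens permitted")
        findings.append({"client": grant["clientId"], "scopes": risky, "reasons": reasons,
                         "app": sp["displayName"] if sp else "<unknown>"})
    return sorted(findings, key=lambda f: -len(f["reasons"]))

if __name__ == "__main__":
    print(*audit_grants(GRANTS, SERVICE_PRINCIPALS, HOME_TENANT), sep="\n")
```

Grants are ranked by how many review reasons they accumulate, so a tenant-wide grant to an externally owned app that can also obtain refresh tokens sorts to the top.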
Non-Human Identities: The Fastest Growing and Least Governed Risk
The 2025 Digital Defense Report also draws attention to the growing role of non-human identities, including service principals, managed identities, applications, and automation accounts.
In many organizations, non-human identities now outnumber human users. These identities often have broad permissions, limited visibility, and long lifespans. They are also rarely protected by MFA and are frequently exempt from standard monitoring. To learn more about best practices for managing non-human identities and other over-provisioned accounts, read our blog on Identity Management.
Attackers target these identities because they offer high-impact access with low scrutiny. When a service principal or application identity is compromised, the blast radius can span Azure resources, SaaS platforms, and administrative operations. Since non-human identities behave programmatically by design, malicious activity often blends in with normal automation traffic.
When protecting your Identity and Access Management (IAM) solutions such as Microsoft Entra ID, be sure to find a solution that covers applications, service principals, roles, and related identity objects. This enables organizations to restore identity configurations and permissions when non-human identities are abused, deleted, or misconfigured.
Why Identity Resilience is Now a Boardroom Issue
When identity fails, business operations stop. Access can be lost, security controls can collapse, and productivity halts.
Microsoft’s Digital Defense Report recommends managing cyber risk at the board level, treating it with the same seriousness as financial or regulatory risk. When identity compromise leads to an 87% increase in cloud disruption, recovery speed becomes a critical business metric.
Boards must ask a critical question: How fast can we recover our identity environment if it is compromised? If recovery depends on days of manual rebuilding, the risk profile is unacceptable.
Enabling Identity-First Resilience with Veeam
The Entra ID Shared Responsibility Model notes that while Microsoft covers the availability of the Entra ID service, the data, configurations, and policies within each tenant remain the customer’s responsibility.
Veeam Data Cloud for Microsoft Entra ID addresses this gap by delivering backup and recovery for:
- Users, groups, and roles.
- Applications and service principals.
- Conditional access policies.
- Microsoft Intune policies.
- Audit and sign-in logs.
When paired with SaaS platform protection such as Microsoft 365 and Salesforce, organizations gain resilience across both the identity control plane and the data it governs. This future-proof protection strategy ensures that identity attacks become recoverable and relatively routine operational events rather than business-ending crises.
To learn more about Veeam Data Cloud for Entra ID, click here.