When it comes to identity security in Microsoft 365, the landscape is often unclear, especially when some vendors lean into half-truths or selectively presented data to market their products.
At Huntress, we prioritise clarity and accuracy in security guidance. To that end, we are addressing several prevalent misconceptions surrounding Microsoft 365 and identity security. Assertions such as “logins represent only two per cent of the data” or “multifactor authentication eliminates the need for additional protections” are typical examples of these myths. The following section provides a concise, factual breakdown to help organisations navigate these issues with greater confidence.
Myth 1: Huntress only looks at logins in Microsoft 365
Truth: Logins are just the tip of the iceberg.
Yes, login events are important, but they’re far from the only signal Huntress Managed ITDR pays attention to. Our telemetry includes signals from Azure Active Directory and Microsoft Exchange, covering a range of events from group membership changes and role escalations to suspicious inbox rules and mailbox permission updates.
In fact, while login events help us spot the early stages of compromise, mailbox events often give you the downstream context, like malicious inbox rules. But we’re not stopping there. We’re actively expanding into Microsoft SharePoint, OneDrive and additional Microsoft event categories to make sure defenders have visibility across the entire kill chain. We also detect Rogue Apps (malicious OAuth applications), a new form of telemetry that we build from disparate data sources scattered across the average tenant.
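To make the "downstream context" of mailbox events concrete, here is an added example (not Huntress code, and not the real Exchange audit schema) of a small inbox-rule triage routine. It runs over constructed rule records with assumed field names (`forward_to`, `delete`, `move_to_folder`, `subject_contains`, `mark_as_read`) and flags the patterns defenders typically look for after a mailbox compromise: external auto-forwarding, and rules that delete or hide messages matching sensitive keywords. `TENANT_DOMAINS` and the keyword and folder lists are assumptions you would replace with your own.

```python
# Constructed sample data and assumed field names; not a real audit-log schema.
TENANT_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains

# Keywords attackers commonly match on to suppress warnings or finance mail.
SUSPICIOUS_KEYWORDS = {"password", "invoice", "payment", "security alert", "mfa", "hacked"}

# Folders rarely read by users, so messages moved there are effectively hidden.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive",
                  "conversation history", "junk email", "deleted items"}


def triage_rule(rule: dict) -> list[str]:
    """Return a list of human-readable findings for one inbox rule (empty = nothing odd)."""
    findings = []
    name = rule.get("name", "<unnamed>")

    # 1. Forwarding to an address outside the tenant is the classic exfiltration path.
    for addr in rule.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in TENANT_DOMAINS:
            findings.append(f"{name}: forwards mail to external address {addr}")

    keywords = {k.lower() for k in rule.get("subject_contains", [])}
    hits = keywords & SUSPICIOUS_KEYWORDS
    folder = rule.get("move_to_folder", "").lower()

    # 2. Deleting messages that match sensitive keywords hides alerts or invoices.
    if rule.get("delete"):
        if hits:
            findings.append(f"{name}: deletes messages matching {sorted(hits)}")
        elif not keywords:
            findings.append(f"{name}: deletes all incoming mail (no subject filter)")

    # 3. Moving matching messages into a folder the user never opens.
    if folder in HIDING_FOLDERS and hits:
        findings.append(f"{name}: hides messages matching {sorted(hits)} in '{folder}'")

    # 4. Marking as read on top of delete/move removes the unread-count hint.
    if rule.get("mark_as_read") and (rule.get("delete") or folder):
        findings.append(f"{name}: marks as read while moving/deleting (suppresses unread indicator)")

    return findings


def triage_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule that produced at least one finding."""
    result = {}
    for rule in rules:
        found = triage_rule(rule)
        if found:
            result[rule.get("name", "<unnamed>")] = found
    return result


# Constructed sample rules: one benign, three suspicious.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "move_to_folder": "Reading"},
    {"name": "..", "forward_to": ["collector@attacker-mail.invalid"]},
    {"name": "Cleanup", "subject_contains": ["password", "security alert"],
     "delete": True, "mark_as_read": True},
    {"name": "Finance", "subject_contains": ["invoice"],
     "move_to_folder": "RSS Subscriptions"},
]

if __name__ == "__main__":
    for rule_name, findings in triage_rules(SAMPLE_RULES).items():
        for line in findings:
            print(line)
```

The point of the example is that each finding is explainable on its own: a single external forward or a delete-on-keyword rule is enough to prioritise the mailbox, independently of whether the login that created it looked suspicious.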
Myth 2: Conditional Access policies are all you need
Truth: Conditional Access is powerful but also fallible.
Microsoft’s Conditional Access capabilities offer impressive granular control. You can block logins from specific geographies, require device compliance, enforce strong MFA and more.
However, these controls still require correct configuration. We’ve found that 24 per cent of P1 license holders and nine per cent of P2 license holders don’t configure Conditional Access policies. And misconfigurations are more common than you’d think. One misplaced exception or oversight can create unintended security gaps.
Even experienced administrators can encounter configuration pitfalls. That’s why Managed ITDR doesn’t rely on your Conditional Access being perfect. It assumes attackers are looking for cracks in your policies and detects behaviour that slips through.
Conditional Access provides a strong baseline, but Huntress delivers the additional detection and context required to identify what slips through.
Myth 3: If you have MFA, you’re safe
Truth: MFA is no longer the bulletproof vest it once was.
Just because your users are prompted for a second factor doesn’t mean they’re immune to attacks. We regularly detect attackers bypassing MFA entirely by stealing session tokens, authenticating as the user, skipping the challenge, and setting up shop unnoticed.
Huntress Managed ITDR is purpose-built to spot these tactics, catching what traditional MFA-based defences miss, because a “successful login” does not always equate to legitimate authorisation.
Myth 4: You must detect Impossible Travel
Truth: Detecting based on velocity is useful, but not required.
Identifying scenarios such as a user appearing to log in from Florida and then France within minutes can be valuable. But focusing solely on Impossible Travel scenarios creates blind spots, especially for attackers using residential proxy networks or cloud hosts to spoof realistic locations. Additionally, deprioritising impossible travel detections reduces unnecessary noise. Location on its own is a useless data point unless you also account for the type of client address, such as a data centre or VPN.
We give our partners the flexibility to track travel anomalies where relevant, but we don’t hinge our entire detection logic on it. Instead, we look at the whole picture: session behaviours, app consent activity, inbox manipulation, role escalations and more.
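The following added example (not Huntress code) shows what a velocity-based impossible-travel check looks like once the caveat above is built in: the Florida-to-France pair is flagged, but the same pair is deliberately not flagged when either address is a data centre or VPN exit, because the geolocation of such addresses says little about where the user is. The `SignIn` record, its `ip_class` label and the 1,000 km/h threshold are assumptions for illustration; the haversine distance and velocity arithmetic are standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than commercial air travel
MIN_DISTANCE_KM = 50.0       # assumption: ignore jitter between nearby geolocations


@dataclass
class SignIn:
    """Constructed sign-in record; 'ip_class' is an assumed enrichment label
    (e.g. residential / datacentre / vpn), not a field of any real log schema."""
    user: str
    when: datetime
    lat: float
    lon: float
    ip_class: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def velocity_kmh(first: SignIn, second: SignIn) -> float:
    """Implied travel speed between two sign-ins; infinite if no time elapsed."""
    distance = haversine_km(first.lat, first.lon, second.lat, second.lon)
    hours = (second.when - first.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def impossible_travel(first: SignIn, second: SignIn) -> tuple[bool, str]:
    """Return (flagged, reason). Only residential addresses carry a usable location."""
    for s in (first, second):
        if s.ip_class != "residential":
            return False, f"location unreliable: {s.ip_class} address, velocity not evaluated"
    distance = haversine_km(first.lat, first.lon, second.lat, second.lon)
    if distance < MIN_DISTANCE_KM:
        return False, f"{distance:.0f} km apart, below minimum distance"
    v = velocity_kmh(first, second)
    if v > MAX_PLAUSIBLE_KMH:
        return True, f"{distance:.0f} km in {(second.when - first.when)} implies {v:.0f} km/h"
    return False, f"{v:.0f} km/h is within plausible travel speed"


# Constructed sample: approximate coordinates for Tampa, Florida and Paris, France.
T0 = datetime(2024, 1, 1, 9, 0, 0)
FLORIDA = SignIn("alice", T0, 27.95, -82.46, "residential")
FRANCE_10_MIN = SignIn("alice", T0 + timedelta(minutes=10), 48.86, 2.35, "residential")
FRANCE_VPN = SignIn("alice", T0 + timedelta(minutes=10), 48.86, 2.35, "vpn")
FRANCE_12_HOURS = SignIn("alice", T0 + timedelta(hours=12), 48.86, 2.35, "residential")

if __name__ == "__main__":
    for second in (FRANCE_10_MIN, FRANCE_VPN, FRANCE_12_HOURS):
        flagged, reason = impossible_travel(FLORIDA, second)
        print(f"flagged={flagged}: {reason}")
```

Treating the non-residential case as "not evaluated" rather than "not flagged" matters: the sign-in is not cleared, it is simply handed to the other signals (session behaviour, consent activity, mailbox changes) instead of being judged on a location that cannot be trusted.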
Myth 5: No tuning = less noise. That’s a good thing
Truth: One-size-fits-all security rarely fits anyone well.
Some vendors position a “lack of customisation” as an advantage; however, at scale, operational environments differ significantly, and contextual awareness becomes critical.
Huntress partners can customise what counts as expected versus unauthorised access, set travel rule exceptions and suppress alerts based on their needs. Configuration is optional but organisations managing large identity estates across diverse tenants benefit from having that flexibility.
Our experience has reinforced this approach. The first iteration of Managed ITDR had little to no customisation, but over time, scale taught us how mandatory customisation actually is for reducing noise and increasing efficacy. We believe thoughtful tuning reduces false positives and empowers you to make smarter decisions faster. No alert fatigue, no cookie-cutter detections. Just flexible, context-rich security that scales.
Final forecast: Less fog, more facts
In a world of “cloudy truths” and buzzword-laden marketing, it’s easy to get swept up in vendor claims that sound impressive on the surface. But the real question is simple: can they detect real threats, in real time, with real context, and help you respond before damage is done?
Huntress Managed ITDR was built to do exactly that. We see what others miss, deliver high-fidelity detections with human-backed response, and give you the flexibility and clarity you need to defend identities in a constantly shifting threat landscape.
Erin Meyers is principal product marketing manager and Dave Kleinatland is principal product researcher at Huntress