The Risks to Updating Passwords on Microsoft 365

Written by Brandon White on September 29, 2020

Share This Article

Microsoft 365®  is a powerful suite of productivity applications that companies offer their employees. Many of us are familiar with longstanding Office applications like Word, Excel, and PowerPoint. Beyond the Office apps, Microsoft 365 also enables end users to manage email, chat, schedule and host meetings, and store files.

With more than one million companies using the Microsoft 365 suite of apps, IT administrators and managed service providers (MSPs) must find ways to protect their end users’ core identities, especially when it comes to updating passwords. As adoption of M365 continues to grow, the more identity management challenges IT organizations must mitigate.

In this article we uncover the risk of updating passwords on Microsoft 365, and present a new approach to securing a user’s core identity.

The Risk: Compromised Credentials

In order to access M365 applications, users must create and then update passwords on an external website (Microsoft’s site). In other words, employees are inputting important login credentials on a third party site. This action poses a big concern for IT admins: getting hacked. 

Today’s sophisticated hackers now target this concept of updating passwords on external sites. How it works:

  • A hacker sends an end user a very legitimate-looking email that prompts users to change their password.
  • The end user clicks on a link from that email and is then redirected to a fake site that is run by the hacker.
  • The end user believes they are visiting the M365 site as they intended and enters their login credentials. 
  • The hacker captures the end user’s personal credentials. 

The result: compromised credentials.

This act is known as phishing. A hacker tricks an end user into providing their login credentials, on an external site, by sending a legitimate-looking email with a malicious link. The end user believes they are following the proper protocol by their IT admin or MSP and is totally unaware that they have just given away their personal credentials.

As you can imagine, the risk to IT orgs and MSPs is significant. Where do we see the most risk?  Core Microsoft applications that govern email. Compromised credentials by way of phishing are the main reason the risks to updating passwords on Microsoft 365 are so high.

The landscape of hacking, including phishing techniques, is ever expanding. And although it may not be the most exciting work, preventing compromised identities is a top priority for IT admins and MSPs. IT professionals and MSPs know that identity management across applications, like M365, can be a major vulnerability for their end users and clients. But securely managing identities is a tough nut to crack. Therefore they are constantly looking for new solutions and ways to fight against phishing attacks. 

A Better Alternative: Device-Based Management

If you’re looking for a better alternative approach to security identities, you are in luck! There is in fact a new approach that can protect M365 end users against the chances of being compromised. 

The alternative is to simply change your core password on your secure device using a native, OS-based application rather than an external website. This ensures that the password update is done securely rather than the other option that risks compromised identities via a phishing attempt or fake site.

The benefits of this approach are unparalleled. Some of these benefits include:

  • Core email accounts — which end up controlling many other services – can be safer ensuring that downstream compromises don’t happen. 
  • The core identity can be federated to a wide range of IT resources – not just M365. 
  • A password update on a machine can be used to update machine credentials, M365, WiFi / VPN access, other applications, and more.

A core cloud directory platform is exactly what JumpCloud® offers to make this approach a reality. By leveraging a cloud directory platform, IT admins can eliminate the risks involved in password updates on M365. With JumpCloud, IT organizations can federate a core identity to virtually everything that users need to access.

Wondering how JumpCloud and M365 work together? IT orgs can leverage JumpCloud’s native, API-based integrations with M365 to manage the identities of those critical employee services. Provision new user accounts or import and manage previously existing ones to ensure they are bound to and governed by your core directory, JumpCloud.

Learn More

To see for yourself, feel free to drop us a line, or schedule a guided demo of our platform. JumpCloud Free allows you to manage 10 users and 10 systems, with 10 days of premium in-app chat support. Sign up today.

Brandon White

Brandon is an enthusiast, solutionist, and JumpCloud’s Technical Evangelist, active in journalism and IT in cities across the US for over 25 years. Pick his brain on Slack in the JumpCloud Lounge:

Continue Learning with our Newsletter