Q&A: Microsoft VP Alex Simons On Evolving Identity-Based Threats And The Future Of IAM

Expert Insights interviews Alex Simons, Corporate Vice President, Identity & Network Access Program Management at Microsoft.

As identity-based threats continue to evolve, organizations face mounting challenges in safeguarding access to critical systems and data. Attackers are adapting rapidly, leveraging techniques like adversary-in-the-middle attacks to compromise even multi-factor authentication systems.

“Microsoft observes over 600 million identity-based attacks daily, emphasizing the critical need for organizations to secure their identity infrastructure and enforce robust least privilege access controls,” says Alex Simons, Corporate Vice President for Identity and Access Management at Microsoft.

Simons is responsible for the Product Management and Security Engineering for the Entra suite of Identity and Access Management services. In his spare time, he coaches competitive club and college volleyball.

In this Q&A, Simons delves into the shifting threat landscape, how Microsoft Entra ID tackles these challenges with its Zero Trust approach, and the IAM trends and priorities organizations must prepare for in 2025.

Q. What are the biggest challenges facing organizations in the IAM space today and how are identity-based threats evolving?

The biggest challenges organizations face in the Identity and Access Management (IAM) space today stem from the rapid evolution of identity-based threats. As organizations increasingly adopt multi-factor authentication, attackers are adapting their techniques to use more sophisticated phishing attacks that leverage adversary-in-the-middle techniques that fool users into completing SMS and push-based authentication so the attacker can steal that user’s identity tokens. Microsoft observes over 600 million identity-based attacks daily, underscoring the sheer scale of this issue.

Another significant trend is the exploitation of identity infrastructure as a foothold for broader network compromise. Adversaries increasingly focus on applications that manage access to sensitive resources, leveraging them as gateways to privileged accounts and critical data. This underscores the importance of securing these applications and enforcing least privilege access controls to limit the potential impact of a breach.

Q. How does the Microsoft Entra ID platform help teams address these challenges, and how do you differentiate yourselves from competitors?

Attackers targeting identity systems often leverage misconfigurations and vulnerabilities. Entra ID mitigates these risks by providing customers pre-configured security policies and best practices through our unique Secure Defaults and Microsoft Managed Policies programs.

These programs give customers Microsoft-vetted security policies that adhere to our Zero Trust Architecture principles. These pre-configured policies for features like Conditional Access and phishing-resistant authentication eliminate misconfiguration issues and unrecognized gaps to ensure that only verified users and devices gain access to critical systems.

Entra ID is also unique in our open standards-based approach to providing phishing-resistant authentication methods, including passkeys. Microsoft has been a leader in phishing resistance since launching Windows Hello, the industry’s first open standards, biometric, phishing-resistant approach to authentication in 2015.

Since 2015 we have worked tirelessly with our partners at Apple, Google, and in the FIDO Alliance to bring this same set of open standards-based phishing-resistant capabilities to the macOS, iOS, and Android operating systems.

Q. What are your top recommendations for CISOs in the process of looking for an Identity and Access Management solution?

When selecting an Identity and Access Management solution, CISOs should prioritize solutions that are open standards-based and align with a Zero Trust security model, including continuous identity verification and adaptive access controls that use real-time threat intelligence to make dynamic access decisions.

Comprehensive visibility across identities, endpoints, and networks is essential, while seamless integration across the complete set of enterprise security tools enhances detection, response, and policy enforcement. These capabilities collectively establish a resilient trust fabric, securing access in today’s complex threat landscape.

Q. What trends do you expect to see in the IAM space in 2025?

We expect two major trends in 2025. The first being the mainstream adoption of phishing-resistant authentication based on open standards-based passkeys, a shift that will dramatically improve the security of billions of user accounts. 

The second will be the continued use of AI both by attackers to craft increasingly sophisticated attacks, for example phishing emails that are nearly impossible for users to differentiate from normal email, and by defenders, who will use AI to be able to quickly differentiate between real attacks and false alarms, to automate and shorten their response times, and to quickly design, test, and deploy updated security policies designed to protect against the latest threats.

Q. In your view, what should organizations’ top IAM planning priorities be for 2025?

Our recommendations to our customers in 2025 are straightforward:  

  1. It’s time to urgently test and deploy unphishable authentication methods at scale as they are the only way to protect your organization from increasingly indistinguishable AI-based phishing attacks.
  2. Continue to follow a Zero Trust architectural model, including developing plans to create and automatically govern a “least privileges” approach to access.
  3. Begin experimenting with the use of next GenAI-based automation and analysis to enable your security and identity professionals to scale in the world of increasing attack volumes.
