
Chasing Chipmunks: One Big Pro Tip for Identity in M365 Disaster Resilience

When it comes to disaster-proofing Microsoft 365, many organizations focus on backup and failover. But during a recent tech-ed summit put on by Virtualization & Cloud Review, expert presenters John O'Neill Sr. and Dave Kawula made the case that disaster recovery starts with something far more fundamental: identity.

Their session, titled "How To Make Microsoft 365 Fail-Proof: Modern Strategies for Resilience," covered a broad range of real-world Microsoft 365 continuity tactics, from backup immutability to hybrid recovery models. But one theme ran underneath nearly every topic: identity is the single point of failure for the entire Microsoft 365 service stack. Azure AD (now Microsoft Entra ID) connects everything from Exchange to SharePoint to Teams--and if attackers get in at the identity layer, the rest of the stack can fall like dominoes.

"If you don't have MFA enabled on every single admin account... then you need to do that 100% across the board, except for your break glass account."

John O'Neill Sr., Azure Innovators

The cybersecurity experts' session was part of a July 30 (today) three-session online summit sponsored by Veeam, "How To Make Microsoft 365 Fail-Proof: Modern Strategies for Resilience," now available for on-demand viewing.

As O'Neill Sr. put it in an animal-themed metaphor, "If you have a compromise in your identity and access management system, you've lost. You've already lost, right, because now they're in and moving around, and you're chasing the chipmunk." He's a 30-year veteran of the IT industry and a multi-time Microsoft MVP, and his co-presenter Kawula is the founder and Managing Principal Consultant at TriCon Elite Consulting and also a Microsoft MVP, so they have seen their share of chased chipmunks.

For reference, here's the full chipmunk quote from O'Neill Sr.:

"We're not trying to make it a pain, but as I always say, Dave, if you have a compromise in your identity and access management system, you've lost. You've already lost, right, because now they're in and moving around, and you're chasing the chipmunk. And for those that haven't heard me use that analogy: if you have a chipmunk running around inside your house, and all you're doing is trying to chase it, you are in an exercise of futility. You will never catch that squirrely little chipmunk. And yes, I use that pun intended, but if you start narrowing the area it has to move, locking doors, shutting them down so that they're confined to a single room, now you have a much better chance of catching the chipmunk, right? So the best scenario is, don't let a chipmunk in your house, right?"

The Pro Tip: MFA for Every Admin (Except One)

Midway through the session, O'Neill Sr. framed a direct call to action on multi-factor authentication (MFA) as something attendees could implement immediately.

"You and I always like to give attendees of our sessions, you know, pro tips that they can take and do something with immediately, right after our session," he said to his partner Kawula. "And I'm going to throw one out there right now, and that is: if you don't have MFA enabled on every single admin account in your organization, on-prem admin, domain admin, global admin, whatever it is, then you need to do that 100% across the board, except for your break glass account."

"You plan for the failure. You hope the failure doesn't happen. But when you're building disaster recovery solutions, you are planning for the failure."

Dave Kawula, managing principal consultant, TriCon Elite Consulting

That "break glass" account, he said, should be treated like the crown jewels of your organization. O'Neill Sr. described his own implementation as follows: "I randomized the password and put it on a piece of paper in a sealed envelope and gave it to the CEO or CIO and CSO, in some cases, and they have it put in a lock box with other critical information. And anybody that wants to use that break glass account has to go through that chain all the way at the C-level to get it out of the lock box and get access to it."

The recommendation wasn't hypothetical. The speakers cited multiple cases where attackers gained initial entry through weak or unprotected administrative accounts. One example was Ubiquiti, which suffered millions in damages after an insider exfiltrated data using a single compromised global admin account.
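The pro tip above turns into a concrete audit once you can list every privileged account and see whether it has an MFA method registered. The following PowerShell is an added example written for this article; it is not code from the summit or its presenters. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the read permissions requested, and it uses a hypothetical break-glass UPN that you would substitute with your own. The break-glass account is reported separately rather than counted as a violation, because leaving it out of MFA is the one exception the speakers called for.

```powershell
# Added example, not the presenters' code. Lists directory admins and flags any that
# have no MFA method registered, treating the single break-glass account as a
# deliberate, documented exception rather than a finding.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Hypothetical break-glass account; replace with the UPN of your own sealed-envelope account.
$breakGlassUpn = "breakglass@contoso.example"

# userRegistrationDetails exposes IsAdmin and IsMfaRegistered per user; keep only admins.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin }

$report = foreach ($a in $admins) {
    $status = if ($a.UserPrincipalName -eq $breakGlassUpn) {
        "BREAK-GLASS (excluded by design; verify envelope/lock-box control)"
    } elseif ($a.IsMfaRegistered) {
        "OK"
    } else {
        "VIOLATION: admin without MFA"
    }

    [pscustomobject]@{
        User          = $a.UserPrincipalName
        MfaRegistered = $a.IsMfaRegistered
        Passwordless  = $a.IsPasswordlessCapable
        Methods       = ($a.MethodsRegistered -join ", ")
        Status        = $status
    }
}

# Violations first so the list you need to act on is at the top.
$report | Sort-Object Status | Format-Table -AutoSize

# Optional evidence for the change ticket or auditor.
$report | Export-Csv -Path ".\admin-mfa-audit.csv" -NoTypeInformation
```

Run it before and after the MFA rollout: the "VIOLATION" rows should go to zero, and the only row left without MFA should be the break-glass account. Any second account appearing in that state is a gap, not a second exception.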

Don't Let the Chipmunk In

MFA was just one layer in a broader framework of Identity and Access Protection presented in the session. Kawula pointed out that many tenants created years ago are still configured with defaults that lack modern controls, making it easy for attackers to move laterally once inside.

"Conditional access policies only just recently started to become mandatory for Microsoft to lock down," Kawula said. "And with that, we can enforce things like multi-factor authentication. We can take and have country blocks. You can have ID blocks. That is an absolute monster."

O'Neill Sr. tied this to a principle of Zero Trust: assume breach, and plan as though the attacker is already inside. "The best scenario is, don't let a chipmunk in your house, right? Have good, solid Identity and Access protection, and this involves things like the FIDO2 keys. And I'm a big fan of passwordless now."

Additional Identity and Access Protection Tactics

The speakers spent much time discussing "Identity and Access Protection," outlining several adjacent strategies that go hand-in-hand with MFA. These were expanded upon in the discussion and are summarized here for quick reference:

[Slide: IAP (Identity and Access Protection)]
  • Passwordless authentication: O'Neill Sr. praised the modern FIDO2-based approach that doesn't rely on physical keys. "I do a lot of consulting work on passwordless technologies because it gives us the benefits of a FIDO2 key without the physical key being necessary."
  • Risk-based sign-in policies: These enable automated responses based on behavioral context, such as geography or device risk levels.
  • Guest access governance: The session emphasized the importance of tightly controlling guest permissions, particularly in Teams and SharePoint.
  • Service account security: O'Neill Sr. distinguished between "user accounts being used to run a service" versus true managed service accounts, highlighting JP Morgan's success in eliminating service account compromises by implementing cert-based auth, auto-rotation, and group-managed identities.
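Kawula's point about Conditional Access being the mechanism that actually enforces MFA, combined with the "every admin except break glass" rule, maps onto a single policy. The PowerShell below is an added example written for this article, not code from the session or from Microsoft; it assumes the Microsoft Graph PowerShell SDK, the listed permissions, and a hypothetical break-glass UPN. It resolves the admin roles by display name so no role GUIDs are hard-coded, excludes only the break-glass account, and creates the policy in report-only mode so you can review the sign-in log impact before enforcing it.

```powershell
# Added example, not the presenters' or Microsoft's code. Creates a Conditional Access
# policy requiring MFA for privileged directory roles, with the one break-glass account
# excluded, in report-only mode first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

# Hypothetical break-glass account; replace with your own. Excluding it by object ID
# (not by UPN) keeps the exclusion stable if the UPN is ever renamed.
$breakGlassUpn = "breakglass@contoso.example"
$breakGlassId  = (Get-MgUser -UserId $breakGlassUpn).Id

# Privileged roles to cover, resolved from the tenant's role templates by display name.
$roleNames = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Conditional Access Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "SharePoint Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

if ($roleIds.Count -ne $roleNames.Count) {
    Write-Warning "Resolved $($roleIds.Count) of $($roleNames.Count) roles; check the display names."
}

$policy = @{
    displayName = "Require MFA for admin roles (break-glass excluded)"
    # Report-only first: sign-ins are evaluated and logged, nothing is blocked yet.
    # Change to "enabled" once the sign-in log shows only the expected impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlassId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The break-glass exclusion is the only exclusion; adding "temporary" user exclusions to get a rollout unblocked is exactly how the chipmunk gets in. Pair the policy with an alert on any sign-in by the break-glass account, since under the sealed-envelope process described above that account should never authenticate outside a declared emergency.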

Final Thoughts

With ransomware, business email compromise, and insider threats all increasingly targeting identity as the weakest link, the speakers agreed on one clear takeaway: the best way to recover from a Microsoft 365 disaster is to prevent one in the first place. And that starts with ensuring that no admin--except one highly protected break-glass account--is left without MFA.

As O'Neill Sr. said during the session, "Security is not a matter of convenience."

And More
Kawula and O'Neill Sr. had a lot more expert advice to share on identity and discussed many other topics in their complete presentation, so an on-demand replay is definitely in order. And, although replays are fine -- this was just today, after all, so timeliness isn't an issue -- there are benefits to attending such summits and webcasts from Virtualization & Cloud Review and sister sites live. Paramount among these is the ability to ask questions of the presenters, a rare chance to get one-on-one advice from bona fide subject matter experts (not to mention the chance to win free prizes -- in this case a $300 Best Buy gift card from sponsor Veeam, a leader in disaster resilience, which also presented at the summit).


About the Author

David Ramel is an editor and writer at Converge 360.
