Protecting a Perth firm's identities in the AI era with Conditional Access
A Perth CBD firm worried that AI-powered phishing made identity theft inevitable and that their antivirus couldn't stop it. We rebuilt their security around identity — Microsoft Conditional Access, session-theft protection and passwordless sign-in — reaching 100% MFA coverage and cutting phishing success by ~95% in four weeks.
100%: MFA coverage
~95%: Lower phishing success rate
Passwordless: Credential theft closed off
4 weeks: Assessment to rollout
The challenge
A 35-person professional-services firm in the Perth CBD came to us anxious about identity theft in the AI era. Their leadership had read how AI is making phishing and social engineering dramatically more convincing, and they had realised their traditional antivirus — fine against known malware — did nothing to stop an attacker who simply steals a staff member's credentials and signs in as a legitimate user. With phishing now behind a large share of Australian cyber incidents, they wanted protection built around identity, not just the endpoint.
What we did
We implemented a layered identity-protection strategy centred on Microsoft Entra Conditional Access. Sign-in and session-risk policies now evaluate every authentication in real time — blocking risky sign-ins, requiring compliant and recognised devices, restricting access to expected locations, and enforcing MFA on all users. To stop session-token theft we added continuous session validation, anomaly detection and automatic re-authentication or sign-out when behaviour looks suspicious. We layered on Azure Identity Protection, privileged access management with time-limited admin elevation, and passwordless sign-in (FIDO2 security keys and Windows Hello) to take stealable passwords out of the equation entirely.
The outcome
The firm moved from a single antivirus layer to enterprise-grade identity security in four weeks — assessment, design, rollout and tuning. Every account is now covered by MFA, sessions are monitored with automatic threat response, and passwordless sign-in has effectively closed the credential-theft door, cutting phishing's success rate by around 95%. The controls also brought the firm in line with the ASD Essential Eight and satisfied modern cyber-insurance requirements, giving leadership the confidence to operate and to show their own clients that data stays protected as AI-era threats evolve.
The difference is remarkable. We no longer feel vulnerable to AI-powered identity attacks. Our team can work confidently, and we know our customers' data is protected even when threats evolve.