After a series of embarrassing security issues over the last couple of years, in 2024 Microsoft launched the Secure Future Initiative (SFI), with the tagline “Security above all else.” SFI was billed as a truly comprehensive, top-to-bottom evaluation of every part of Microsoft’s security posture, including people, processes, and technology. The goal of SFI is simple: improve every aspect of their physical, information, supply chain, and service delivery security. Performance evaluations and compensation are now (supposed to be) tied to security performance, too, a time-tested tactic for helping people focus on desired topics by giving them financial incentives.

But is SFI working? It’s difficult to say from the outside, but as part of the SFI announcement, Microsoft committed to releasing quarterly progress reports. In mid-August 2025, they publicly released the April 2025 quarterly report, and it has some interesting stuff, both to help you understand what’s happening with SFI but also to identify some areas where you might use Microsoft’s experience to drive your own security improvements.

A Word of Caution

Before we dig too deeply into the report, I should point out that a lot of what Microsoft has done is specific to their environment. Senior executives and junior administrators share a bad habit of wanting to copy what Microsoft does in their own environment; people in between are more likely to recognize that Microsoft’s policies and deployments are suited to their particular organization and may not be universally applicable. So, for example, when you read that Microsoft has deployed “an automated lifecycle management solution for all Microsoft Entra ID applications in the production environment” (page 6), that doesn’t necessarily mean that you should do the same. Your budget of money, time, and attention for security improvements is probably smaller than Microsoft’s, so it’s critical to pick the most important areas to spend it on.

A Few Highlights

The report itself is 28 pages, so of course I can’t summarize all of it here. However, it’s worth highlighting a few notable accomplishments:

  • Shipping the linkable identifiers feature for Entra ID, so that you can correlate every action taken after a single authentication event. Issuance of refresh or access tokens, requests for resource access, and access control failures can all be traced back to the original authentication. This is a big improvement because it drastically reduces the work of tracing what an attacker did, or tried to do, after initial authentication, and it’s something you can and should take advantage of in your own threat hunting and investigation work.
  • 92% of “employee productivity accounts” (as opposed to service accounts, accounts for access to automated systems, etc.) are protected with phishing-resistant MFA. This is good progress, and phishing-resistant MFA is an appropriate technology for almost every organization; you should consider deploying it if you haven’t already.
  • Microsoft claims significant progress in removing excess access privileges. For example, they have “reduced access to code signing services” and “significantly reduced the number of members in admin roles in our engineering system.” (page 21) An attacker can’t compromise accounts that don’t exist, so reducing the total number of both privileged and regular accounts is a good thing.
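
To make the linkable-identifiers point concrete, here is an added example (my own illustration, not code from the report or from Microsoft) of the kind of correlation the feature enables: given sign-in, token-issuance and resource-access records that share a session identifier, rebuild the timeline of everything that followed one authentication and flag sessions with repeated access-control failures. The records are constructed sample data, and the field names (sessionId, uti for the unique token identifier) are an assumption of this example loosely modelled on Entra sign-in log columns, not a statement about the product's schema.

```python
"""Correlate post-authentication activity back to a single sign-in.

Added example, not from the article or the SFI report. Field names are
an assumption of this example (loosely modelled on Entra ID sign-in log
columns), and every record below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: one session (sid-001) that, after a successful
# sign-in, obtained a token and then repeatedly failed to reach a resource,
# and a second, unremarkable session (sid-002) for the same user.
EVENTS = [
    {"time": "2025-08-20T09:00:00Z", "kind": "interactive_signin", "user": "alice@example.com",
     "sessionId": "sid-001", "uti": "uti-a1", "status": "success", "resource": "Microsoft Graph"},
    {"time": "2025-08-20T09:00:05Z", "kind": "token_issued", "user": "alice@example.com",
     "sessionId": "sid-001", "uti": "uti-a2", "status": "success", "resource": "Exchange Online"},
    {"time": "2025-08-20T09:02:10Z", "kind": "resource_access", "user": "alice@example.com",
     "sessionId": "sid-001", "uti": "uti-a2", "status": "success", "resource": "Exchange Online"},
    {"time": "2025-08-20T09:03:00Z", "kind": "resource_access", "user": "alice@example.com",
     "sessionId": "sid-001", "uti": "uti-a3", "status": "failure", "resource": "Azure Key Vault"},
    {"time": "2025-08-20T09:03:30Z", "kind": "resource_access", "user": "alice@example.com",
     "sessionId": "sid-001", "uti": "uti-a4", "status": "failure", "resource": "Azure Key Vault"},
    {"time": "2025-08-20T10:15:00Z", "kind": "interactive_signin", "user": "alice@example.com",
     "sessionId": "sid-002", "uti": "uti-b1", "status": "success", "resource": "Microsoft Graph"},
    {"time": "2025-08-20T10:16:00Z", "kind": "resource_access", "user": "alice@example.com",
     "sessionId": "sid-002", "uti": "uti-b2", "status": "success", "resource": "SharePoint Online"},
]


def _ts(event):
    """Parse the record timestamp so sessions can be ordered chronologically."""
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def group_by_session(events):
    """Bucket every record under the session it belongs to, in time order."""
    sessions = defaultdict(list)
    for event in events:
        sessions[event["sessionId"]].append(event)
    for sid in sessions:
        sessions[sid].sort(key=_ts)
    return dict(sessions)


def session_timeline(events, session_id):
    """Return the ordered activity that followed one authentication event,
    starting from the sign-in that opened the session. Unknown session -> []."""
    records = group_by_session(events).get(session_id, [])
    return [(e["time"], e["kind"], e["resource"], e["status"]) for e in records]


def suspicious_sessions(events, failure_threshold=2):
    """Flag sessions in which the authenticated principal hit repeated
    access-control failures; these are the sessions worth pulling into an
    investigation, and the session id is the pivot back to the sign-in."""
    flagged = {}
    for sid, records in group_by_session(events).items():
        failures = [e for e in records if e["status"] == "failure"]
        if len(failures) >= failure_threshold:
            flagged[sid] = {
                "user": records[0]["user"],
                "failures": len(failures),
                "resources": sorted({e["resource"] for e in failures}),
            }
    return flagged


if __name__ == "__main__":
    for sid, info in suspicious_sessions(EVENTS).items():
        print(f"{sid}: {info}")
        for row in session_timeline(EVENTS, sid):
            print("   ", *row)
```

The useful property is the pivot: once one record looks odd, the session identifier hands you every token issued and every resource touched under that authentication, which is exactly the tracing work the report describes as getting cheaper.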

The entire report is worth reading because it contains a lot of less-noticeable items that are still significant. Microsoft has clearly invested a large amount of time, money, and brainpower in moving SFI forward.

What You Can Do

Out of all the things Microsoft is doing, a few stand out as things that are broadly applicable to other organizations. If I were going to select a handful of actions for you to take in your own organization based on what Microsoft’s doing, taking into account that all of us have smaller budgets and staffs than they do, here’s what I’d pick.

First, get rid of legacy systems and protocols whenever possible. If you have a service or device that is past its end of life, replace it. If you have Windows 10, Exchange 2016 or Exchange 2019, or other products that are at or near the end of support, replace them. I mention this first because it often takes a long time to complete this process, starting with convincing your executive management that it’s a good idea. Removing or blocking outdated devices and protocols is an ongoing process, but it’s never too late to start (or accelerate).

Second, consider that an attacker who can’t authenticate can’t do much to hurt you. Increasing the percentage of your accounts that are protected with phishing-resistant MFA will help harden your environment significantly. Even if you can’t use phishing-resistant MFA everywhere, applying it to high-value accounts (your CEO, for example, and of course all global admin accounts) will provide valuable extra protection for a relatively low cost.
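
As an added example of how to measure and prioritize this (my own illustration, not code from the article or from Microsoft), the script below takes a constructed account inventory, computes phishing-resistant coverage across user accounts only (service accounts are excluded, mirroring the report's "employee productivity accounts" distinction), and lists the privileged or high-value accounts that still lack a phishing-resistant method so they can be fixed first. The inventory, the method names and the role list are assumptions of this example; the set of methods treated as phishing-resistant follows the usual definition (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication).

```python
"""Phishing-resistant MFA coverage report with high-value gaps first.

Added example, not from the article or the SFI report. The inventory is
constructed sample data; method names and role names are assumptions of
this example rather than any product's exact identifiers.
"""

# Methods that resist credential phishing because the authenticator is bound
# to the origin or to a device-held key (assumed labels for this example).
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello_for_business", "certificate_based_auth"}

# Roles we treat as privileged for prioritization (assumed list for this example).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Security Administrator"}

# Constructed sample inventory (not real accounts).
ACCOUNTS = [
    {"upn": "ceo@example.com", "type": "user", "roles": [], "high_value": True,
     "methods": {"authenticator_push"}},
    {"upn": "admin1@example.com", "type": "user", "roles": ["Global Administrator"],
     "high_value": False, "methods": {"fido2"}},
    {"upn": "admin2@example.com", "type": "user", "roles": ["Global Administrator"],
     "high_value": False, "methods": {"sms"}},
    {"upn": "bob@example.com", "type": "user", "roles": [], "high_value": False,
     "methods": {"windows_hello_for_business", "sms"}},
    {"upn": "carol@example.com", "type": "user", "roles": [], "high_value": False,
     "methods": {"authenticator_push"}},
    {"upn": "svc-backup@example.com", "type": "service", "roles": [], "high_value": False,
     "methods": set()},
]


def is_phishing_resistant(account):
    """True if at least one registered method is phishing-resistant."""
    return bool(account["methods"] & PHISHING_RESISTANT)


def is_privileged(account):
    """True if the account holds any role on the privileged list."""
    return bool(set(account["roles"]) & PRIVILEGED_ROLES)


def coverage_percent(accounts):
    """Share of user (non-service) accounts with a phishing-resistant method,
    rounded to one decimal; the figure the report quotes as 92% for Microsoft."""
    users = [a for a in accounts if a["type"] == "user"]
    if not users:
        return 0.0
    protected = sum(1 for a in users if is_phishing_resistant(a))
    return round(100.0 * protected / len(users), 1)


def priority_gaps(accounts):
    """Privileged or high-value user accounts still lacking a phishing-resistant
    method, privileged roles first, then other high-value accounts, by UPN."""
    gaps = [a for a in accounts
            if a["type"] == "user"
            and (is_privileged(a) or a["high_value"])
            and not is_phishing_resistant(a)]
    gaps.sort(key=lambda a: (0 if is_privileged(a) else 1, a["upn"]))
    return [a["upn"] for a in gaps]


if __name__ == "__main__":
    print(f"phishing-resistant coverage (user accounts): {coverage_percent(ACCOUNTS)}%")
    print("fix these first:", priority_gaps(ACCOUNTS))
```

Running the report periodically and watching the coverage number climb while the priority list shrinks gives you the same kind of trackable metric Microsoft publishes, scaled to your own tenant.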

Third, take a page from Microsoft’s playbook and “accelerate vulnerability mitigation”… which sounds really vague. When they say it, the phrase means they are improving the speed at which they detect and fix vulnerabilities in their products and services (e.g. by fixing zero-day issues in Windows, or potential exploits in cloud services). When you say it, it should refer to your efforts to improve

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).
