Jan 20, 2026
It usually starts with a single login.
A user signs into their Microsoft 365 or Google Workspace account from home. The login screen looks exactly as it should. They enter their credentials, receive a familiar MFA prompt, approve it, and are redirected to their inbox without noticing anything unusual. Everything feels routine.
Behind the scenes, an attacker has inserted themselves between the user and the real login page. Through an Adversary-in-the-Middle (AiTM) phishing page, the attacker captures the user’s credentials and the authenticated session token at the same moment the user signs in. The attacker does not need to guess a password or trigger suspicious alerts. They simply reuse the stolen session to access the account as if they were the legitimate user.
For SMBs, this is now the most common breach path.
And for MSPs who protect them, the identity problem is becoming harder to ignore.
Despite years of awareness campaigns, most SMBs still rely on a single Google or Microsoft password to protect their entire business. While most enterprises layer multiple Identity and Access Management (IAM) controls around their identity providers, SMBs are far more likely to rely on default configurations. This turns identity into a single point of failure that attackers understand and actively exploit. Password theft, session hijacking, and automated phishing-as-a-service platforms have made identity the #1 SMB breach vector — a trend supported by internal reports and industry data that consistently point to compromised credentials as the entry point for more than half of all cyber incidents.
This is the quiet crisis MSPs now face: a strong password and traditional MFA, without additional IAM controls, no longer provide enough protection.
To understand why, we need to look at how identity attacks have evolved.
The Rise of Identity-Based Attacks Against SMBs
A decade ago, most cyberattacks targeted servers, endpoints, or network devices. Today, attackers target something far simpler and far more scalable: human authentication behaviors.
Identity has become the new perimeter — and the new battleground.
Below are the core identity threats that now define the SMB risk landscape.
Session Hijacking and AiTM: Breaking in Without the Password
Attackers no longer need to break a password to access an account. In many cases, they simply take over the user’s session instead. Session hijacking has become one of the most effective ways to bypass authentication because it lets attackers reuse a verified login rather than try to force their way through.
Adversary-in-the-Middle (AiTM) is the most visible example today. Instead of defeating MFA directly, AiTM attacks intercept the authentication flow through a reverse proxy, capture the verified session token, and let attackers log in as the user without triggering alerts or additional prompts. This technique has become common in phishing-as-a-service kits because it scales easily and requires no malware.
But AiTM is only one method. Session hijacking and token theft can also occur through compromised browsers, malicious extensions, infected devices, or stolen cookies. Once an attacker obtains a valid session token, they can access the account under the user’s identity until the session expires or is revoked.
For MSPs, this makes session protections and contextual authentication essential. Even strong passwords and traditional MFA can’t prevent attackers from reusing a stolen session if no additional controls are in place.
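One way to spot the session reuse described above is to compare each request in a session against the context the session was first seen in. The following is an added example, not code from the original article or from any product it mentions; the event layout, the /24 grouping and the two-signal threshold are assumptions, and the log lines are constructed.

```python
"""Flag sessions reused from a different client context than the one first seen."""
import ipaddress
from dataclasses import dataclass

# Constructed sample events (not real logs): time, user, session id, source IP, user agent.
SAMPLE_EVENTS = [
    ("2026-01-20T08:01:10Z", "alice@example.com", "sess-a1", "203.0.113.24", "Chrome/131 Windows"),
    ("2026-01-20T08:05:42Z", "alice@example.com", "sess-a1", "203.0.113.77", "Chrome/131 Windows"),
    ("2026-01-20T08:09:03Z", "alice@example.com", "sess-a1", "198.51.100.9", "Firefox/128 Linux"),
    ("2026-01-20T09:15:00Z", "bob@example.com", "sess-b7", "192.0.2.50", "Safari/18 macOS"),
    ("2026-01-20T09:40:31Z", "bob@example.com", "sess-b7", "192.0.2.50", "Safari/18 macOS"),
]


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    session_id: str
    reasons: tuple


def network_of(ip, prefix=24):
    """Coarse network key so address churn inside one /24 is not flagged (IPv4 sample data)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_session_reuse(events):
    """Compare every event against the context recorded when its session was first seen."""
    first_seen = {}  # session_id -> (network, user_agent)
    findings = []
    for time, user, session_id, ip, user_agent in sorted(events):  # ISO timestamps sort in order
        context = (network_of(ip), user_agent)
        if session_id not in first_seen:
            first_seen[session_id] = context
            continue
        base_net, base_ua = first_seen[session_id]
        reasons = []
        if context[0] != base_net:
            reasons.append("network changed")
        if context[1] != base_ua:
            reasons.append("user agent changed")
        if reasons:
            findings.append(Finding(time, user, session_id, tuple(reasons)))
    return findings


def sessions_to_revoke(findings, min_signals=2):
    """Sessions where network and user agent both changed are the strongest revoke candidates."""
    return sorted({f.session_id for f in findings if len(f.reasons) >= min_signals})


if __name__ == "__main__":
    results = find_session_reuse(SAMPLE_EVENTS)
    for f in results:
        print(f.time, f.user, f.session_id, ", ".join(f.reasons))
    print("revoke:", sessions_to_revoke(results))
```

In a reverse-proxy flow the first-seen context may already be the proxy's, so this check complements sign-in risk evaluation rather than replacing it.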
MFA Fatigue Attacks: Turning Security Into a Weakness
MFA was supposed to solve password theft — until attackers learned to exploit human behavior.
With MFA fatigue attacks, threat actors bombard a user with push notifications until they approve one out of frustration, habit, or confusion. SMB employees, who often lack security training, are particularly vulnerable.
This is why MFA alone no longer qualifies as “strong authentication.” It’s only strong when used within a broader IAM strategy.
Phishing-as-a-Service (PhaaS): Enterprise-Grade Attacks Sold as Subscriptions
Phishing attacks are no longer run by individual hackers — they are run as services.
Subscription-based cybercrime kits now offer:
Automated credential harvesting
MFA interception
Reverse-proxy login pages identical to Microsoft/Google
One-click deployment of phishing websites
These tools are built for scaling attacks against SMBs because SMBs are:
Easier to compromise
Less likely to have IAM
More dependent on email + SaaS
Less protected by SOC teams
For MSPs, this means the phishing landscape is not only expanding — it’s professionalizing.
Why SMBs Are Targeted Most
While enterprises typically combine their identity providers with several layers of IAM controls, SMBs often rely on the default settings built into Google or Microsoft. This creates a single point of failure that attackers recognize immediately. Once a threat actor discovers that an organization depends on basic authentication without additional access policies, device trust, or session protections, the path to compromise becomes much easier. SMBs represent a high-value, low-effort target, which is why identity-based attacks concentrate so heavily on this segment.
According to the 2024 Verizon Data Breach Investigations Report (DBIR), compromised credentials remain one of the leading causes of data breaches. The Sophos State of Ransomware Report shows that more than 80 percent of ransomware attacks affect SMBs. Meanwhile, Barracuda’s Email Threat Report finds that SMBs experience several times more social engineering attempts than larger enterprises.
SMBs make ideal targets because their IAM posture is typically limited to:
A shared Microsoft or Google admin role
A single password for all SaaS services
No conditional access
No device trust
Sporadic or no MFA enforcement
This identity gap is what attackers exploit — and it’s the gap MSPs are asked to secure.
The MSP Identity Challenge Is Clear
MSPs aren’t just responsible for managing IT anymore. They are increasingly responsible for:
Securing authentication across hundreds of SaaS apps
Managing user lifecycle events
Enforcing access policies
Detecting suspicious login behavior
Educating clients on identity threats
Supporting clients who believe “MFA is enough”
All while using platforms originally designed for single-tenant corporate IT, not multi-client MSP environments.
As identity attacks evolve, MSPs must deliver more sophisticated protection — even when SMB clients lack the tools, the budget, or the awareness to secure themselves.
Why Built-In Identity Protection Isn’t Enough for MSPs
Most SMBs rely on the default identity features built into Microsoft 365 and Google Workspace. These tools are helpful starting points, but they were never designed for the multi-tenant reality MSPs operate in or for the sophistication of today’s identity-based attacks. When authentication depends solely on basic passwords, MFA prompts, and uncustomized access settings, it creates gaps that attackers can exploit with very little resistance.
Here are the core limitations that matter for MSP workloads.
No Cross-SaaS Visibility or Control
Most SMBs rely on dozens of SaaS applications. Each one handles authentication a little differently. MSPs often have to jump between the admin portals of each SaaS tool to figure out:
Who has access
Whether MFA is on
Whether accounts are stale
What devices are being used
This fragmented experience slows down every security task. More importantly, it makes it difficult to enforce a consistent level of protection across all clients.
With the basic identity controls built into Microsoft 365 and Google Workspace, MSPs cannot see or manage identity risks across their entire client portfolio.
Limited Conditional or Contextual Access Policies
Microsoft 365 and Google Workspace both offer higher-tier conditional access controls. However, many SMB clients do not subscribe to the enterprise-grade license required to enable these features. Even when they are available, they often require specialized configuration that smaller businesses struggle to maintain.
This leaves MSPs with a challenge: They are responsible for security outcomes, but the tools available to them vary widely by client and subscription level.
Without contextual authentication features such as device trust, IP range restrictions, or time-of-day controls, MSPs are left covering gaps they cannot fully manage.
No Multi-Tenant View for Authentication
This is one of the biggest practical problems for MSPs.
Most identity platforms built into Microsoft and Google assume a single organization with a single IT team. MSPs, however, manage multiple environments at once. Without multi-tenant dashboards or policies, they must repeat the same identity tasks for every individual client.
Examples include:
Reviewing MFA status per user
Checking for unusual logins
Resetting credentials during offboarding
Updating access rules
Repeating these steps across dozens of clients consumes hours that could be spent on higher-value services. It also increases the risk of missed configurations or unnoticed identity threats.
Inconsistent Enforcement Across SaaS Applications
Even when basic safeguards such as MFA are enabled, users can still bypass protection by:
Logging in from unmanaged devices
Accessing SaaS apps directly outside the SSO portal
Using saved browser sessions that never expire
Since different SaaS apps have different security capabilities, MSPs cannot reliably enforce a single identity policy across the full environment without an external IAM platform.
The end result is a security posture that looks strong on paper but behaves unpredictably in practice. That unpredictability is exactly what attackers exploit.
The Growing Operational Pressure on MSPs
As identity threats become more sophisticated, MSPs are expected to deliver stronger security protection for clients. Yet the tools available to them often make day-to-day operations harder instead of easier.
This section does not make any legal or liability claims. Instead, it highlights the realities MSPs face and the increasing expectations placed on them.
SMBs Expect MSPs to “Make Security Work”
Most SMBs assume that the authentication built into Microsoft or Google is enough. They believe MFA is already protecting them, even when:
MFA is only partially enabled
Users bypass prompts
Conditional access rules are not available
Device trust is not configured
When something goes wrong, the MSP is the one who receives the call. As SMBs adopt more SaaS applications, this expectation grows. The MSP becomes responsible for security outcomes without always having the tools or visibility needed to deliver them fully.
Rising Identity Complexity Without Rising Budgets
SMBs rarely increase budgets at the same pace attackers increase sophistication. This results in:
Old subscription tiers without modern access controls
Mixed environments across Microsoft, Google, and legacy systems
Users with inconsistent authentication habits
Security features locked behind enterprise licenses
MSPs must protect clients using whatever the client already has. That often means patching gaps manually or creating workarounds that do not scale.
More Accounts, More SaaS, More Attack Surface
A typical SMB uses anywhere from 20 to more than 70 SaaS applications. Each one expands the identity footprint. Each one introduces login behavior MSPs need to understand and secure.
Identity work is no longer just creating accounts or resetting passwords. It involves:
Monitoring login behavior
Building access policies
Managing device trust
Detecting unusual authentication events
Enforcing consistent offboarding
Aligning each app with a centralized identity strategy
This workload grows with every new SaaS app a business adopts. For MSPs, this expansion adds operational complexity without additional headcount.
The Identity Burden Is Increasing Faster Than the Tools to Manage It
Built-in authentication was never meant to support multi-tenant MSP operations. The gap between what MSPs need and what the default tools provide is growing every year.
This is the pivotal shift driving MSPs to explore modern IAM. They need a way to:
Standardize access policies across clients
Reduce time spent on repetitive identity tasks
Identify user-behavior threats earlier
Manage users throughout the lifecycle across platforms
Enforce consistent access rules across SaaS applications
Protect clients without forcing expensive subscription upgrades
This need sets the stage for the next section: what “modern IAM for MSPs” actually looks like.
What Modern IAM for MSPs Looks Like
IAM has evolved far beyond passwords and MFA. Modern IAM is a full security layer that determines who can access what, when they can access it, and from which device or location. For MSPs, the challenge is not only protecting users but doing so in a way that is repeatable across every client they support.
A modern IAM strategy for MSPs includes several core elements.
A Single Pane of Glass for Identity Policies
Instead of configuring access controls inside each client’s Microsoft or Google admin console, MSPs increasingly need a centralized place to:
Review authentication events
Identify suspicious access patterns
Apply policy changes across multiple tenants
Standardize security baselines
This reduces the time spent switching between environments and lowers the risk of human error. It also gives MSPs a broader view of identity activity, which is essential for early threat detection.
A single pane of glass is not just a convenience. It’s a structural change that allows MSPs to scale identity operations without constantly adding more labor.
Automated Lifecycle Management
User lifecycle management is one of the most overlooked aspects of security. Most breaches involving former employees or contractors happen because an account remains active longer than it should.
MSPs often spend valuable hours managing:
New user onboarding
Permission updates
Role changes
Deprovisioning when someone leaves
With manual processes, every client introduces risk. Modern IAM platforms automate most of this work by syncing users across directories and applying pre-defined access rules. For MSPs serving several clients at once, automation is not optional. It is the only realistic way to maintain consistency at scale.
Context-Aware Authentication
With the rise of session hijacking, AiTM and credential theft, MFA alone can’t guarantee safe access. Authentication needs to adjust based on context.
Context-aware authentication looks at factors such as:
Network conditions (such as IP range)
Device type
Time of access
Behavior patterns
High-risk situations like new browsers or unusual IP addresses
When something looks off, the system challenges the user with additional verification. When everything aligns with normal behavior, authentication remains seamless.
This balance between friction and security is especially important for SMBs, where users often work across multiple devices or locations. MSPs need controls that adapt intelligently rather than relying on fixed policies.
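The decision logic described above can be sketched as a small policy evaluator that allows, steps up, or denies a sign-in based on the listed factors. This is an added example, not code from the original article or from HENNGE Identity; the `Policy` and `SignIn` field names, the app names and the sample values are hypothetical.

```python
"""Context-aware sign-in decision: allow, step up, or deny."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Policy:
    """Hypothetical per-tenant policy; field names are illustrative, not a product schema."""
    trusted_networks: tuple                       # CIDR strings, e.g. office egress ranges
    work_hours: tuple = (7, 20)                   # local hours [start, end) treated as normal
    require_managed_for: frozenset = frozenset()  # apps only managed devices may reach


@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    device_managed: bool
    browser_id: str       # stable identifier for this browser profile
    local_time: datetime


def evaluate(signin, policy, known_browsers):
    """Return (decision, reasons); known_browsers maps user -> browser ids seen before."""
    # Hard requirement first: restricted apps are unreachable from unmanaged devices.
    if signin.app in policy.require_managed_for and not signin.device_managed:
        return "deny", ["unmanaged device for restricted app"]

    reasons = []
    addr = ipaddress.ip_address(signin.ip)
    if not any(addr in ipaddress.ip_network(n) for n in policy.trusted_networks):
        reasons.append("untrusted network")
    start, end = policy.work_hours
    if not start <= signin.local_time.hour < end:
        reasons.append("outside normal hours")
    if signin.browser_id not in known_browsers.get(signin.user, set()):
        reasons.append("new browser")
    if not signin.device_managed:
        reasons.append("unmanaged device")

    # Any risk signal triggers additional verification; none keeps sign-in seamless.
    return ("step_up", reasons) if reasons else ("allow", reasons)


# Constructed sample policy and browser history.
POLICY = Policy(trusted_networks=("203.0.113.0/24",), require_managed_for=frozenset({"payroll"}))
KNOWN_BROWSERS = {"alice@example.com": {"br-01"}}


def demo():
    """Three constructed sign-ins: routine, unusual context, restricted app on unmanaged device."""
    day, night = datetime(2026, 1, 20, 9, 30), datetime(2026, 1, 20, 23, 5)
    attempts = [
        SignIn("alice@example.com", "mail", "203.0.113.10", True, "br-01", day),
        SignIn("alice@example.com", "mail", "198.51.100.9", True, "br-99", night),
        SignIn("alice@example.com", "payroll", "203.0.113.10", False, "br-01", day),
    ]
    return [evaluate(a, POLICY, KNOWN_BROWSERS) for a in attempts]


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```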
Unified Identity Policies Across SaaS Applications
Most SMBs operate in hybrid environments that include Microsoft 365, Google Workspace, and a wide range of SaaS tools. Without a unified IAM layer, it becomes almost impossible to enforce consistent access rules across all of them.
Modern IAM ensures:
All logins flow through a centralized identity provider
All devices must meet certain trust requirements
All access can be evaluated against the same policy framework
This creates a predictable, stable security posture while simplifying MSP operations. Instead of configuring each SaaS app individually, MSPs can set rules once and apply them everywhere.
How MSPs Can Turn IAM Into Long-Term Recurring Revenue
IAM has become one of the few security layers that naturally supports long-term recurring revenue for MSPs. As SMBs adopt more cloud applications and rely more heavily on identity as the gateway to their business, MSPs can package IAM in ways that drive immediate value while also strengthening multi-year client retention.
Identity as a Managed Service
MSPs can package IAM as a dedicated offering that includes:
Identity setup and configuration
Ongoing monitoring
User lifecycle management
Incident review and response
Access control policy enforcement
Businesses increasingly want a single monthly service that ensures their users and devices are secure. IAM fits neatly into this demand.
Security Bundles That Start With Identity
Identity is the foundation for all other security layers. MSPs often position IAM as the first step in a broader security program that may include:
Endpoint protection
Email security
Cloud backup
DLP
Threat detection
By anchoring their security stack on IAM, MSPs can create more compelling packages and increase customer retention.
Compliance-Driven Upsells
Many SMBs face growing compliance requirements from clients, regulators, and insurers. IAM plays a direct role in meeting controls related to:
Access management
Authentication strength
Least privilege
User audits
Data access governance
MSPs can offer compliance-ready IAM configurations as a premium add-on.
Clear Value Demonstration Through Reporting
IAM platforms give MSPs visibility into user behavior, risky access attempts, and policy adherence. These insights help MSPs demonstrate value during quarterly business reviews and justify ongoing managed security fees.
In a competitive MSP market, showing measurable improvements in identity security can be a strong differentiator.
Identity as the Foundation for Long-Term Client Retention
Identity sits at the center of every user, device, and application an SMB relies on. Once IAM is fully implemented, it becomes part of the daily workflow: onboarding and offboarding, permission changes, application access, and security monitoring all flow through the identity layer. Because of this, IAM is not a tool a client can easily replace. Switching identity platforms disrupts user productivity, introduces operational risk, and demands significant reconfiguration.
For MSPs, this creates a natural retention effect. IAM becomes a core operational service rather than a point solution, which makes it far more resilient to pricing comparisons or vendor churn. MSPs that manage identity are not only delivering security; they become tightly integrated into how their clients function day-to-day. That level of dependency strengthens long-term contracts and improves overall customer lifetime value.
How HENNGE Identity Fits Into the Modern MSP Stack
By this point, most MSPs agree that relying on default Microsoft 365 or Google Workspace authentication is not enough. The question is what to put in front of those identity providers that strengthens security without adding unmanageable complexity.
HENNGE Identity is designed to sit in that position. It acts as both an Identity Provider (IdP) and IAM platform, giving MSPs a single place to control how users, devices, and applications authenticate.
A Unifying Identity Layer for Mixed Environments
Many SMBs run a mix of Microsoft 365 or Google Workspace and various SaaS tools. HENNGE Identity adds a unifying identity layer on top of these environments. Instead of managing access on a per-platform basis, MSPs can define policies once and apply them across the client’s ecosystem. This brings structure to environments that have often grown organically and inconsistently over time.
Single Sign-On That Reduces Friction, Not Just Passwords
HENNGE Identity supports single sign-on for hundreds of applications, along with SAML and OIDC. For end users, that means one portal where they can launch the tools they need without juggling multiple passwords. For MSPs, it means fewer access issues, a clearer view of which apps are actually in use, and a practical way to reduce shadow IT by centralizing SaaS access through a managed identity layer. SSO becomes less about convenience alone and more about bringing structure and visibility to modern SMB environments.
Context-Aware MFA Instead of Constant Prompts
MFA is most effective when it is applied thoughtfully. HENNGE Identity allows MSPs to set policies so additional verification is requested when risk is higher, not every single time a user signs in. That might include requiring extra checks from unfamiliar networks, untrusted devices, or sensitive applications. The result is a better balance between security and usability, which is particularly important for SMBs that do not have a lot of patience for clunky login flows.
Bringing Devices Into the Identity Conversation
Accounts are only part of the story. Devices matter too. HENNGE Identity can use device certificates to help ensure that only approved mobile devices and workstations can reach certain apps. This gives MSPs another control point: they are not just deciding who can log in, but also which devices are allowed to participate. For clients with remote or hybrid teams, this is a practical way to tighten access without rolling out a full endpoint management overhaul on day one.
A Safer Path for BYOD and Remote Access
Many SMBs rely on personal devices or ad hoc remote access arrangements to keep work moving. HENNGE Identity’s secure browser capabilities give MSPs a way to allow access to web apps while still putting guardrails around actions like downloading files, copying data, or capturing screens. For internal web applications that previously depended on VPNs, HENNGE Identity can offer a more streamlined, identity-driven way to reach them, which simplifies support and reduces friction for users.
Lifecycle Management That Scales Beyond One Tenant
User lifecycle work is one of the most time-consuming responsibilities for MSPs. New hires, role changes, and departures all create small but critical changes in access. HENNGE Identity is capable of connecting identity to user directories so that many of these changes can be automated and applied consistently. Instead of managing this separately inside each client environment, MSPs can rely on a predictable process that scales across tenants.
Built With Multi-Tenant Reality in Mind
Managing identity across several clients can be repetitive and inefficient. While HENNGE Identity secures each individual tenant, HENNGE Inc. also provides multi-tenant workflow support through a dedicated tool that lets MSPs deploy and maintain standardized configurations at scale. Using secure, API-driven templates, MSPs can apply consistent access policies—such as password rules, authentication methods, lockout settings, context-aware controls, IP ranges, and device or Secure Browser requirements—without switching between dashboards or logging into each tenant separately. This gives MSPs a structured and efficient way to manage identity across their entire portfolio.
For MSPs looking to move beyond “MFA plus passwords” and offer identity as a managed service, HENNGE Identity provides the kind of layered, centrally managed control plane that modern SMB environments now require.
Identity is now the front line of SMB security, and MSPs who take ownership of it will be better equipped to protect clients and grow their services. We’ll be publishing more deep dives on topics like AiTM attacks, IAM maturity, and the evolving role of MSPs in identity security. To stay updated, subscribe to our newsletter. If you’d like to explore how HENNGE Identity can support your MSP practice, feel free to contact us anytime.






