Joe Tiedeman

Technology and Security

Why Domain Monitoring is Essential for Microsoft Entra Security

When we think about protecting Microsoft Entra tenants, the conversation often revolves around user identities, conditional access, and multi-factor authentication. Those are all critical – but one piece is often overlooked: verified domains.

These domains are the foundation of your organisation’s identity. They determine how email flows, which services are trusted, and ultimately, how people inside and outside your business know they’re dealing with you.

Yet many organisations don’t actively monitor their domains, leaving them exposed to subtle but high-impact risks. Here are three reasons why domain monitoring should be part of your security strategy.


1. Domains define your identity footprint

Every verified domain in your Entra tenant is a doorway into your organisation. When a new domain is added, it expands your attack surface. When one is removed, it might be a legitimate housekeeping activity – or a sign of something more concerning.

Attackers often look for ways to insert shadow domains or tamper with existing ones as part of account takeovers. Without monitoring, these changes can fly under the radar.

Once you’ve added your Entra tenant to Cybaa’s monitoring, we’ll alert you by email any time a domain is added to or removed from the monitored tenant.

2. Microsoft has tightened access – and for good reason

Until recently, Microsoft allowed anyone to query a tenant’s domains through unauthenticated public endpoints. We, along with open source intelligence tools such as AADInternals, took advantage of this. It was a long-standing weakness: attackers could map your organisation’s domains without ever touching your environment.

Officially, that loophole has been closed. Merill Fernando, a PM at Microsoft, publicises the releases from the Microsoft 365 Message Centre, and the most recent update, from July 2025, says that the endpoints will have been closed off by late August. We’re still seeing mixed results from our tooling that uses the public endpoints: some tenants return a full list of domains, others return only the queried domain (if it exists in M365). So take this with a pinch of salt; Microsoft have moved the goalposts a few times already.

All that being said, whilst it has caused us some temporary extra work, because proactive monitoring now requires an authorised, secure integration, it is without doubt a positive step for security.

At Cybaa, we do our best to embody secure by design and secure by default, so to keep your exposure to us to an absolute minimum we request only the read-only “Domain.Read.All” permission in Microsoft Graph.
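As an added example (not Cybaa’s code) of what a Domain.Read.All integration has to do to raise the alerts described in section 1: pull the tenant’s domain list from Microsoft Graph, keep the previous snapshot, and report what was added, removed or changed between runs. Token acquisition is assumed to happen elsewhere (for example the client-credentials flow), and the contoso.* domains and the two snapshots are constructed for illustration.

```python
"""Spot added, removed or altered verified domains in an Entra tenant.

Added example, not Cybaa's code. It assumes an app registration that holds
the Domain.Read.All application permission and an access token obtained
out of band; token handling is deliberately left outside this snippet.
"""
import json
import urllib.request

GRAPH_DOMAINS = "https://graph.microsoft.com/v1.0/domains"

# Fields on the Graph `domain` resource worth tracking between runs.
TRACKED_FIELDS = ("isVerified", "isDefault", "authenticationType")


def fetch_domains(access_token: str) -> list:
    """GET /domains and follow @odata.nextLink until the listing is complete."""
    url, items = GRAPH_DOMAINS, []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"}
        )
        with urllib.request.urlopen(req) as resp:  # live network call
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def snapshot(domains: list) -> dict:
    """Key each domain by its id (the FQDN) and keep only the tracked fields."""
    return {d["id"]: {f: d.get(f) for f in TRACKED_FIELDS} for d in domains}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots and return what was added, removed or changed."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(k for k in common if before[k] != after[k]),
    }


def alert_lines(before: dict, after: dict) -> list:
    """Render the diff as the lines an alert email would carry."""
    delta = diff_snapshots(before, after)
    lines = [f"ADDED   {d} (verified={after[d]['isVerified']})" for d in delta["added"]]
    lines += [f"REMOVED {d}" for d in delta["removed"]]
    for d in delta["changed"]:
        diffs = ", ".join(
            f"{f}: {before[d][f]} -> {after[d][f]}"
            for f in TRACKED_FIELDS if before[d][f] != after[d][f]
        )
        # authenticationType flipping Managed -> Federated is the one to read first:
        # sign-in for that domain now goes through an identity provider you may not control.
        lines.append(f"CHANGED {d} ({diffs})")
    return lines


# Constructed sample: two consecutive runs against a fictional tenant.
PREVIOUS_RUN = snapshot([
    {"id": "contoso.com", "isVerified": True, "isDefault": True, "authenticationType": "Managed"},
    {"id": "contoso.onmicrosoft.com", "isVerified": True, "isDefault": False, "authenticationType": "Managed"},
])
CURRENT_RUN = snapshot([
    {"id": "contoso.com", "isVerified": True, "isDefault": True, "authenticationType": "Federated"},
    {"id": "contoso.onmicrosoft.com", "isVerified": True, "isDefault": False, "authenticationType": "Managed"},
    {"id": "contoso-support.net", "isVerified": False, "isDefault": False, "authenticationType": "Managed"},
])

if __name__ == "__main__":
    # In production: CURRENT_RUN = snapshot(fetch_domains(token)), PREVIOUS_RUN loaded from storage.
    for line in alert_lines(PREVIOUS_RUN, CURRENT_RUN):
        print(line)
```

The diff is keyed on the domain’s `id` rather than on the whole object so that a domain whose authentication type or verification state changes shows up as CHANGED instead of disappearing into an add/remove pair.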


3. DNS records are “quiet until they’re not”

DNS records such as MX, SPF, and DMARC underpin email delivery and email authentication. They’re usually set once and rarely change. That slow rate of change is exactly why an unexpected change, whether made by an attacker or by accidental misconfiguration, can do significant damage:

  • An altered MX record can silently redirect all inbound mail.
  • A weakened SPF record (for example one ending in “+all” or “?all”) can open the door to spoofed messages.
  • A missing or relaxed DMARC policy (“p=none”) can make large-scale phishing easier.

Changes to these records are rare – which makes them excellent indicators of risk.

We monitor each of those records and alert you to any change. Best case, you made the change yourself; otherwise, hopefully someone made it legitimately and simply forgot to tell you; worst case, it was changed by a malicious actor.
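As an added example (not Cybaa’s code) of the baseline-and-diff check this section describes: snapshot a domain’s MX, SPF and DMARC records, compare them with the previous snapshot, and flag the weak states listed above (a permissive `all` qualifier, `p=none`, a missing or duplicated record). The live lookup assumes the dnspython package; the example.com records and both snapshots are constructed.

```python
"""Baseline-and-diff monitoring for MX, SPF and DMARC records.

Added example, not Cybaa's code. The live lookup needs dnspython
(pip install dnspython); everything else runs on the constructed
sample records at the bottom of the file.
"""
import re
from typing import Optional

RECORD_TYPES = ("MX", "SPF", "DMARC")


def fetch_records(domain: str) -> dict:
    """Live lookup of the three record sets (assumption: dnspython is installed)."""
    import dns.exception
    import dns.resolver

    def query(name, rtype):
        try:
            return list(dns.resolver.resolve(name, rtype))
        except dns.exception.DNSException:  # NXDOMAIN, NoAnswer, timeouts
            return []

    def txt(name):
        return ["".join(s.decode() for s in r.strings) for r in query(name, "TXT")]

    return {
        "MX": sorted(f"{r.preference} {r.exchange}" for r in query(domain, "MX")),
        "SPF": sorted(t for t in txt(domain) if t.lower().startswith("v=spf1")),
        "DMARC": sorted(t for t in txt(f"_dmarc.{domain}") if t.lower().startswith("v=dmarc1")),
    }


def spf_all_qualifier(spf: str) -> Optional[str]:
    """Qualifier on the terminating `all` mechanism ('+', '-', '~', '?'), or None if absent."""
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None


def dmarc_tags(dmarc: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(records: dict) -> list:
    """Return the weak states in a snapshot; an empty list means nothing to flag."""
    findings = []
    if not records["MX"]:
        findings.append("MX: no record, inbound mail undeliverable")
    if not records["SPF"]:
        findings.append("SPF: no record")
    elif len(records["SPF"]) > 1:
        findings.append("SPF: multiple records, receivers treat this as permerror")
    else:
        q = spf_all_qualifier(records["SPF"][0])
        if q in ("+", "?", None):
            findings.append(f"SPF: weak terminator {q!r}, unauthorised senders are not failed")
    if not records["DMARC"]:
        findings.append("DMARC: no record")
    elif dmarc_tags(records["DMARC"][0]).get("p", "none").lower() == "none":
        findings.append("DMARC: p=none, policy is monitor-only")
    return findings


def diff_records(baseline: dict, current: dict) -> dict:
    """Record types whose value set changed, mapped to (old, new)."""
    return {
        t: (baseline.get(t, []), current.get(t, []))
        for t in RECORD_TYPES if baseline.get(t, []) != current.get(t, [])
    }


# Constructed sample: a healthy baseline and a later run with all three records altered.
BASELINE = {
    "MX": ["0 example-com.mail.protection.outlook.com."],
    "SPF": ["v=spf1 include:spf.protection.outlook.com -all"],
    "DMARC": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}
LATER_RUN = {
    "MX": ["0 example-com.mail.protection.outlook.com.", "10 mx.example.net."],
    "SPF": ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ?all"],
    "DMARC": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    # In production LATER_RUN would come from fetch_records("example.com").
    for rtype, (old, new) in diff_records(BASELINE, LATER_RUN).items():
        print(f"CHANGED {rtype}: {old} -> {new}")
    for finding in assess(LATER_RUN):
        print(f"WEAK    {finding}")
```

Record sets are sorted before comparison because resolvers return them in arbitrary order; without that, a rotated MX list would fire a false alert on every run.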


Bringing it together

Your domains and DNS records might not change often, but when they do, it’s usually a sign worth investigating. By keeping a close watch, you can:

  • Detect insider threats or configuration mistakes early
  • Reduce the risk of email redirection or spoofing attacks
  • Maintain confidence in the integrity of your identity infrastructure

Cybaa was built to make this easy. By combining tenant-level visibility with DNS monitoring, we help organisations stay one step ahead of both mistakes and malicious activity.

👉 Learn more about how Cybaa can protect your tenant domains at cybaa.io.
