By now it’s well known that cyberattackers consider Active Directory their favorite target. AD—the primary identity store for 90% of businesses worldwide—was built for efficient user authentication and access management, but many legacy on-premises AD environments have risky misconfigurations that have accumulated over time. By exploiting AD security gaps, attackers can gain network control, potentially bringing business operations to a halt.
What’s less understood is the inherent complications of protecting a hybrid AD environment that includes both on-prem AD and Entra ID (formerly Azure AD), which is the case for most businesses. In a hybrid identity environment, the attack surface expands and many organizations lack the tools and expertise to effectively guard against malicious behavior.
Let’s dive into the often-overlooked security implications of managing identity resources across AD and Entra ID—and how to close those gaps with Semperis Disaster Recovery for Entra Tenant (DRET), which we’ve renamed and refreshed with expanded capabilities.
1. Entra ID misconfigurations cause security problems
As with on-prem AD, Entra ID can be riddled with countless misconfigurations that have accumulated over time and expose organizations to attacks. Configurations that diverge from organizational policies can cause unintended consequences, affecting security and user interaction and even potentially causing a denial of service. In the 2023 Purple Knight Report, which surveyed users of Semperis’ community-driven security assessment tool, 55% of organizations reported finding 5 or more security vulnerabilities in their Entra ID environments. Those indicators included privileged groups that contain a guest account, users or devices that have been inactive for more than 90 days, and multiple indicators related to misconfigured conditional access policies.
2. The Entra ID recycle bin won’t save you
Although the Entra ID recycle bin can protect against some unfortunate mistakes, its power is limited. Users, Microsoft 365 groups, and applications that were soft-deleted can be recovered from the recycle bin within 30 days. But many other object types are immediately hard-deleted and can’t be restored. In one case that we’re familiar with, 1,600-plus Entra ID service principals were accidentally deleted, causing line-of-business applications to go offline. The organization was forced to manually recreate these apps in Entra ID, and administrators worked non-stop for 28 days to restore all services. Another downside of the Entra ID recycle bin is that it helps only in cases of deletions—it’s useless if objects are modified.
3. Failure to understand the IdP shared responsibility model leaves security gaps
As the identity provider (IdP) for Entra ID, Microsoft provides various capabilities that help you prepare for a security incident, such as identity and access management (IAM) functionality, tools for documentation, log availability and consistency, and platform security. If you need to recover from malicious or unintentional changes or deletions, Microsoft also provides time-limited availability of soft-deleted resources (the recycle bin) and availability of APIs. But to prepare for an incident, as the customer you are responsible for disaster planning, documenting known good states, monitoring and data retention, and operational security. In the case of an attack, you need the ability to restore soft-deleted and hard-deleted resources, prior configurations, and misconfigured resources. Without a tested plan, an attack on Entra ID could leave you scrambling to rebuild these resources—a process that typically takes days or weeks for most organizations.
4. Attackers are targeting Entra ID
The increase in attacks targeting Entra ID should raise alarm bells for any organization with a hybrid identity environment—which is most often the case. (According to the Semperis report Evaluating Identity Threat Detection & Response Solutions, 80% of organizations use a hybrid identity system that encompasses both on-prem AD and Entra ID.) As with the infamous Kaseya and SolarWinds breaches, cybercriminals are exploiting security weaknesses in hybrid identity systems by gaining entry in the cloud and moving to the on-premises identity system—or vice versa. A favorite target for cyberattackers is the cloud service that organizations tend to adopt first and fastest—Microsoft 365. Mandiant researchers reported an increase in incidents involving Microsoft 365 and Entra ID, mostly tied to phishing activities that lured users into sharing their Office 365 credentials. Mandiant researchers also saw attackers using AADInternals, a PowerShell module that lets them navigate from the on-prem AD environment to Entra ID, where they can create backdoors, steal passwords, and establish persistence.
Closing cloud identity system security gaps
Building on our strong foundation of providing comprehensive security and recovery solutions for AD, Semperis Disaster Recovery for Entra Tenant (DRET) addresses the glaring security risks we’ve seen in many hybrid AD environments. DRET picks up where the Entra ID recycle bin leaves off by providing recoverability for business-critical Entra ID resources and ensuring secure storage and flexible management for your Entra ID data.
Here’s a quick snapshot of how DRET can help you prepare for and recover from malicious or unwanted changes to your Entra ID tenant:
- Recovers hard-deleted user objects
- Recovers security groups
- Recovers conditional access policies
- Supports selective restore of individual objects
- Supports bulk restore of multiple objects
- Retains multiple backup versions
- Provides secure storage (SOC 2 Type II compliant and ISO 27001 certified) for Entra ID data with an option for Bring Your Own Key (BYOK) encryption
- Provides a choice of Microsoft Azure data centers in the US, EU, or Australia
Given the increased prevalence of attacks on hybrid identity systems, ensuring the recoverability of Entra ID resources is now a top priority for many organizations. Disaster Recovery for Entra Tenant helps you accomplish this mission by providing secure, reliable backup and recovery for your critical Entra ID data, eliminating time-consuming storage management hassles and ensuring fast post-attack recovery.
More resources