Four Reasons to Increase Recoverability of Entra ID Resources


Active Directory (AD) was built for efficient user authentication and access management. However, many legacy on-premises AD environments have risky misconfigurations that have accumulated over time. As a result, it’s now well known that cyber attackers consider AD their favourite target. By exploiting AD security gaps, attackers can gain network control, potentially bringing business operations to a halt.

What’s less understood are the inherent complications of protecting a hybrid AD environment that includes both on-prem AD and Entra ID (formerly Azure AD), which is the case for most businesses. In a hybrid identity environment, the attack surface expands, and many organisations lack the tools and expertise to effectively guard against malicious behaviour.

This article will look at the often-overlooked security implications of managing identity resources across AD and Entra ID—and how to close those gaps.

Article contributed by Tuna Gezer, Semperis

1. Entra ID misconfigurations cause security problems

As with on-prem AD, Entra ID can be riddled with countless misconfigurations that have accumulated over time and expose organisations to attacks. Configurations that diverge from organisational policies can cause unintended consequences, affecting security and user interaction and even potentially causing a denial of service.

In the 2023 Purple Knight Report, which surveyed users of Semperis’ community-driven security assessment tool, 55% of organisations reported finding five or more security vulnerabilities in their Entra ID environments. Those indicators included privileged groups that contain a guest account, users or devices that have been inactive for more than 90 days, and multiple indicators related to misconfigured conditional access policies.

2. The Entra ID recycle bin won’t save you

Although the Entra ID recycle bin can protect against some unfortunate mistakes, its power is limited. Users, Microsoft 365 groups, and applications that were soft-deleted can be recovered from the recycle bin within 30 days. But many other object types are immediately hard-deleted and can’t be restored.

In one case that we’re familiar with, 1,600-plus Entra ID service principals were accidentally deleted, causing line-of-business applications to go offline. The organisation was forced to manually recreate these apps in Entra ID, and administrators worked non-stop for 28 days to restore all services. Another downside of the Entra ID recycle bin is that it helps only in cases of deletions—it’s useless if objects are modified.

3. Failure to understand the IdP shared responsibility model leaves security gaps

As the identity provider (IdP) for Entra ID, Microsoft provides various capabilities that help you prepare for a security incident, such as identity and access management (IAM) functionality, tools for documentation, log availability and consistency, and platform security. If you need to recover from malicious or unintentional changes or deletions, Microsoft also provides time-limited availability of soft-deleted resources (the recycle bin) and availability of APIs.

But to prepare for an incident, as the customer you are responsible for disaster planning, documenting known good states, monitoring and data retention, and operational security. In the case of an attack, you need the ability to restore soft-deleted and hard-deleted resources, prior configurations, and misconfigured resources. Without a tested plan, an attack on Entra ID could leave you scrambling to rebuild these resources—a process that typically takes days or weeks for most organisations.
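The two points above (the recycle bin only covers some object types, only for 30 days, and only for deletions; the customer is responsible for documenting known-good states) come together in a simple control: keep a documented snapshot of the objects you care about and compare it against the live tenant. The script below is an added example, not Semperis code or a Microsoft API, and all of its data is constructed. It assumes that in a real tenant the two lists would be exported from Microsoft Graph (for example /users, /groups, /applications, /servicePrincipals and /identity/conditionalAccess/policies) and the recycle-bin contents from /directory/deletedItems; the soft-delete object types and the 30-day window are taken from the article. Every difference is classified as something the recycle bin can restore, something that must be rebuilt from the snapshot, or a modification the recycle bin would never have caught.

```python
"""Drift report between a documented known-good Entra ID state and the live tenant.

Added example with constructed data. In practice KNOWN_GOOD would be an export you
took on a known-good day, CURRENT a fresh export, and RECYCLE_BIN the output of
Microsoft Graph /directory/deletedItems (id -> deletedDateTime).
"""
from datetime import datetime, timedelta, timezone
import json

# Object types the article says the recycle bin soft-deletes, and for how long.
SOFT_DELETE_TYPES = {"user", "group", "application"}
SOFT_DELETE_WINDOW = timedelta(days=30)
# Identity keys are not treated as attribute changes.
IGNORED_ATTRIBUTES = {"id", "type"}

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)

# Constructed known-good snapshot (the documented good state).
KNOWN_GOOD = [
    {"id": "u-1", "type": "user", "displayName": "Alice", "accountEnabled": True},
    {"id": "u-2", "type": "user", "displayName": "Bob", "accountEnabled": True},
    {"id": "g-1", "type": "group", "displayName": "Finance", "members": ["u-1"]},
    {"id": "app-1", "type": "application", "displayName": "Legacy portal"},
    {"id": "sp-1", "type": "servicePrincipal", "displayName": "Payroll API",
     "appRoleAssignmentRequired": True},
    {"id": "ca-1", "type": "conditionalAccessPolicy", "displayName": "Require MFA",
     "state": "enabled"},
]

# Constructed live state: u-2, app-1 and sp-1 are gone, g-1 gained a member,
# ca-1 was switched off, and an unknown service principal appeared.
CURRENT = [
    {"id": "u-1", "type": "user", "displayName": "Alice", "accountEnabled": True},
    {"id": "g-1", "type": "group", "displayName": "Finance", "members": ["u-1", "u-9"]},
    {"id": "ca-1", "type": "conditionalAccessPolicy", "displayName": "Require MFA",
     "state": "disabled"},
    {"id": "sp-2", "type": "servicePrincipal", "displayName": "Unknown app",
     "appRoleAssignmentRequired": False},
]

# Constructed recycle-bin contents. u-2 was soft-deleted 25 days ago (still
# restorable); app-1 was soft-deleted 40 days ago (window expired); sp-1 was
# hard-deleted and therefore never appears here.
RECYCLE_BIN = {
    "u-2": NOW - timedelta(days=25),
    "app-1": NOW - timedelta(days=40),
}


def _by_id(objects):
    return {obj["id"]: obj for obj in objects}


def _diff_attributes(before, after):
    """Return {attribute: (old, new)} for every attribute that differs."""
    keys = (set(before) | set(after)) - IGNORED_ATTRIBUTES
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


def classify_deletion(obj, recycle_bin, now):
    """Decide whether a missing object can still come back from the recycle bin."""
    if obj["type"] in SOFT_DELETE_TYPES and obj["id"] in recycle_bin:
        remaining = recycle_bin[obj["id"]] + SOFT_DELETE_WINDOW - now
        if remaining > timedelta(0):
            return {"action": "restore_from_recycle_bin", "days_left": remaining.days}
    # Hard-deleted type, or soft-delete window already expired: only a snapshot helps.
    return {"action": "rebuild_from_snapshot", "days_left": 0}


def drift_report(known_good, current, recycle_bin, now):
    """Compare the documented state with the live state and classify every change."""
    baseline, live = _by_id(known_good), _by_id(current)
    report = {"deleted": [], "modified": [], "added": []}
    for oid, obj in baseline.items():
        if oid not in live:
            entry = {"id": oid, "type": obj["type"], "displayName": obj["displayName"]}
            entry.update(classify_deletion(obj, recycle_bin, now))
            report["deleted"].append(entry)
            continue
        changes = _diff_attributes(obj, live[oid])
        if changes:  # the recycle bin never helps here: nothing was deleted
            report["modified"].append({"id": oid, "type": obj["type"], "changes": changes})
    for oid, obj in live.items():
        if oid not in baseline:  # unexpected objects deserve a look too
            report["added"].append({"id": oid, "type": obj["type"], "displayName": obj["displayName"]})
    return report


if __name__ == "__main__":
    print(json.dumps(drift_report(KNOWN_GOOD, CURRENT, RECYCLE_BIN, NOW), indent=2, default=str))
```

Running the script on the constructed data reports the user u-2 as restorable with 5 days left, the application app-1 and the service principal sp-1 as rebuild-only (the window has expired for one and never existed for the other), the disabled conditional access policy and the changed group membership as modifications, and sp-2 as an addition to investigate. A real snapshot should be taken on a schedule and stored outside the tenant, since a snapshot that lives only in the tenant is lost with it.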

4. Attackers are targeting Entra ID

The increase in attacks targeting Entra ID should raise alarm bells for any organisation with a hybrid identity environment—which is most often the case. (According to the Semperis report Evaluating Identity Threat Detection & Response Solutions, 80% of organisations use a hybrid identity system that encompasses both on-prem AD and Entra ID.) As with the infamous Kaseya and SolarWinds breaches, cybercriminals are exploiting security weaknesses in hybrid identity systems by gaining entry in the cloud and moving to the on-premises identity system—or vice versa.

A favourite target for cyber attackers is the cloud service that organisations tend to adopt first and fastest—Microsoft 365. Mandiant researchers reported an increase in incidents involving Microsoft 365 and Entra ID, mostly tied to phishing activities that lured users into sharing their Office 365 credentials. Mandiant researchers also saw attackers using AADInternals, a PowerShell module that lets them navigate from the on-prem AD environment to Entra ID, where they can create backdoors, steal passwords, and establish persistence.

Closing cloud identity system security gaps

Building on our strong foundation of providing comprehensive security and recovery solutions for AD, Semperis Disaster Recovery for Entra Tenant (DRET) addresses the glaring security risks we’ve seen in many hybrid AD environments. DRET picks up where the Entra ID recycle bin leaves off by providing recoverability for business-critical Entra ID resources and ensuring secure storage and flexible management for Entra ID data.

Given the increased prevalence of attacks on hybrid identity systems, ensuring the recoverability of Entra ID resources is now a top priority for many organisations. Disaster Recovery for Entra Tenant helps to accomplish this mission by providing secure, reliable backup and recovery for critical Entra ID data, eliminating time-consuming storage management hassles and ensuring fast post-attack recovery.
