10 Proven Steps to Defend Against Identity Threats

Steven Shapiro
July 10, 2025

Active Directory and Entra ID Are Prime Targets for Attacks

Vulnerabilities in AD and Entra ID that go unnoticed or unaddressed open the door to attackers who want to steal data or disrupt operations. It is your responsibility to close it.

Common threats and exploits against Active Directory and Entra ID

To detect vulnerabilities proactively, you need to understand the common attack vectors that lead to infiltration and exploitation. Some are specific to AD or to Entra ID; others are shared risks, as indicated below.

  • Credential theft and authentication exploits

A wide range of weaknesses, such as insufficient or unenforced password policies, exposed replication protocols, and social engineering, can leave you open to the credential theft attacks listed below. In Entra ID the result is account takeover, and data exfiltration and privilege escalation of every kind can follow.

  • Phishing (AD and Entra ID): Credentials entered on a fake login page are captured by the attacker. If the fake page also proxies the real sign-in and intercepts the resulting session token, MFA is bypassed as well.

  • Password Spraying: (AD and Entra ID): Targeting weak passwords and password policies, attackers “spray” common passwords across many accounts to avoid lockouts and detection by monitors.

  • Credential Stuffing (AD and Entra ID): Attackers already possessing valid username/password combinations from previous credential theft attacks can use them to attack at scale, executing millions of login requests quickly.

  • Kerberoasting (AD) (Entra ID via hybrid trust): A compromised valid user account requests Kerberos service tickets for accounts with Service Principal Names (SPNs). The tickets are cracked offline (so the cracking itself generates no events), and the recovered plaintext password is used to spread the attack.

  • DCSync (AD) (Entra ID via hybrid synchronization): Attackers holding an account with directory replication rights mimic a domain controller and use the replication protocol to request password hashes for any account, including KRBTGT.

  • Golden Ticket (AD): Attackers gain persistent access by compromising the KRBTGT account hash and generating unlimited tickets.

  • Token replay (AD and Entra ID): Attackers intercept tokens using Adversary-in-the-Middle (AiTM) tools, for example, then have access even with MFA in place.

  • Pass-the-Hash (AD and Entra ID) Password hashes are stolen and allow authentication without cleartext passwords.

  • Legacy protocol abuse (AD and Entra ID): Legacy authentication protocols such as NTLM, SMTP AUTH, POP3, and IMAP cannot enforce MFA, which leaves the door open to brute-force and password-spray attacks against AD and Entra ID accounts.

  • Privilege escalation (AD and Entra ID)

Attacks that exploit misconfigured or overly permissive roles let an attacker escalate from an ordinary foothold to administrative access. Common techniques are credential theft, group manipulation, and GPO abuse in AD, and role abuse, OAuth scope manipulation, and application/service principal abuse in Entra ID.

Preventing these attacks requires proactive detection through monitoring, strict access controls, and rigorous (and enforced) approval workflows.

  • Lateral Movement (AD and Entra ID)

Post-breach tactics let attackers pivot across systems from compromised low-privileged accounts toward high-value assets such as domain controllers in AD, turning a single compromise into a domain-wide one. The Entra ID techniques are somewhat different.

  • Pass-the-Ticket (AD): Stolen Kerberos tickets grant unauthorized access to remote systems.

  • Mimikatz (AD): Credentials, hashes, and Kerberos tickets extracted from memory (LSASS) are reused for lateral movement.

  • Kerberos delegation attacks (AD): Misconfigured delegation is used to impersonate users across services.

  • Cross-tenant synchronization abuse (Entra ID): The B2B collaboration feature is used to move laterally between partner tenants, and malicious accounts can be provisioned for persistent access or escalation.

  • Intune permission exploitation (Entra ID): Service principals with permissions to alter device management attributes may be compromised to enable lateral movement.

  • Service Principal Compromise (Entra ID): Hijacked service principals with excessive permissions are used to move laterally.

Use a Three-pronged Approach to Reduce the Attack Surface

1) Awareness of vulnerabilities

2) Awareness of in-process identity threats and exploits

3) Take action to address vulnerabilities and the spread of ongoing attacks

Indicators of Exposure (IOEs): Before attacks occur, vulnerabilities lurk. To be proactive, security operations teams must find those vulnerabilities and then determine the best way to fix each of them.

Indicators of Compromise (IOCs): Some liken an IOC to a piece of forensic evidence – it is data that identifies potentially malicious activity. A security breach has perhaps already happened, or an attack is underway.

Actions to take for mitigation and remediation.

Map vulnerabilities and in-process exploits against a standard security framework like MITRE ATT&CK (https://attack.mitre.org/) for recommended actionable mitigation tasks to harden against actual attack techniques that threat actors have used in past attacks.

10 Steps to Attack Surface Hardening

How to stop attacks in your environment? There are some time-tested best practices for doing just that. IOEs and IOCs are prominently mentioned, as are MITRE ATT&CK mitigations.

1. Implement Least Privilege Models

  • Assign users the minimum permissions necessary for their roles. Avoid granting excessive privileges, especially for day-to-day tasks. Use just-in-time or privileged access management (PAM) or PIM (in Entra ID) solutions to grant admin rights only when needed and revoke them automatically after the task is complete. And instead of granting broad admin rights to allow specific tasks to be done, delegate only the necessary permissions for those tasks using custom groups.

  • Delegate specific tasks at the Organizational Unit or object level in AD, and in Entra ID at the directory, application, or resource level.

  • For sensitive resources, use RBAC to systematically restrict access. Regularly review and adjust group memberships and role assignments to ensure only authorized personnel retain elevated privileges.

Related MITRE ATT&CK techniques (T…) and mitigations (M…): T1003, T1134, M1026, M1015, M1018, T1558

2. Setup and Enforce Authentication and Access Controls

  • Make sure no account has “Do not require Kerberos preauthentication” set; pre-authentication is on by default, and an account without it is exposed to AS-REP Roasting. Enforce strong, unique passwords (ideally passphrases of at least 30 characters) and, where the tooling is available, block known breached passwords. Monitor for accounts configured without Kerberos pre-authentication or with weak passwords and raise alerts for immediate awareness and remediation.

  • Require MFA for all users, neutralizing the use of stolen passwords for Active Directory and Entra ID infiltration. MFA also reduces the risk of lateral movement by attackers. In Entra ID, enable security defaults to enforce MFA registration and to block legacy authentication; note that security defaults cannot be combined with Conditional Access, so tenants that use Conditional Access must implement the same MFA and legacy-authentication blocking in their policies.

  • Require robust authentication for every connection. Removing implicit trust will make it much harder for attackers to succeed. And it strengthens defense against insider threats by either enforcing additional authentication, limiting permissions, or denying access completely. And limit guest user permissions.

  • Disable or delete inactive, orphaned, or unnecessary user and service accounts. Continuous or regular monitoring will detect them, which leaves you better equipped to thwart threats from insiders and former employees and eliminates an easy entry point for malicious actors.

Related MITRE ATT&CK techniques and mitigations: T1556.001, T1621, T1040, M1015, M0915, M1036, M1018

3. Adopt Tiered Administration and Network Segmentation

  • Separate administrative activities by implementing a tiered model (e.g., Tier 0 for domain controllers and identity infrastructure, Tier 1 for servers and applications, Tier 2 for workstations and end users). Admin accounts are then confined to their tier and cannot log on to hosts in other tiers. The goal is to protect critical resources such as domain controllers from an attacker pivoting out of a compromised workstation: Tier 0 credentials are never exposed on lower-tier hosts, which breaks pass-the-hash and similar credential theft paths, and a service account cracked via Kerberoasting in a lower tier does not lead to Tier 0.

  • Restrict administrative access to dedicated, hardened workstations that are isolated from internet access and general user environments.

  • Domain controllers, Entra ID privileged roles, and any other core identity infrastructure components should be isolated from all other workstations and servers, minimizing risks of broader attacks.

  • Use penetration tests, and alert on cross-tier authentication attempts (e.g., a Tier 1 account on a Tier 0 host, or a Tier 0 account on a Tier 2 workstation), to validate segmentation and correct it where necessary.

Related MITRE ATT&CK techniques and mitigations: T1482, T1136, T1098, M1026, M1030, M1047, T1536.002, M1015
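The cross-tier alerting described in this step can be expressed as a rule over Windows Security event 4624 (successful logon) records. The Python below is an added example, not code from the original post; the tier assignments, host names, account names and sample events are constructed for illustration. It also distinguishes logon types that leave reusable credential material in LSASS on the target host (interactive, batch, service, RDP) from network logons, because that distinction decides whether a violation has actually exposed a higher-tier credential.

```python
# Added example: detect logons that cross tiers, from Windows Security event 4624
# records. Tier maps, hosts, accounts and events are constructed for illustration.

# Lower tier number = more privileged. Tier 0 credentials must never be typed
# into or cached on a Tier 1/2 host, and lower-tier admins must never get an
# interactive session on a higher-tier host.
ACCOUNT_TIER = {
    "CORP\\t0-admin-alice": 0,
    "CORP\\t1-admin-bob": 1,
    "CORP\\carol": 2,
}
HOST_TIER = {"DC01": 0, "PAW01": 0, "SQL01": 1, "WS-CAROL": 2}

# 4624 logon types that leave reusable credential material (NT hash, TGT) in
# LSASS on the target host: 2 interactive, 4 batch, 5 service, 10 RDP,
# 11 cached interactive. Type 3 (network) authenticates without caching.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}


def classify_logon(event):
    """Return (severity, kind, account, host, logon_type) for a tier-crossing
    4624 event, or None when the logon is within policy or unclassified."""
    if event.get("EventID") != 4624:
        return None
    account = f'{event["TargetDomainName"]}\\{event["TargetUserName"]}'
    host = event["Computer"]
    acct_tier = ACCOUNT_TIER.get(account)
    host_tier = HOST_TIER.get(host)
    if acct_tier is None or host_tier is None:
        return None  # not in the tier model yet: an inventory gap, not a violation
    logon_type = int(event["LogonType"])
    caches = logon_type in CREDENTIAL_CACHING_LOGON_TYPES
    if acct_tier < host_tier:
        # Higher-tier credential presented to a lower-tier host: the pivot
        # path for pass-the-hash / Mimikatz if that host is compromised.
        return ("high" if caches else "medium",
                "higher-tier-account-on-lower-tier-host", account, host, logon_type)
    if acct_tier > host_tier and caches:
        # Lower-tier account got an interactive/RDP/service session on a
        # higher-tier host: the "Deny log on ..." user rights did not hold.
        return ("high", "lower-tier-account-on-higher-tier-host", account, host, logon_type)
    return None


def find_tier_violations(events):
    """All tier violations in a batch of events, in input order."""
    return [v for v in map(classify_logon, events) if v is not None]


# Constructed sample events (subset of the 4624 fields).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "t0-admin-alice", "LogonType": "10"},
    {"EventID": 4624, "Computer": "WS-CAROL", "TargetDomainName": "CORP", "TargetUserName": "t0-admin-alice", "LogonType": "10"},
    {"EventID": 4624, "Computer": "SQL01", "TargetDomainName": "CORP", "TargetUserName": "t0-admin-alice", "LogonType": "3"},
    {"EventID": 4624, "Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "t1-admin-bob", "LogonType": "10"},
    {"EventID": 4624, "Computer": "SQL01", "TargetDomainName": "CORP", "TargetUserName": "carol", "LogonType": "3"},
    {"EventID": 4624, "Computer": "WS-CAROL", "TargetDomainName": "CORP", "TargetUserName": "carol", "LogonType": "2"},
    {"EventID": 4624, "Computer": "SQL01", "TargetDomainName": "CORP", "TargetUserName": "unknown-svc", "LogonType": "5"},
]

if __name__ == "__main__":
    for violation in find_tier_violations(SAMPLE_EVENTS):
        print(*violation)
```

Unclassified accounts and hosts are deliberately not reported as violations: they indicate that the tier inventory is incomplete, which is a separate finding to track. A Tier 2 user reaching a Tier 1 server with a network logon (type 3) is ordinary file-share or application traffic and is not flagged.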

4. Harden and Monitor Service Accounts

  • Service accounts are high-value targets for attacks in AD and Entra ID because of their elevated privileges and broad access. They deserve special attention in your attempts to reduce the attack surface and repel attackers.

  • Wherever possible, use Group Managed Service Accounts (gMSAs) in AD, or Managed Identities in Entra ID, for automated password management and rotation, reducing the risk of password-based attacks on service accounts.

  • In Entra ID the counterpart of an AD service account is a service principal (the identity of an app registration), not an account with SPNs. Limit its permissions, avoid assigning it privileged directory roles, prefer certificate credentials over client secrets, and reserve service principals for workloads that cannot use a managed identity, such as non-Azure-hosted services or multi-tenant applications. Use Conditional Access to restrict sign-ins by location or risk (for workload identities) and by device compliance (for users).

  • Use the “Log On To” property to restrict which computers a service account can log on to, limiting it to the hosts that actually run the service. Don’t copy old service accounts; create new ones from scratch so that excessive permissions are not inherited. Regular audits of service account permissions and usage will detect unnecessary access. Place service accounts in dedicated OUs and apply Group Policies to them so that restrictions are monitored and enforced consistently.

Related MITRE ATT&CK techniques and mitigations: M1015, M1026, T1078, M1018, M1032
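The checks in steps 2 and 4 (accounts without Kerberos pre-authentication, weak or never-expiring passwords, stale accounts, over-privileged service accounts) are Indicators of Exposure that can be computed from an export of user objects. The Python below is an added example, not the post’s own tooling; it works on constructed records that use the real AD attribute names (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes, memberOf, lastLogonTimestamp), and the account names, group DNs and thresholds are assumptions.

```python
# Added example: an Indicators-of-Exposure scan over exported AD user objects.
# Records, names and thresholds are constructed for illustration.
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (values from the AD schema).
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000        # AS-REP roastable

# msDS-SupportedEncryptionTypes bits.
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1 = 0x8
AES256_CTS_HMAC_SHA1 = 0x10
AES_ANY = AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
STALE_AFTER = timedelta(days=90)


def group_cn(dn):
    """CN of a group DN such as 'CN=Domain Admins,CN=Users,DC=corp,DC=example'."""
    return dn.split(",", 1)[0].removeprefix("CN=")


def scan_user(u, now):
    """Return the list of IOE names that apply to one user/service account record."""
    uac = u.get("userAccountControl", 0)
    etypes = u.get("msDS-SupportedEncryptionTypes", 0)  # 0 / unset: no AES advertised
    has_spn = bool(u.get("servicePrincipalName"))
    is_gmsa = "msDS-GroupManagedServiceAccount" in u.get("objectClass", [])
    groups = {group_cn(dn) for dn in u.get("memberOf", [])}
    findings = []
    if uac & DONT_REQ_PREAUTH:
        findings.append("kerberos-preauth-disabled")
    if uac & PASSWD_NOTREQD:
        findings.append("password-not-required")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if has_spn and not (etypes & AES_ANY):
        findings.append("spn-without-aes")  # TGS can be obtained RC4-encrypted: cheap to crack
    if has_spn and groups & PRIVILEGED_GROUPS:
        findings.append("spn-in-privileged-group")  # Kerberoast -> Tier 0 in one step
    if has_spn and not is_gmsa and uac & DONT_EXPIRE_PASSWORD:
        findings.append("service-password-never-expires")  # gMSAs rotate automatically
    last = u.get("lastLogonTimestamp")
    # lastLogonTimestamp replicates lazily (it can lag up to ~14 days), so it is
    # only suitable for coarse staleness thresholds, not for "last seen" forensics.
    if last is not None and now - last > STALE_AFTER:
        findings.append("stale-account")
    return findings


def scan_directory(users, now):
    """Map sAMAccountName -> findings, omitting accounts that have none."""
    report = {}
    for u in users:
        findings = scan_user(u, now)
        if findings:
            report[u["sAMAccountName"]] = findings
    return report


NOW = datetime(2025, 7, 10, tzinfo=timezone.utc)  # fixed so the sample is reproducible


def _days_ago(n):
    return NOW - timedelta(days=n)


DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
SAMPLE_USERS = [  # constructed records
    {"sAMAccountName": "svc_sql", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC, "memberOf": [DA], "lastLogonTimestamp": _days_ago(1)},
    {"sAMAccountName": "jdoe", "objectClass": ["user"], "userAccountControl": 0x400200,
     "lastLogonTimestamp": _days_ago(3)},
    {"sAMAccountName": "contractor_old", "objectClass": ["user"], "userAccountControl": 0x200,
     "lastLogonTimestamp": _days_ago(200)},
    {"sAMAccountName": "gmsa_web$", "objectClass": ["user", "msDS-GroupManagedServiceAccount"],
     "userAccountControl": 0x1000, "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES_ANY, "lastLogonTimestamp": _days_ago(1)},
    {"sAMAccountName": "admin_ok", "objectClass": ["user"], "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": AES_ANY, "memberOf": [DA], "lastLogonTimestamp": _days_ago(1)},
]

if __name__ == "__main__":
    for account, findings in scan_directory(SAMPLE_USERS, NOW).items():
        print(account, ", ".join(findings))
```

The same scan also covers the AES-only Kerberos requirement from step 9: an SPN account whose msDS-SupportedEncryptionTypes has no AES bit will hand out RC4-encrypted service tickets, which are the ones worth roasting. In a real run the records would come from an LDAP export; the gMSA case shows why objectClass has to be part of that export, otherwise managed accounts are reported for a password that rotates anyway.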

5. Apply Secure Configuration

  • Deploy domain controllers using the Server Core installation option, which minimizes the installed components and therefore the exploitable surface. Disable SMBv1, restrict NTLM (audit first, then block where nothing depends on it), and remove unused services and features (IIS, Print Spooler) from domain controllers.

  • Enable advanced auditing for changes to AD objects: the ‘Audit Directory Service Changes’ subcategory for object modifications, plus ‘Audit User Account Management’ and ‘Audit Computer Account Management’. Critical events are:

    • Event 4738: User account changed.

    • Event 4742: Computer account modified.

    • Event 5136: Directory service object modified (records the attribute and the new value).

  • Review and amend default security settings in AD and Entra ID to constantly improve the organization’s security posture by focusing on reducing the number of potential entry points for attackers. This should include:

    • Inventory all AD components, including DCs, privileged accounts, service accounts, and network connections.

    • Map dependencies and interactions between AD and other critical systems, then prioritize security controls and monitoring for those dependencies. Examine the dependencies you identified for any that are unnecessary and could be exploited; removing them directly reduces the attack vectors in your environment.

    • Apply the Tier Model in AD accordingly to minimize the risk of widespread impact from a single compromise.

Related MITRE ATT&CK techniques and mitigations: T1543, M1026, M1028, M1047, T1562.010, M1041, T

6. Enforce Patch Management

  • Patch management is often considered the most effective activity for reducing the attack surface in AD and Entra ID.

  • Regularly update and patch all AD systems, including domain controllers and administrative hosts, to address known vulnerabilities, reducing ways in for attackers. And fully patch Entra ID hybrid components, like Entra Connect, and admin workstations.

  • Patching also proactively updates your defenses as known threats evolve, and new threats appear.

Related MITRE ATT&CK mitigation: M1051

7. Implement Continuous Monitoring

  • Monitoring is widely considered essential to improving the AD and Entra ID security posture, allowing you to detect suspicious activity and threats quickly.

  • Monitor all changes to users, roles, groups, and policies. This includes tracking who made a change, when, and what was changed. Monitor directory changes, privileged account activities, and authentication attempts to detect suspicious behavior quickly.

  • Set up real-time alerts for critical changes (like role assignments or risky sign-ins) for quick response.

  • Delegation can open doors to attackers, so monitor delegations for excessive permissions. For example, Resource-Based Constrained Delegation (RBCD) is configured on the target computer object itself (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute), so anyone with write access to a computer object can grant a principal they control the right to impersonate users to that computer and use it for lateral movement.

Related MITRE ATT&CK techniques, mitigations and data sources: T1558, T1003.006, T1098, M1015, DS0026, M1056, M1057, M1017

8. Use Auditing

  • Auditing will help you detect and investigate potential threats early.

  • Audit successful account management, successful directory service access, and successful and failed logon events. Mitigate threats by auditing for relevant events such as configuration changes, group memberships, delegations and privilege assignments. Maintain the resulting logs to help guide incident response and for compliance reporting.

  • For example, accounts configured for “unconstrained” delegation, or non-admin accounts able to create machine accounts (the default ms-DS-MachineAccountQuota of 10 lets any domain user join computers to the domain), should be deemed suspicious until proven otherwise. Make sure your auditing is filtered to capture these.

  • Ensure that the forensic trail of these and related actions and their results are stored securely to help with detection, investigation, and responses.

Related MITRE ATT&CK techniques and mitigations: T1003.006, T1558.003, T1134, T1558.001, T1036, T1556, T1070, M1047
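Steps 7 and 8 come together when the audited events are fed into detection rules. The Python below is an added example, not part of the original post; it runs four Indicator-of-Compromise rules over constructed Windows Security event records that use the real field names of events 4769, 4662, 5136 and 4728, and the replication control-access GUIDs are the documented ones. The domain controller names, account names, thresholds and sample events are assumptions.

```python
# Added example: identity IOC rules run over constructed Windows Security event
# records (field names follow the 4769 / 4662 / 5136 / 4728 event schemas).
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access rights on the domain naming context that DCSync requires.
DS_REPLICATION_GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
DS_REPLICATION_GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals expected to replicate: DC computer accounts (and, in a hybrid
# tenant, the Entra Connect service account). Assumed names for this example.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RC4_HMAC = "0x17"                        # TicketEncryptionType value in 4769
KERBEROAST_MIN_SERVICES = 5
KERBEROAST_WINDOW = timedelta(minutes=2)
RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"


def detect_kerberoasting(events):
    """Kerberoasting IOC: one requester pulls RC4-encrypted service tickets
    (4769) for many distinct user-owned SPNs in a short window. Computer
    accounts ($) are skipped: their random 120-char passwords are uncrackable."""
    per_requester = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"):
            per_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, ip), reqs in per_requester.items():
        reqs.sort(key=lambda r: r["Time"])
        start = 0
        for end in range(len(reqs)):         # sliding window over request times
            while reqs[end]["Time"] - reqs[start]["Time"] > KERBEROAST_WINDOW:
                start += 1
            services = {r["ServiceName"] for r in reqs[start:end + 1]}
            if len(services) >= KERBEROAST_MIN_SERVICES:
                alerts.append(("kerberoasting", user, ip, sorted(services)))
                break
    return alerts


def detect_dcsync(events):
    """DCSync IOC: 4662 exercising replication control-access rights by a
    principal that is not a domain controller."""
    return [("dcsync", e["SubjectUserName"], e["ObjectName"]) for e in events
            if e["EventID"] == 4662
            and set(e["Properties"].split()) & REPLICATION_RIGHTS
            and e["SubjectUserName"] not in REPLICATION_ALLOWLIST]


def detect_rbcd_change(events):
    """RBCD IOC: 5136 writing msDS-AllowedToActOnBehalfOfOtherIdentity, which
    lets the principal named in the attribute impersonate users to that host."""
    return [("rbcd-modified", e["SubjectUserName"], e["ObjectDN"]) for e in events
            if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == RBCD_ATTRIBUTE]


def detect_privileged_group_add(events):
    """4728 (member added to a security-enabled global group) on a Tier 0 group."""
    return [("privileged-group-add", e["SubjectUserName"], e["TargetUserName"], e["MemberName"])
            for e in events if e["EventID"] == 4728 and e["TargetUserName"] in PRIVILEGED_GROUPS]


def run_detections(events):
    """All alerts from all rules, grouped by rule."""
    return (detect_kerberoasting(events) + detect_dcsync(events)
            + detect_rbcd_change(events) + detect_privileged_group_add(events))


T0 = datetime(2025, 7, 10, 9, 0, 0)


def tgs(sec, user, ip, svc, etype=RC4_HMAC):
    """Build a constructed 4769 record at T0 + sec seconds."""
    return {"EventID": 4769, "Time": T0 + timedelta(seconds=sec), "TargetUserName": user,
            "IpAddress": ip, "ServiceName": svc, "TicketEncryptionType": etype}


SAMPLE_EVENTS = [  # constructed records
    # jdoe pulls six RC4 tickets in 25 s: each request is valid, the pattern is not
    *[tgs(5 * i, "jdoe", "10.0.0.23", svc) for i, svc in
      enumerate(["sqlsvc", "websvc", "backupsvc", "reportsvc", "printsvc", "mailsvc"])],
    tgs(30, "jdoe", "10.0.0.23", "DC01$"),                  # machine SPN: ignored
    tgs(40, "alice", "10.0.0.50", "sqlsvc", etype="0x12"),  # AES ticket: normal
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=example",
     "Properties": f"{DS_REPLICATION_GET_CHANGES} {DS_REPLICATION_GET_CHANGES_ALL}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example",
     "Properties": f"{DS_REPLICATION_GET_CHANGES} {DS_REPLICATION_GET_CHANGES_ALL}"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=SQL01,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": RBCD_ATTRIBUTE},
    {"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=WS-CAROL,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(*alert)
```

Two points the rules make that the prose does not: 4662 is only emitted for the replication rights if a SACL on the domain object audits them, so the DCSync rule is only as good as the audit policy from step 8; and the Kerberoasting rule keys on the RC4 encryption type, which is exactly why step 9 asks for AES-only service accounts, since once no SPN account accepts RC4, any RC4 service-ticket request is an alert on its own.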

9. Encrypt and Backup Critical Data

  • Security is constructed in layers. Encryption and data backups add critical layers to your overall security posture. Do not leave these out of your overall security plans.

  • Regular data backups ensure business resilience if data are compromised by malicious actors. And your last line of defense around sensitive and business critical data is encryption, making the data unreadable if an attacker gains access to your environment. This includes critical security data like credentials, group policy objects, and configuration files.

Encryption

  • Data at rest and in transit needs protection against unauthorized access that goes beyond the AD defaults: require strong encryption (e.g., AES-256) for Kerberos authentication and for data storage. Combined with continuous monitoring and regular audits, which allow early detection of suspicious activity and misconfigurations, encryption becomes a much stronger layer.

    • Entra ID note: Use Microsoft’s server-side encryption for data at rest, and ensure data in transit between apps, devices, and cloud services is protected by Transport Layer Security (TLS) or a VPN.

  • Securely manage encryption keys and restrict access to key management systems.

    • Entra ID note: Secure encryption keys in Azure Key Vault (access is controlled through Entra ID identities and RBAC) and restrict who and what can use them.

  • Use AES encryption for Kerberos tickets instead of weak algorithms like RC4 to mitigate Kerberoasting (MITRE ATT&CK technique T1558.003) and AS-REP Roasting (T1558.004). Secure private keys with hardware modules (TPM/HSM) to prevent credential theft.

Related MITRE ATT&CK techniques and mitigations for encryption: T1556.005, T1558, M1015, M1041, M104, T1557, T1003, T1040

Backups

  • Encrypt backup files. Store them in encrypted locations, both onsite and offsite, to prevent attackers gaining access to sensitive AD data.

  • Back up at least two domain controllers per domain for redundancy and resilience. With reliable backups available, data can be restored after a ransomware attack without paying a ransom.

  • Immutable Backups. Use write-once-read-many (WORM) storage to prevent ransomware from altering or deleting backups.

  • Offsite and Isolated Storage. Store backups in cloud services (e.g., AWS S3, Azure Backup) or physical offsite locations to ensure availability during onsite breaches.

  • Regular Testing: Validate backup integrity by periodically restoring backups to confirm recoverability. Secure Backup Systems: Harden backup servers and networks so they are not compromised during incidents such as Data Manipulation (MITRE ATT&CK technique T1565).

Related MITRE ATT&CK techniques and mitigations for backups: M1053, T1486, T1490

10. Harden Hybrid Environments

  • Apply RBAC, least-privilege models, and Zero Trust principles across all environments, and mandate MFA for all users. Workload identities cannot perform MFA, so give service accounts and service principals managed identities or certificate credentials instead. A weakness in one system helps attackers compromise the other.

  • Where possible, automate access reviews to revoke unnecessary permissions and to detect gaps in policy.

  • Beyond steps taken directly in AD or Entra ID, there are several key network and endpoint considerations that apply to hybrid environments, too.

Related MITRE ATT&CK techniques for hybrid environments: T1556.007, T1110, T1558.003, T1210, T1574.002

Conclusion

By systematically taking the actions in this post, organizations can significantly reduce the attack surface of both Active Directory and Entra ID, improving their overall security posture and resilience against identity-based threats.

Reducing the AD and Entra ID attack surface will not guarantee that all attacks will stop. But doing your due diligence to put in place safeguards under your control will be your best defense against cyberattacks.
