Active Directory & Azure AD/Entra ID Security

Active Directory & Azure AD/Entra ID: Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Category: Security

Oct 19 2025

Improve Entra ID Security More Quickly

By Sean Metcalf in Entra ID Security, Microsoft Security, Technical Reference

At BSides Northern Virginia (BSides NoVa) in October 2025, I presented a talk on how to improve Entra ID security quickly. This post captures the key information from my talk slides. This article describes the Entra ID settings and configuration that should be set to improve security including:

Oct 12 2025

BSides NoVa 2025 Presentation Slides Posted

By Sean Metcalf in Entra ID Security, Microsoft Security, Security Conference Presentation/Video

My BSides NoVA talk on Saturday, October 11, 2025 was titled “10 Ways to Improve Entra ID Security Quickly“. I focused on the areas that tend to be missed in Entra ID.Talk slides are now posted. Downoad Presentation Slides

BSidesNoVa, EntraID, EntraIDSecurity, ImproveEntraIDSecurity

Oct 11 2025

Microsoft Interview

By Sean Metcalf in Entra ID Security, Interview, Microsoft Security

A couple years ago, the Microsoft Security Experts Blog interviewed me regarding Azure Active Directory (Entra ID) security. Read the Interview here

AzureActiveDirectorySecurity, AzureADSecuity, EntraIDSecurity, MicrosoftSecurity, MicrosoftSecurityExpertsBlog

May 29 2020

Attacking Active Directory Group Managed Service Accounts (GMSAs)

By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security

In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called “Securing Active Directory: Resolving Common Issues” and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.I …

clear-text password, Computer Account, ConvertTo-NTHash, DSInternals, Get-ADReplAccount, Get-ADServiceAccount, GMSA, GMSA password, GMSA password hash, GMSA SPN, Group Managed Service Accounts, Kerberos, Kerberos SPN, LSASS, mimikatz, msDS-GroupManagedServiceAccount, msDS-GroupMSAMembership, msds-ManagedPassword, msDS-ManagedPasswordId, msDS-ManagedPasswordInterval, msDS-ManagePasswordInterval, PrincipalsAllowedToRetriveManagedPassword, PSEXEC, Sekurlsa::ekeys, sekurlsa::logonpasswords, service principal name, ServicePrincipalNames, SPN, SYSTEM, _SA_

May 27 2020

From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path

By Sean Metcalf in Cloud Security, Microsoft Security, TheCloud

For most of 2019, I was digging into Office 365 and Azure AD and looking at features as part of the development of the new Trimarc Microsoft Cloud Security Assessment which focuses on improving customer Microsoft Office 365 and Azure AD security posture. As I went through each of them, I found one that was …

Access management for Azure resources, ActiveDirectory, Azure AD PIM, Azure Owner, Azure RBAC, Azure root, AzureAD, Company Administrator, Compromise Azure Domain Controller, Compromise Azure VM, Elevate Access, EnableAdminAccount, From Azure AD to Azure, Global Admin to Azure, Global Administrator, Global Administrator Elevate Access, MFA, Microsoft.Compute/virtualMachines/runCommand/, net localgroup, Office 365 Security, PIM, Privileged Identity Manager, Run PowerShell on Azure VM, runCommand, RunPowerShellScript, User Access Administrator, Virtual Machine Contributor

Oct 11 2018

From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

It’s been almost 1.5 years since the Medium post by Shay Ber was published that explained how to execute a DLL as SYSTEM on a Domain Controller provided the account is a member of DNSAdmins. I finally got around to posting here since many I speak with aren’t aware of this issue. Shay describes this …

Active Directory, DNS server object permission, DNSAdmins, DnsPluginCleanup, DnsPluginInitialize, DnsPluginQuery, Domain Controller, from DNSAdmin to Domain Admin, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll, mimikatz dll, run DLL on Domain Controller, ServerLevelPluginDll, UUID is 50ABC2A4–574D-40B3–9D66-EE4FD5FBA076, \PIPE\DNSSERVER

Oct 10 2018

Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

By Sean Metcalf in ActiveDirectorySecurity, Exploit, Hacking, Microsoft Security, Security Conference Presentation/Video

At DerbyCon 8 (2018) over the weekend Will Schroeder (@Harmj0y), Lee Christensen (@Tifkin_), & Matt Nelson (@enigma0x3), spoke about the unintended risks of trusting AD. They cover a number of interesting persistence and privilege escalation methods, though one in particular caught my eye. Overview Lee figured out and presents a scenario where there’s an account …

AD credential theft, constrained delegation, DCSync, delegation, DoD STIG, Domain Controller Spooler, Kerberos, Kerberos attack, Kerberos Delegation, Kerberos unconstrained delegation, MS-RPRN, Print Spooler, RpcRemoteFindFirstPrinterChangeNotification, Spooler, Spooler Service

Jan 01 2018

Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory

By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security

I have been fascinated with Read-Only Domain Controllers (RODCs) since RODC was released as a new DC promotion option with Windows Server 2008. Microsoft customers wanted a DC that wasn’t really a DC. – something that could be deployed in a location that’s not physically secure and still be able to authenticate users. This post …

Allowed RODC Password Replication Policy, DCSync, Denied RODC Password Replication Policy, Directory Services Restore Mode password, discovering RODCs, Domain Controller, DSRM, golden ticket, Hacking RODCs, harden Read-Only Domain Controllers, harden RODCs, Invoke-Mimikatz, KRBTGT, KRBTGT_######, mimikatz, msDS-AuthenticatedToAccountList, msDS-KeyVersionNumber, msDS-NeverRevealGroup, msDS-Reveal-OnDemandGroup, msDS-RevealedList, Read-Only Domain Controller, ReadOnly Domain Controller, RODC, RODC Active Directory, RODC Administration, RODC administrators, RODC backlink, RODC golden ticket, RODC in the DMZ, RODC Krbtgt, RODC ManagedBy attribute, RODC Manager, RODC password, RODC Password Replication Policy, RODC replication, RODC security, RODC SYSVOL, Silver Tickets

Nov 24 2017

Securing Microsoft Active Directory Federation Server (ADFS)

By Sean Metcalf in Cloud Security, Microsoft Security, Security Recommendation, Technical Reading, Technical Reference

Many organizations are moving to the cloud and this often requires some level of federation. Federation, put simply, extends authentication from one system (or organization) to another. Gerald Steere (@Darkpawh) and I spoke about cloud security at DEF CON in July 2017. Presentation slides and video are here: “Hacking the Cloud” One of the key …

ADFS certificates, ADFS Recommendations, ADFS Security, ADFS Security Best Practices, GoldenSAML, GoldenSAML Detection, GoldenSAML protection, Microsoft Active Directory Federation Servers, Protecting ADFS, Securing ADFS

Aug 10 2017

Beyond Domain Admins – Domain Controller & AD Administration

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

Active Directory has several levels of administration beyond the Domain Admins group. In a previous post, I explored: “Securing Domain Controllers to Improve Active Directory Security” which explores ways to better secure Domain Controllers and by extension, Active Directory. For more information on Active Directory specific rights and permission review my post “Scanning for Active …

Active Directory Admins, Active Directory groups, Active Directory Security, ActiveDirectory, AD Administrators, AD Admins, AD Security, allow log on locally, Back-up files & directories, Backup Operators, Builtin, DC rights, DCSync, Default AD groups, Default Domain Controller Policy, domain Administrators group, Domain Admins, Domain Controller, Domain Controller groups, Domain Controller rights, Enable computer and user accounts to be trusted for delegation, Force shutdown from a remote system, Get-ADGroupMember, Log on as a batch job, Log on as a service, Manage auditing and security log, Print Operators, Remote Desktop users, Restore files & directories, Schema Admins, Server Operators, Synchronize directory service data

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2025.

Made with by Graphene Themes.

Category: Security

Improve Entra ID Security More Quickly

BSides NoVa 2025 Presentation Slides Posted

Microsoft Interview

From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path

From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration

Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory

Securing Microsoft Active Directory Federation Server (ADFS)

Beyond Domain Admins – Domain Controller & AD Administration

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Category: Security

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright