{"id":4825,"date":"2025-10-19T20:03:00","date_gmt":"2025-10-20T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4825"},"modified":"2025-10-20T10:31:35","modified_gmt":"2025-10-20T14:31:35","slug":"improve-entra-id-security-more-quickly","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4825","title":{"rendered":"Improve Entra ID Security More Quickly"},"content":{"rendered":"\n<p>At BSides Northern Virginia (<a href=\"https:\/\/www.bsidesnova.org\/\" data-type=\"link\" data-id=\"https:\/\/www.bsidesnova.org\/\">BSides NoVa<\/a>) in October 2025, I presented a talk on <a href=\"https:\/\/bsidesnova-2025.sessionize.com\/session\/997515\" data-type=\"link\" data-id=\"https:\/\/bsidesnova-2025.sessionize.com\/session\/997515\">how to improve Entra ID security quickly<\/a>. This post captures the key information from <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/2025-BSidesNOVA-SecuringEntraID-Metcalf-Final.pdf\" data-type=\"link\" data-id=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/2025-BSidesNOVA-SecuringEntraID-Metcalf-Final.pdf\">my talk slides<\/a>.<\/p>\n\n\n\n<p>This article describes the Entra ID settings and configuration that should be set to improve security including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User Default Configurations<\/li>\n\n\n\n<li>Guest Defaults<\/li>\n\n\n\n<li>User Applications Consent and Permissions<\/li>\n\n\n\n<li>Secure Entra ID roles<\/li>\n\n\n\n<li>Privileged Role Membership Protection<\/li>\n\n\n\n<li>Role Assignable Group Configurations<\/li>\n\n\n\n<li>Highly Privileged Applications<\/li>\n\n\n\n<li>Conditional Access Policies<\/li>\n\n\n\n<li>Partner Access<\/li>\n\n\n\n<li>Securing Entra Connect<\/li>\n\n\n\n<li>Secure Entra ID Quickly Checklist<\/li>\n<\/ul>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">User Default Configurations<\/h2>\n\n\n\n<p><br>Users are able to register applications and create new tenants by default. 
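<\/p>\n\n\n\n<p>As an added example that is not part of the original talk or slides, the following Microsoft Graph PowerShell script audits the tenant-wide user defaults covered in this section and the three that follow (application registration, tenant creation, device join, guest access restriction, and user consent) and, when run with <code>-Fix<\/code>, sets the recommended values. It assumes the Microsoft Graph PowerShell SDK (<code>Microsoft.Graph.Identity.SignIns<\/code>) is installed, that the signed-in account may update the authorization policy (for example a Global Administrator), and that the guest role template GUID and the <code>microsoft-user-default-recommended<\/code> consent policy identifier are Microsoft&#8217;s documented built-ins; the <code>Get-MgPolicyDeviceRegistrationPolicy<\/code> read is likewise assumed to be available in the installed SDK version.<\/p>\n\n\n\n
```powershell
# Added example (not from the original post): audit the Entra ID user defaults with the
# Microsoft Graph PowerShell SDK and, with -Fix, set the recommended values.
# Assumptions (not stated on the page): Microsoft.Graph.Identity.SignIns is installed,
# the signed-in account may update the authorization policy, and the IDs below are
# Microsoft's built-in guest role template and consent policy identifiers.
param([switch]$Fix)

Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.Authorization', 'Policy.Read.All'

$GuestRestricted    = '2af84b1e-32c8-42b7-82bc-daa82404023b'                               # "restricted to own directory objects (most restrictive)"
$RecommendedConsent = 'ManagePermissionGrantsForSelf.microsoft-user-default-recommended'   # "Let Microsoft manage your consent settings"
$LegacyConsent      = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'        # "Allow user consent for apps" (any app, any permission)

$authz    = Get-MgPolicyAuthorizationPolicy
$perm     = $authz.DefaultUserRolePermissions
$consent  = @($perm.PermissionGrantPoliciesAssignedToDefaultUserRole)
$findings = [System.Collections.Generic.List[string]]::new()

if ($perm.AllowedToCreateApps)    { $findings.Add('"Users can register applications" = Yes') }
if ($perm.AllowedToCreateTenants) { $findings.Add('"Restrict non-admin users from creating tenants" = No') }
if ($authz.GuestUserRoleId -ne $GuestRestricted) {
    $findings.Add("Guest user access restriction is role template $($authz.GuestUserRoleId), not the most restrictive option")
}
if ($consent -contains $LegacyConsent) {
    $findings.Add('User consent = "Allow user consent for apps" (users can grant any permission to any app)')
}

# Device settings live in a separate policy object; reported here, not changed.
$dev = Get-MgPolicyDeviceRegistrationPolicy
if ($dev.AzureAdJoin.AppliesTo -eq 'all') { $findings.Add('"Users may join devices to Microsoft Entra" = All') }
if ($dev.MultiFactorAuthConfiguration -ne 'required') {
    $findings.Add('MFA to register or join devices = No (acceptable only if a Conditional Access policy covers the "Register or join devices" user action)')
}

if ($findings.Count -eq 0) { Write-Host 'No findings: user defaults already match the recommendations.'; return }
$findings | ForEach-Object { Write-Host "FINDING: $_" }

if ($Fix) {
    # Keep any ManagePermissionGrantsForOwnedResource.* entries (for example Teams app consent)
    # and swap only the self-consent policy for Microsoft's recommended one.
    $kept = @($consent | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
    $newDefaults = @{
        AllowedToCreateApps                              = $false
        AllowedToCreateTenants                           = $false
        PermissionGrantPoliciesAssignedToDefaultUserRole = $kept + $RecommendedConsent
    }
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $newDefaults -GuestUserRoleId $GuestRestricted
    Write-Host 'Applied: app registration off, tenant creation restricted, guests restricted, recommended consent policy set.'
}
```
\n\n\n\n<p>Run it once without <code>-Fix<\/code> to see the findings, then with <code>-Fix<\/code> to apply them. The device settings are only reported because the choice between the tenant-level MFA setting and a Conditional Access policy is one the organization has to make deliberately.<\/p>\n\n\n\n<p>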
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"395\" height=\"181\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-10.png\" alt=\"\" class=\"wp-image-4832\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-10.png 395w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-10-300x137.png 300w\" sizes=\"auto, (max-width: 395px) 100vw, 395px\" \/><\/figure>\n\n\n\n<p>These settings should be changed as shown in the screenshot below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"417\" height=\"111\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-11.png\" alt=\"\" class=\"wp-image-4833\" style=\"width:417px;height:auto\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-11.png 417w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-11-300x80.png 300w\" sizes=\"auto, (max-width: 417px) 100vw, 417px\" \/><\/figure>\n\n\n\n<p><strong>User Defaults Actions:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set &#8220;Users can register applications&#8221; from Yes to No. Developers who legitimately need to register applications can be granted the Application Developer role instead.<\/li>\n\n\n\n<li>Set &#8220;Restrict non-admin users from creating tenants&#8221; from No to Yes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">User Device Setting Defaults<\/h2>\n\n\n\n<p>By default, every user can Entra join devices, and no MFA is required to do so. An attacker who holds only a username and password can therefore join a device they control to the tenant, which is a stepping stone toward satisfying device-based Conditional Access requirements.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"697\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-9-1024x697.png\" alt=\"\" class=\"wp-image-4831\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-9-1024x697.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-9-300x204.png 300w, 
https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-9-768x523.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-9-823x560.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-9.png 1333w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>User Device Setting Actions:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set &#8220;Users may join devices to Microsoft Entra&#8221; to &#8220;Selected&#8221; and add a group whose members are allowed to join devices to Entra.<\/li>\n\n\n\n<li>Either configure a Conditional Access policy that targets the &#8220;Register or join devices&#8221; user action and requires MFA, or set &#8220;Require Multifactor Authentication to register or join devices with Microsoft Entra&#8221; to &#8220;Yes&#8221;. Use one or the other: Microsoft recommends the Conditional Access approach and documents that, when it is used, the tenant-level setting should stay at &#8220;No&#8221;.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Guest Defaults<\/h2>\n\n\n\n<p>The most inclusive guest setting, which many tenants still run with, gives guest users the same access as members: a guest account can enumerate users, groups, and other directory objects in Entra ID just as a member can.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"196\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-7-1024x196.png\" alt=\"\" class=\"wp-image-4829\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-7-1024x196.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-7-300x57.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-7-768x147.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-7-1536x294.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-7-823x158.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-7.png 1869w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This setting should be changed as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"199\" 
src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-8-1024x199.png\" alt=\"\" class=\"wp-image-4830\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-8-1024x199.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-8-300x58.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-8-768x150.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-8-1536x299.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-8-823x160.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-8.png 1879w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Guest Defaults Actions:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Change the Guest user access restrictions from &#8220;Guest users have the same access as members (most inclusive)&#8221; to &#8220;Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)&#8221;.<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">User Application Consent and Permission Defaults<\/h2>\n\n\n\n<p>Originally in Azure AD\/Entra ID, users had default rights to consent to permissions. 
This configuration persists in many current environments, and it is what illicit consent grant attacks rely on: a user tricked into accepting a consent prompt hands an attacker-controlled application access to their mail and files without any admin review.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"321\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-12-1024x321.png\" alt=\"\" class=\"wp-image-4835\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-12-1024x321.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-12-300x94.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-12-768x241.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-12-1536x481.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-12-823x258.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-12.png 1810w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The consent settings now offer the following options.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"355\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-13-1024x355.png\" alt=\"\" class=\"wp-image-4836\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-13-1024x355.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-13-300x104.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-13-768x266.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-13-823x286.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-13.png 1026w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>User Application Consent and Permission Recommendations<\/strong>:<\/p>\n\n\n\n<p>Set user consent for applications to either &#8220;Allow user consent for apps from verified publishers, for selected permissions&#8221; or, preferably, &#8220;Let Microsoft 
manage your consent settings (Recommended).&#8221;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"332\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-14-1024x332.png\" alt=\"\" class=\"wp-image-4837\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-14-1024x332.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-14-300x97.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-14-768x249.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-14-1536x499.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-14-823x267.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-14.png 1968w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Entra ID Roles<\/h2>\n\n\n\n<p>There are 117 Entra ID roles (as of October 2025). This makes it challenging to know what to protect and at what level.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"541\" height=\"1024\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-17-541x1024.png\" alt=\"\" class=\"wp-image-4842\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-17-541x1024.png 541w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-17-158x300.png 158w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-17.png 594w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Microsoft has tagged 28 roles as &#8220;<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference\">Privileged<\/a>&#8220;. 
These roles should be protected, though not at the same level. For example, Global Reader isn&#8217;t the same as the Global Administrator role and the level of protection for accounts in Global Administrator should be higher than that of Global Reader.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"921\" height=\"473\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-18.png\" alt=\"\" class=\"wp-image-4843\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-18.png 921w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-18-300x154.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-18-768x394.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-18-823x423.png 823w\" sizes=\"auto, (max-width: 921px) 100vw, 921px\" \/><\/figure>\n\n\n\n<p><br>The Microsoft Entra roles marked as privileged that should be a higher priority for protection are bolded here:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"513\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-40-1024x513.png\" alt=\"\" class=\"wp-image-4902\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-40-1024x513.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-40-300x150.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-40-768x385.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-40-1536x769.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-40-823x412.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-40.png 1653w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tier 0 Entra ID Roles<\/h2>\n\n\n\n<p>There are five (5) roles that should be protected at the highest 
level (Tier 0). <br>Ensure that members of these roles are always required to use phishing-resistant MFA (preferably FIDO2) and that membership is kept very small. I have presented on these <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/08\/2024-BSidesCharm-MicrosoftIdentitySecurity-Metcalf-FINAL.pdf\" data-type=\"link\" data-id=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/08\/2024-BSidesCharm-MicrosoftIdentitySecurity-Metcalf-FINAL.pdf\">before<\/a>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#global-administrator\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#global-administrator\">Global Administrator<\/a><\/strong>\n<ul class=\"wp-block-list\">\n<li>Full admin rights to Entra ID and Microsoft 365, plus one-click (&#8220;elevate access&#8221;) full control of all Azure subscriptions<\/li>\n\n\n\n<li><a href=\"https:\/\/www.hub.trimarcsecurity.com\/post\/from-azure-ad-to-active-directory-via-azure-an-unanticipated-attack-path\">From Azure AD to Active Directory (via Azure) \u2013 An Unanticipated Attack Path (2020)<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#hybrid-identity-administrator\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#hybrid-identity-administrator\">Hybrid Identity Administrator<\/a><\/strong>\n<ul class=\"wp-block-list\">\n<li><em>\u201cCan create, manage and deploy provisioning configuration setup from Active Directory to Microsoft Entra ID using Cloud Provisioning as well as manage Microsoft Entra Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single Sign-On (Seamless SSO), and <\/em><a 
href=\"https:\/\/medium.com\/tenable-techblog\/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360\" data-type=\"link\" data-id=\"https:\/\/medium.com\/tenable-techblog\/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360\">federation settings<\/a><em>.\u201d<\/em><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#partner-tier2-support\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#partner-tier2-support\">Partner Tier2 Support<\/a><\/strong>\n<ul class=\"wp-block-list\">\n<li><em>Microsoft: \u201cDo not use - not intended for general use.\u201d<\/em><\/li>\n\n\n\n<li><em>\u201cThe Partner Tier2 Support role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators).\u201d<\/em><\/li>\n\n\n\n<li><em>\u201cnot quite as powerful as Global Admin, but the role does allow a principal with the role to promote themselves or any other principal to Global Admin.\u201d<\/em> &#8211; <a href=\"https:\/\/posts.specterops.io\/the-most-dangerous-entra-role-youve-probably-never-heard-of-e00ea08b8661\">The Most Dangerous Entra Role You\u2019ve (Probably) Never Heard Of<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#privileged-authentication-administrator\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#privileged-authentication-administrator\">Privileged Authentication Administrator<\/a><\/strong>\n<ul class=\"wp-block-list\">\n<li><em>\u201cSet or reset any authentication method (including passwords) for any user, including Global Administrators. 
\u2026<\/em> <em>Force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke remember MFA on the device, prompting for MFA on the next sign-in of all users.\u201d<\/em><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#privileged-role-administrator\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#privileged-role-administrator\">Privileged Role Administrator<\/a><\/strong>\n<ul class=\"wp-block-list\">\n<li><em>\u201cUsers with this role can manage role assignments in Microsoft Entra ID, as well as within Microsoft Entra Privileged Identity Management. \u2026<\/em> <em>This role grants the ability to manage assignments for all Microsoft Entra roles including the Global Administrator role. \u201c<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Privileged Role Membership<\/h2>\n\n\n\n<p><strong>Ensure there are no standard user accounts as members in highly privileged roles.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"429\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-19.png\" alt=\"\" class=\"wp-image-4846\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-19.png 979w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-19-300x131.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-19-768x337.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-19-823x361.png 823w\" sizes=\"auto, (max-width: 979px) 100vw, 979px\" \/><\/figure>\n\n\n\n<p><br><strong>Ensure that role members are eligible, not permanent.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" 
width=\"856\" height=\"381\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-20.png\" alt=\"\" class=\"wp-image-4847\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-20.png 856w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-20-300x134.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-20-768x342.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-20-823x366.png 823w\" sizes=\"auto, (max-width: 856px) 100vw, 856px\" \/><\/figure>\n\n\n\n<p><br><strong>Ensure that members are required to use MFA.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"147\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-22-1024x147.png\" alt=\"\" class=\"wp-image-4849\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-22-1024x147.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-22-300x43.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-22-768x110.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-22-1536x221.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-22-823x118.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-22.png 1893w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Role Assignable Groups (RAGs)<\/h2>\n\n\n\n<p>Role Assignable Groups are Security or Microsoft 365 groups with the isAssignableToRole property set to true; their membership cannot be dynamic. They were created to solve the problem of a group being added to an Entra ID role while an ordinary group administrator could still modify its membership. Only Global Administrators, Privileged Role Administrators, and the group&#8217;s own owners can create Role Assignable Groups and manage their membership. 
The Microsoft Graph application permission RoleManagement.ReadWrite.Directory also grants these management rights. A tenant can contain at most 500 role-assignable groups. Only a Privileged Authentication Administrator or a Global Administrator can change the credentials, reset MFA, or modify sensitive attributes of the members and owners of a role-assignable group.<\/p>\n\n\n\n<p><strong>Group Nesting in Entra ID<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"953\" height=\"412\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-23.png\" alt=\"\" class=\"wp-image-4852\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-23.png 953w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-23-300x130.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-23-768x332.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-23-823x356.png 823w\" sizes=\"auto, (max-width: 953px) 100vw, 953px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"806\" height=\"315\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-24.png\" alt=\"\" class=\"wp-image-4853\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-24.png 806w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-24-300x117.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-24-768x300.png 768w\" sizes=\"auto, (max-width: 806px) 100vw, 806px\" \/><\/figure>\n\n\n\n<p><strong>Role Assignable Group Owners<\/strong><br>The owners configured on a role assignable group are able to manage the membership of the group. 
Ensure that the owners are admin accounts protected at the same level as the role the group is assigned to.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"980\" height=\"251\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-25.png\" alt=\"\" class=\"wp-image-4854\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-25.png 980w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-25-300x77.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-25-768x197.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-25-823x211.png 823w\" sizes=\"auto, (max-width: 980px) 100vw, 980px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Highly Privileged Applications<\/h2>\n\n\n\n<p>The naming structure of Microsoft Graph permissions (resource.operation.constraint, for example Directory.ReadWrite.All):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"298\" height=\"25\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-28.png\" alt=\"\" class=\"wp-image-4859\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"312\" height=\"299\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-29.png\" alt=\"\" class=\"wp-image-4860\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-29.png 312w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-29-300x288.png 300w\" sizes=\"auto, (max-width: 312px) 100vw, 312px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Tier 0 Applications<\/h2>\n\n\n\n<p>These applications have effective full administrative rights to Entra ID, or the capability to gain them. Limit the number of applications that hold these permissions and treat each one as a Tier 0 asset. 
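<\/p>\n\n\n\n<p>As an added example that is not part of the original talk or slides, the following read-only Microsoft Graph PowerShell script serves both the Secure Privileged Role Membership section above and this section: it lists every principal holding one of the five Tier 0 Entra roles, separating active (permanent or currently activated) from eligible assignments and flagging user accounts whose name does not look like a dedicated admin account, and then lists every service principal granted one of the four Tier 0 Microsoft Graph application permissions named in this section. It assumes the <code>Microsoft.Graph.Identity.Governance<\/code> and <code>Microsoft.Graph.Applications<\/code> modules, an Entra ID P2 licence so that eligible (PIM) assignments exist, and a hypothetical admin-account naming convention in <code>$AdminNamePattern<\/code> that you should replace with your own.<\/p>\n\n\n\n
```powershell
# Added example (not from the original post): list holders of the five Tier 0 Entra roles
# (active vs. eligible) and holders of the four Tier 0 Microsoft Graph application permissions.
# Read-only. Assumptions: Microsoft.Graph.Identity.Governance and Microsoft.Graph.Applications
# are installed; PIM (Entra ID P2) is licensed; admin accounts follow the hypothetical naming
# convention in $AdminNamePattern (replace with your own).
Connect-MgGraph -NoWelcome -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All', 'Directory.Read.All'

$Tier0Roles = @('Global Administrator', 'Hybrid Identity Administrator', 'Partner Tier2 Support',
                'Privileged Authentication Administrator', 'Privileged Role Administrator')
$Tier0Perms = @('Directory.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
                'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All')
$AdminNamePattern = '^(adm|admin)[-._]'   # hypothetical: adm-jsmith@contoso.com style admin accounts

# --- Tier 0 roles: active assignments (permanent, or eligible ones currently activated) and eligible ones ---
$active   = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty Principal

$roleRows = foreach ($roleName in $Tier0Roles) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $def) { continue }
    $pairs = @($active   | Where-Object RoleDefinitionId -eq $def.Id | ForEach-Object { @{ Kind = 'Active';   A = $_ } }) +
             @($eligible | Where-Object RoleDefinitionId -eq $def.Id | ForEach-Object { @{ Kind = 'Eligible'; A = $_ } })
    foreach ($p in $pairs) {
        $props = $p.A.Principal.AdditionalProperties
        $type  = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        $name  = if ($type -eq 'user') { $props['userPrincipalName'] } else { $props['displayName'] }
        $flags = @()
        if ($p.Kind -eq 'Active')                                    { $flags += 'ACTIVE' }             # should be eligible, not permanent
        if ($type -eq 'user' -and $name -notmatch $AdminNamePattern) { $flags += 'STANDARD-USER-NAME' } # not a dedicated admin account?
        if ($type -eq 'group')                                       { $flags += 'GROUP-CHECK-OWNERS' } # role-assignable group: review owners
        [pscustomobject]@{ Role = $roleName; Kind = $p.Kind; Type = $type; Principal = $name; Flags = ($flags -join ',') }
    }
}
$roleRows | Sort-Object Role, Kind | Format-Table -AutoSize

# --- Tier 0 application permissions: app role grants on the Microsoft Graph service principal ---
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleIds = @{}
foreach ($r in $graphSp.AppRoles) { if ($r.Value -in $Tier0Perms) { $roleIds[$r.Id] = $r.Value } }

$appRows = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $roleIds.ContainsKey($_.AppRoleId) } |
    ForEach-Object { [pscustomobject]@{ Application = $_.PrincipalDisplayName; PrincipalId = $_.PrincipalId; Permission = $roleIds[$_.AppRoleId] } }
$appRows | Sort-Object Application, Permission | Format-Table -AutoSize
```
\n\n\n\n<p>Every row in the first table with an ACTIVE flag is a candidate for conversion to an eligible assignment; every row in the second table is an application that can become, or already is, a tenant admin, so each needs an owner, a justification, and credential hygiene. The application check covers grants on Microsoft Graph only; it does not see permissions an application merely requests in its manifest, nor grants on the legacy Azure AD Graph API.<\/p>\n\n\n\n<p>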
Back in 2021, I highlighted the <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/08\/TEC2021-Metcalf-HardeningAzureADSecurity.pdf\" data-type=\"link\" data-id=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/08\/TEC2021-Metcalf-HardeningAzureADSecurity.pdf\">most concerning application permissions<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#directoryreadwriteall\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#directoryreadwriteall\">Directory.ReadWrite.All<\/a>\n<ul class=\"wp-block-list\">\n<li>\u201cDirectory.ReadWrite.All grants access that is broadly equivalent to a global tenant admin.\u201d *<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#approleassignmentreadwriteall\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#approleassignmentreadwriteall\">AppRoleAssignment.ReadWrite.All<\/a>\n<ul class=\"wp-block-list\">\n<li>Allows the app to manage permission grants for application permissions to any API &amp; application assignments for any app, on behalf of the signed-in user. <strong>This also allows an application to grant additional privileges to itself, other applications, or any user.<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#rolemanagementreadwritedirectory\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#rolemanagementreadwritedirectory\">RoleManagement.ReadWrite.Directory<\/a>\n<ul class=\"wp-block-list\">\n<li>Allows the app to read &amp; manage the role-based access control (RBAC) settings for the tenant, without a signed-in user. 
This includes instantiating directory roles &amp; <strong>managing directory role membership<\/strong>, and reading directory role templates, directory roles and memberships.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><em><a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#applicationreadwriteall\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/graph\/permissions-reference#applicationreadwriteall\">Application.ReadWrite.All<\/a><\/em>\n<ul class=\"wp-block-list\">\n<li>Allows the calling app to create and manage (read, update, update application secrets and delete) applications &amp; service principals without a signed-in user. This also allows an application to act as other entities &amp; use the privileges they were granted.<\/li>\n\n\n\n<li>This application permission becomes Tier 0 as soon as at least one Tier 0 application exists in the tenant, because it lets the holder add a credential (a secret or certificate) to that application and then authenticate as it, inheriting all of its permissions.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Entra ID with Conditional Access Policies<\/h2>\n\n\n\n<p>Conditional Access policies are evaluated after first-factor authentication (for example, username and password) succeeds, so they do not stop credential validation itself; they decide what a validated sign-in is allowed to do. Conditional Access requires Entra ID P1 licensing. 
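<\/p>\n\n\n\n<p>As an added example that is not part of the original talk or slides, the following read-only Microsoft Graph PowerShell script checks an existing set of Conditional Access policies for the three coverage gaps described in this section (MFA waived on trusted networks, no enforced policy requiring MFA for administrative roles, and exclusions on policies that carry security controls) and for the absence of an enforced legacy-authentication block. It assumes the <code>Microsoft.Graph.Identity.SignIns<\/code> module and an Entra ID P1 licence; the threshold it uses for &#8220;only a few roles&#8221; is the five Tier 0 roles and is an assumption you can adjust.<\/p>\n\n\n\n
```powershell
# Added example (not from the original post): scan Conditional Access policies for the gaps
# described in this section. Read-only. Assumptions: Microsoft.Graph.Identity.SignIns is
# installed and Entra ID P1 is licensed; the "few roles" threshold (5) is an assumption.
Connect-MgGraph -NoWelcome -Scopes 'Policy.Read.All'

$policies = Get-MgIdentityConditionalAccessPolicy -All
$findings = [System.Collections.Generic.List[string]]::new()
$adminMfaEnforced = $false
$legacyBlocked    = $false

foreach ($p in $policies) {
    $name  = $p.DisplayName
    $users = $p.Conditions.Users
    $grant = $p.GrantControls
    $requiresMfa    = ($grant.BuiltInControls -contains 'mfa') -or ($null -ne $grant.AuthenticationStrength.Id)
    $requiresDevice = ($grant.BuiltInControls -contains 'compliantDevice') -or ($grant.BuiltInControls -contains 'domainJoinedDevice')
    $exclusions     = @(@($users.ExcludeUsers) + @($users.ExcludeGroups) + @($users.ExcludeRoles) | Where-Object { $_ })
    $includedRoles  = @($users.IncludeRoles | Where-Object { $_ })

    # A report-only or disabled policy protects nothing: note it and skip the gap checks.
    if ($p.State -ne 'enabled') { $findings.Add("[$name] state is '$($p.State)', so it is not enforced"); continue }

    # Gap #1: MFA is required, but trusted or named locations are excluded, so a sign-in from
    # inside the corporate network (an attacker's foothold included) needs only a password.
    $excludedLocations = @($p.Conditions.Locations.ExcludeLocations | Where-Object { $_ })
    if ($requiresMfa -and $excludedLocations.Count -gt 0) {
        $findings.Add("[$name] Gap #1: MFA is skipped for excluded location(s) $($excludedLocations -join ', ')")
    }

    # Gap #2: is there any enforced policy that requires MFA for directory roles, and does it
    # cover more than a handful of them?
    if ($requiresMfa -and $includedRoles.Count -gt 0) {
        $adminMfaEnforced = $true
        if ($includedRoles.Count -lt 5) { $findings.Add("[$name] Gap #2: requires MFA for only $($includedRoles.Count) role(s)") }
    }

    # Gap #3: a policy carrying security controls with user/group/role exclusions.
    if (($requiresMfa -or $requiresDevice) -and $exclusions.Count -gt 0) {
        $findings.Add("[$name] Gap #3: $($exclusions.Count) excluded user/group/role object(s); review each one")
    }

    # Legacy auth block: all users, client app types exchangeActiveSync + other, grant = block.
    $clientApps = @($p.Conditions.ClientAppTypes)
    if (($grant.BuiltInControls -contains 'block') -and ($users.IncludeUsers -contains 'All') -and
        ('exchangeActiveSync' -in $clientApps) -and ('other' -in $clientApps)) {
        $legacyBlocked = $true
    }
}

if (-not $adminMfaEnforced) { $findings.Add('Gap #2: no enforced policy requires MFA for any directory role') }
if (-not $legacyBlocked)    { $findings.Add('No enforced policy blocks legacy authentication for all users') }

if ($findings.Count -eq 0) { 'No Conditional Access gaps found by these checks.' } else { $findings }
```
\n\n\n\n<p>Expect at least one exclusion per policy for the emergency-access (break-glass) accounts; the script surfaces every exclusion so that anything beyond those accounts can be questioned rather than silently accepted.<\/p>\n\n\n\n<p>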
Conditional Access takes action based on who is connecting, where they are connecting from, what application and\/or device the connection goes to or comes from, and when the policy applies.<\/p>\n\n\n\n<p>There are some common Conditional Access policies:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"368\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-32-1024x368.png\" alt=\"\" class=\"wp-image-4864\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-32-1024x368.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-32-300x108.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-32-768x276.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-32-1536x551.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-32-823x295.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-32.png 1688w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>With these typical Conditional Access policies, there are common coverage gaps.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">CA Policy Gap #1: Users Require MFA Outside of Corp Network<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The CA policy requires MFA only when users work remotely (not on the corporate network or connected via VPN)<\/li>\n\n\n\n<li>This assumes no attacker is ever on the corporate network<\/li>\n\n\n\n<li>An attacker with a foothold on the corporate network can sign in with just a username and password, without MFA<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">CA Policy Gap #2: Admins don\u2019t require MFA<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MFA is required for certain users to access specific applications<\/li>\n\n\n\n<li>However, there is no CA policy that requires MFA for admins<\/li>\n\n\n\n<li>Or\u2026 the CA policy only requires members of a few roles to use 
MFA<\/li>\n\n\n\n<li>An attacker who obtains an admin&#8217;s username and password can sign in without MFA<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">CA Policy Gap #3: Exclusions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The CA policy includes several security controls\n<ul class=\"wp-block-list\">\n<li>MFA required<\/li>\n\n\n\n<li>Entra joined &amp; compliant device<\/li>\n\n\n\n<li>Location based access<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>However, there are exclusions:\n<ul class=\"wp-block-list\">\n<li>Admins<\/li>\n\n\n\n<li>VIPs<\/li>\n\n\n\n<li>Executives<\/li>\n\n\n\n<li>HR<\/li>\n\n\n\n<li>Etc.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>This creates a significant gap in security posture<\/li>\n\n\n\n<li>Attackers love being excluded from security controls!<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/managed-policies\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/managed-policies\">Microsoft Managed Policies (MMP)<\/a><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deployed automatically in report-only mode<\/li>\n\n\n\n<li>Modification is limited:\n<ul class=\"wp-block-list\">\n<li>Exclude users<\/li>\n\n\n\n<li>Turn on or set to report-only mode<\/li>\n\n\n\n<li>Can&#8217;t rename or delete any Microsoft-managed policies<\/li>\n\n\n\n<li>Can duplicate the policy to make custom versions<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Microsoft might update these policies in the future<\/li>\n\n\n\n<li>MMPs are turned on (set to enabled) 90 days after being introduced to the tenant<\/li>\n\n\n\n<li>Currently focuses on 3 areas:\n<ul class=\"wp-block-list\">\n<li>MFA for admins accessing Microsoft admin portals<\/li>\n\n\n\n<li>MFA for users who have per-user MFA enabled<\/li>\n\n\n\n<li>MFA and reauthentication for risky sign-ins<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Key Conditional Access 
Policies<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Require MFA for accounts with administrative roles (preferably FIDO2)<\/li>\n\n\n\n<li>Block legacy authentication (protocols such as basic authentication for IMAP, POP3, and SMTP that cannot enforce MFA)<\/li>\n\n\n\n<li>Block sign-ins from geographic locations where the organization does not operate<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/policy-block-authentication-flows\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/policy-block-authentication-flows\">Block device code flow*<\/a><\/li>\n\n\n\n<li>Enforce device compliance on all devices<\/li>\n\n\n\n<li>Restrict access to apps by location<\/li>\n\n\n\n<li>Require MFA for guest users<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Partner Relationships \u2013 aka <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/users\/directory-delegated-administration-primer\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/users\/directory-delegated-administration-primer\">Delegated Administration<\/a><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A configured partner can have admin rights to a customer tenant (\u201cdelegated administration\u201d).<\/li>\n\n\n\n<li>This is provided when the partner requests access to the customer environment.<\/li>\n\n\n\n<li>When the customer accepts this request:\n<ul class=\"wp-block-list\">\n<li>The \u201cAdmin Agent\u201d role (group) in the partner tenant is granted effective \u201cGlobal Administrator\u201d rights in the customer tenant.<\/li>\n\n\n\n<li>The \u201cHelpdesk Agent&#8221; role (group) in the partner tenant is granted effective &#8220;Helpdesk Administrator&#8221; (Password Administrator) rights in the customer tenant.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>These are the only options.<\/li>\n\n\n\n<li>They apply to all customer environments \u2013 there is no granular configuration.<\/li>\n\n\n\n<li>A partner with dozens of customers will result in all partner accounts 
in these groups having elevated rights in all customer environments.<br>Shift to granular delegated admin privileges (GDAP) ASAP!<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p>Check Partner Configuration for your tenant here:<br><a href=\"https:\/\/portal.azure.com\/#view\/Microsoft_AAD_IAM\/ActiveDirectoryMenuBlade\/~\/PartnerRelationships\" data-type=\"link\" data-id=\"https:\/\/portal.azure.com\/#view\/Microsoft_AAD_IAM\/ActiveDirectoryMenuBlade\/~\/PartnerRelationships\">https:\/\/portal.azure.com\/#view\/Microsoft_AAD_IAM\/ActiveDirectoryMenuBlade\/~\/PartnerRelationships<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/partner-center\/gdap-introduction\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/partner-center\/gdap-introduction\">Granular Delegated Admin Privileges (GDAP)<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"937\" height=\"842\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-33.png\" alt=\"\" class=\"wp-image-4866\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-33.png 937w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-33-300x270.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-33-768x690.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-33-823x740.png 823w\" sizes=\"auto, (max-width: 937px) 100vw, 937px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Entra Connect<\/h2>\n\n\n\n<p><strong>Compromising Entra Connect:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compromise Active Directory<\/li>\n\n\n\n<li>Get admin rights on Entra Connect server (or SQL db)\n<ul class=\"wp-block-list\">\n<li>OU admin rights<\/li>\n\n\n\n<li>Local admin rights<\/li>\n\n\n\n<li>GPO modify rights<\/li>\n\n\n\n<li>Get local admin password on other systems (when not unique)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Gain 
control of management system\n<ul class=\"wp-block-list\">\n<li>Microsoft SCCM (or similar)<\/li>\n\n\n\n<li>Vulnerability scanner<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Compromise VMware (or other virtual platform)<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>From Entra Connect to Active Directory<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"608\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-34-1024x608.png\" alt=\"\" class=\"wp-image-4870\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-34-1024x608.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-34-300x178.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-34-768x456.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-34-823x489.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-34.png 1054w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>From Entra Connect to Entra ID<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"474\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-35-1024x474.png\" alt=\"\" class=\"wp-image-4871\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-35-1024x474.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-35-300x139.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-35-768x355.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-35-823x381.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-35.png 1392w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Defending Entra Connect<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat the Entra Connect server, 
SQL server\/database, &amp; service account as Tier 0 (like Domain Controllers).<\/li>\n\n\n\n<li>Ensure that the Entra Connect server &amp; SQL server\/database are in a top-level admin OU.<\/li>\n\n\n\n<li>Limit the group policies that apply to Entra Connect related systems.<\/li>\n\n\n\n<li>Restrict local admin rights on Entra Connect related systems.<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Securing Seamless Single Sign-On (SSSO)<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"420\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-36-1024x420.png\" alt=\"\" class=\"wp-image-4874\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-36-1024x420.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-36-300x123.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-36-768x315.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-36-1536x631.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-36-823x338.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-36.png 1810w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><a href=\"https:\/\/www.dsinternals.com\/en\/impersonating-office-365-users-mimikatz\/\" data-type=\"link\" data-id=\"https:\/\/www.dsinternals.com\/en\/impersonating-office-365-users-mimikatz\/\">Attacking Azure AD Seamless Single Sign-On<\/a><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed by Azure AD Connect<\/li>\n\n\n\n<li>\u201cAzure AD exposes a publicly available endpoint that accepts Kerberos tickets and translates them into SAML and JWT tokens\u201d<\/li>\n\n\n\n<li>Compromise the Azure AD Seamless SSO Computer Account password hash (\u201cAZUREADSSOACC\u201d)<\/li>\n\n\n\n<li>Generate a Silver Ticket for the user you want to impersonate and 
the service \u2018aadg.windows.net.nsatc.net\u2019<\/li>\n\n\n\n<li>Inject this ticket into the local Kerberos cache<\/li>\n\n\n\n<li>Azure AD Seamless SSO computer account password doesn\u2019t change<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Securing Seamless Single Sign-On (SSSO)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For Windows 10, Windows Server 2016, and later versions, it\u2019s recommended to use SSO via primary refresh token (PRT).<\/li>\n\n\n\n<li>For Windows 7 and Windows 8.1, it\u2019s recommended to use Seamless SSO.<\/li>\n\n\n\n<li>Ensure the Azure AD Seamless Single Sign-On key (password) changes several times a year.<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Securing Microsoft Pass-Through Authentication (PTA)<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"453\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-37-1024x453.png\" alt=\"\" class=\"wp-image-4876\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-37-1024x453.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-37-300x133.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-37-768x340.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-37-1536x679.png 1536w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-37-823x364.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-37.png 1640w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><a href=\"https:\/\/blog.xpnsec.com\/azuread-connect-for-redteam\/\" data-type=\"link\" data-id=\"https:\/\/blog.xpnsec.com\/azuread-connect-for-redteam\/\">Attacking Microsoft PTA<\/a><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed by Azure AD Connect<\/li>\n\n\n\n<li>Compromise server hosting PTA (typically Entra Connect 
server)<\/li>\n\n\n\n<li>Entra ID sends the clear-text password (not hashed!) to authenticate the user.<\/li>\n\n\n\n<li>Inject DLL to compromise credentials used for PTA<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Securing Pass-Through Authentication (PTA)<\/strong><\/p>\n\n\n\n<p>Treat Entra Connect as a Tier 0 asset (like a Domain Controller)<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Entra ID Quickly Checklist<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set \u201cUsers can register applications\u201d to No<\/li>\n\n\n\n<li>Set \u201cRestrict non-admin users from creating tenants\u201d to Yes<\/li>\n\n\n\n<li>Set \u201cUsers can create security groups\u201d to No<\/li>\n\n\n\n<li>Set Guest user access restrictions to \u201cGuest user access is restricted to properties and memberships of their own directory objects (most restrictive)\u201d<\/li>\n\n\n\n<li>Restrict who can join devices to Microsoft Entra &amp; require MFA<\/li>\n\n\n\n<li>Set Guest invite settings to \u201cOnly users assigned to specific admin roles can invite guest users\u201d<\/li>\n\n\n\n<li>Set User consent settings to \u201cLet Microsoft manage your consent settings (Recommended)\u201d<\/li>\n\n\n\n<li>Review Tier 0 role membership and ensure members are admin accounts, are PIM Eligible, &amp; are not synchronized from on-prem<\/li>\n\n\n\n<li>If you\u2019re using Role Assignable Groups, ensure Owners are not set on Tier 0 roles<\/li>\n\n\n\n<li>Scrutinize any applications with Tier 0 Application permissions<\/li>\n\n\n\n<li>Ensure that Conditional Access requires MFA for Tier 0 role members for every authentication, preferably FIDO2\/Microsoft Authenticator push (service accounts &amp; service principals excepted).<\/li>\n\n\n\n<li>Remove any standard Delegated Administration and shift to Granular Delegated Admin Privileges (GDAP)<\/li>\n\n\n\n<li>Treat Entra Connect as a Tier 0 asset (like a Domain Controller)<\/li>\n\n\n\n<li>Ensure Cloud Admins are using a 
separate browser for admin activities (minimum) or connecting to a dedicated cloud admin server (recommended)<\/li>\n\n\n\n<li>Ensure there is at least 1 emergency access admin account configured with a FIDO2 key(s).<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/pyrotek.io\/EntraIDSecurityList\" data-type=\"link\" data-id=\"https:\/\/pyrotek.io\/EntraIDSecurityList\">Sean\u2019s Entra ID Security List on Twitter\/X<\/a><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"372\" height=\"362\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-39.png\" alt=\"\" class=\"wp-image-4884\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-39.png 372w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-39-300x292.png 300w\" sizes=\"auto, (max-width: 372px) 100vw, 372px\" \/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>At BSides Northern Virginia (BSides NoVa) in October 2025, I presented a talk on how to improve Entra ID security quickly. This post captures the key information from my talk slides. 
This article describes the Entra ID settings and configuration that should be set to improve security including:<\/p><p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=4825\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1536,11,2],"tags":[1453,1537,1546,1545],"class_list":["post-4825","post","type-post","status-publish","format-standard","hentry","category-entra-id-security","category-microsoft-security","category-technical-reference","tag-entraid","tag-entraidsecurity","tag-guestdefaults","tag-userdefaults","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4825"}],"version-history":[{"count":28,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4825\/revisions"}],"predecessor-version":[{"id":4903,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4825\/revisions\/4903"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}