Protect and Detect: Microsoft Defender for Identity Expands to Entra Connect Server

We are excited to announce a new Microsoft Defender for Identity sensor for Entra Connect servers. This addition is a significant step in our ongoing commitment to expanding Defender for Identity’s coverage across hybrid identity environments. It reinforces our vision of overseeing and protecting the entire identity fabric, greatly enhancing the SOC’s visibility and protections for these complex environments.

 

Identities are one of, if not the most targeted attack vector and cyber-criminals are always evolving their strategies to exploit new vulnerabilities or gaps in protection. Many organizations today manage hybrid identity environments, with an on-premises Active Directory footprint along with a deployment of Entra ID in the cloud. The gaps between these two elements present ample opportunities for bad actors and as the primary bridge between them, Entra Connect servers can be classified as tier-0 level assets.  

 

To stay ahead of emerging threats and deliver powerful security solutions, our team is continuously evolving and updating our offerings, and the primary objective of this new sensor is to help our customers better prevent, detect, and remediate credential theft and privilege escalation attacks commonly initiated against Entra Connect.

 

What is Entra Connect? What security value does the new sensor provide?

Entra Connect (previously known as Azure AD Connect or AAD Connect) is a Microsoft service used to synchronize on-premises Active Directory environments with Entra ID (formerly Azure Active Directory). Entra Connect facilitates identity management and provides single sign-on capabilities for users across on-premises and cloud resources by creating a common identity. This synchronization is essential for maintaining consistent and secure access across different platforms.

The new Microsoft Defender for Identity sensor for Entra Connect servers provides comprehensive monitoring of synchronization activities between Entra Connect and Active Directory, offering crucial insights into potential security threats and unusual activities. With this enhanced visibility across hybrid identity environments Defender for Identity can now provide new Entra Connect specific security alerts and posture recommendations, as detailed below.

Entra Connect sensor on Identities Settings page

 

New Detections (in Public Preview):

Suspicious Interactive Logon to the Entra Connect Server:

Direct logins to Entra Connect servers are highly unusual and potentially malicious. Attackers often target these servers to steal credentials for broader network access. Microsoft Defender for Identity can now detect abnormal logins to Entra Connect servers, helping you identify and respond to these potential threats faster. It is specifically applicable when the Entra Connect server is a standalone server and not operating as a Domain Controller.

• Pre-requisite: Ensure that the 4624 logon event is enabled on the Entra Connect server. This step is necessary only if the Entra Connect server is not functioning as a Domain Controller.

User Password Reset by Entra Connect Account:
The Entra Connect connector account often holds high privileges, including the ability to reset user’s passwords. Microsoft Defender for Identity now has visibility into those actions and will detect any usage of those permissions that were identified as malicious and non-legitimate. This alert will be triggered only if the password writeback feature is disabled.

Suspicious writeback by Entra Connect on a sensitive user:

While Entra Connect already prevents writeback for users in privileged groups, Microsoft Defender for Identity expands this protection by identifying additional types of sensitive accounts. This enhanced detection helps prevent unauthorized password resets on critical accounts, which can be a crucial step in advanced attacks targeting both cloud and on-premises environments.

 

Additional improvements and capabilities:

• New activity of any failed password reset on a sensitive account available in the ‘IdentityDirectoryEvents’ table in Advanced Hunting. This can help customers track failed password reset events and create custom detection based on this data.
• Enhanced accuracy for the DC sync attack detection.
• New health alert for cases where the sensor is unable to retrieve the configuration from the Entra Connect service.
• Extended monitoring for security alerts, such as PowerShell Remote Execution Detector, by enabling the new sensor on Entra Connect servers.

 

New posture recommendations in Microsoft Secure Score (Identity security assessment):

Rotate password for Entra Connect connector account:
A compromised Entra Connect connector account (AD DS connector account, commonly shown as MSOL_XXXXXXXX) can grant access to high-privilege functions like replication and password resets, allowing attackers to modify synchronization settings and compromise security in both cloud and on-premises environments as well as offering several paths for compromising the entire domain. In this assessment we recommend customers change the password of MSOL accounts with the password last set over 90 days ago.

Remove unnecessary replication permissions for Entra Connect Account:
By default, the Entra Connect connector account has extensive permissions to ensure proper synchronization (even if they are not actually required). If Password Hash Sync is not configured, it’s important to remove unnecessary permissions to reduce the potential attack surface.

Change password for Entra seamless SSO account configuration:
This report lists all Entra seamless SSO computer accounts with password last set over 90 days ago. The password for the Azure SSO computer account is not automatically changed every 30 days. If an attacker compromises this account, they can generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user in the Entra tenant that is synchronized from Active Directory. An attacker can use this to move laterally from Active Directory into Entra ID.

Remove Resource Based Constrained Delegation for Entra seamless SSO account:
If resource-based constrained delegation is configured on the AZUREADSSOACC computer account, an account with the delegation would be able to generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user in the Entra tenant that is synchronized from AD.

All new recommendations require a sensor installed on servers running Entra Connect services.
The recommendations related to the Entra seamless SSO account will be available only if Defender for Identity can detect this type of computer account, while the recommendations related to the connector account will be available if our sensor recognized a retrieve configuration data from the Entra Connect services.

New Entra Connect recommendations in Microsoft Secure Score

 

As cyber threats become more sophisticated, the need for advanced security solutions is more pressing than ever. The new sensor for Entra Connect Server within Microsoft Defender for Identity represents a significant advancement in protecting and detecting threats within the identity fabric. By adopting this powerful tool, organizations can enhance their security posture, safeguard their identity infrastructure, and maintain the trust of their users.

We highly recommend customers install a sensor on any Domain controller, AD CS, AD FS, or Entra Connect servers. In the upcoming weeks, our team will delve deeper into potential enhancements for the Entra Connect support to better help organizations stay secure and protected.

Learn more about the new sensor in our documentation here and stay tuned for more updates and insights on how MDI continues to innovate in the realm of cybersecurity, ensuring that your organization remains secure in an ever-changing digital world.