The Microsoft Incident Response team has observed common misconfigurations for Microsoft Entra ID across various industry verticals.
In their recent post, they present details on the common misconfigurations observed in their engagements and provide guidance on how to properly configure Microsoft Entra ID to remove risks and harden environments against cyberattacks.
For example:
- Accounts that are used to administer Microsoft Entra ID should be native to Microsoft Entra ID and not synced from on-premises Active Directory
- Any account that holds privilege in on-premises Active Directory, such as members of Domain Admins and comparable administrative groups, should be completely excluded from syncing to Microsoft Entra ID
- To remove the attack vector of direct phishing attempts, users that hold privilege in Microsoft Entra ID should not have a mailbox assigned
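The first and third recommendations can be checked against a tenant's directory role memberships. The script below is an added example, not Microsoft's code or part of the blog post: it evaluates user records in the shape Microsoft Graph returns (the `onPremisesSyncEnabled` and `assignedPlans` fields of a `user`), which in practice come from `GET /directoryRoles/{id}/members` followed by `GET /users/{id}?$select=userPrincipalName,onPremisesSyncEnabled,assignedPlans`. The records here are constructed inline so the check runs offline, and the assumption that an enabled `exchange` entry in `assignedPlans` indicates a mailbox is a licensing heuristic; Exchange Online itself is authoritative. The second recommendation (excluding privileged on-premises accounts from sync) is enforced on the Entra Connect side and is not visible in these fields, so it is not covered.

```python
"""Audit Entra ID privileged users for two misconfigurations:
   1. admin account is synced from on-premises AD (should be cloud-native)
   2. admin account has an Exchange Online mailbox (phishing target)

Added example, not Microsoft's code. Input records mirror Microsoft Graph
`user` objects and are constructed inline for an offline run.
"""
from dataclasses import dataclass

# Constructed sample: role display name -> member user ids
# (the shape of GET /directoryRoles/{id}/members, reduced to ids)
ROLE_MEMBERS = {
    "Global Administrator": ["u1", "u2"],
    "Privileged Role Administrator": ["u3"],
    "Helpdesk Administrator": ["u4"],
}

# Constructed sample users in Graph shape.
# onPremisesSyncEnabled is true for synced users, null for cloud-only users.
# assignedPlans entries come from the user's licences; an "exchange" plan with
# capabilityStatus "Enabled" is taken here (assumption) as the mailbox signal.
USERS = {
    "u1": {"userPrincipalName": "ga-admin@contoso.example",
           "onPremisesSyncEnabled": None, "assignedPlans": []},
    "u2": {"userPrincipalName": "jdoe@contoso.example",
           "onPremisesSyncEnabled": True,
           "assignedPlans": [{"service": "exchange", "capabilityStatus": "Enabled"}]},
    "u3": {"userPrincipalName": "pra-admin@contoso.example",
           "onPremisesSyncEnabled": None,
           "assignedPlans": [{"service": "exchange", "capabilityStatus": "Enabled"}]},
    "u4": {"userPrincipalName": "hd-admin@contoso.example",
           "onPremisesSyncEnabled": None,
           "assignedPlans": [{"service": "exchange", "capabilityStatus": "Deleted"}]},
}


@dataclass(frozen=True)
class Finding:
    upn: str
    role: str
    issue: str  # "synced-from-on-prem" or "has-mailbox"


def has_mailbox(user: dict) -> bool:
    """True if the user holds an enabled Exchange Online plan (mailbox heuristic)."""
    return any(
        p.get("service") == "exchange" and p.get("capabilityStatus") == "Enabled"
        for p in user.get("assignedPlans", [])
    )


def audit(role_members: dict, users: dict) -> list:
    """Return one Finding per (privileged user, violated recommendation)."""
    findings = []
    for role, member_ids in role_members.items():
        for uid in member_ids:
            user = users[uid]
            upn = user["userPrincipalName"]
            # Recommendation: admin accounts must be native to Entra ID, not synced
            if user.get("onPremisesSyncEnabled"):
                findings.append(Finding(upn, role, "synced-from-on-prem"))
            # Recommendation: privileged users should not have a mailbox
            if has_mailbox(user):
                findings.append(Finding(upn, role, "has-mailbox"))
    return findings


if __name__ == "__main__":
    for f in audit(ROLE_MEMBERS, USERS):
        print(f"{f.issue:22} {f.role:32} {f.upn}")
```

Against the constructed sample the audit flags `jdoe@contoso.example` twice (synced and mailbox-enabled while holding Global Administrator) and `pra-admin@contoso.example` once for the mailbox; the Helpdesk Administrator's deleted Exchange plan is correctly ignored. Each finding maps directly to a remediation: replace the synced admin with a cloud-only account, and remove the Exchange licence from the remaining privileged accounts.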
For more than 100 recommendations on how to best configure your Entra ID, visit:
- Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog
https://www.microsoft.com/en-us/security/blog/2023/12/05/microsoft-incident-response-lessons-on-preventing-cloud-identity-compromise/
