Indicators of Exposure

Dynamic Objects Misconfiguration and Usage

Medium Severity

Name

Dynamic Objects Misconfiguration and Usage

Description

Detects dynamic objects and insecure configuration related to them.

BadSuccessor Dangerous dMSA Permissions

Critical Severity

Name

BadSuccessor Dangerous dMSA Permissions

Description

BadSuccessor is an Active Directory privilege escalation flaw in Windows Server 2025 that exploits dMSAs, allowing attackers to manipulate account links and potentially compromise the domain.

Non-Essential Group

Low Severity

Name

Non-Essential Group

Description

Verifies that no group is empty or contains only a single member.

Sensitive Exchange Permissions

Critical Severity

Name

Sensitive Exchange Permissions

Description

Identify potentially unsafe permissions that impact Exchange resources or are assigned to Exchange groups.

Unsupported or Outdated Exchange Servers

High Severity

Name

Unsupported or Outdated Exchange Servers

Description

Detects outdated Exchange servers that Microsoft no longer supports as well as those missing the latest Cumulative Updates.

Exchange Dangerous Misconfigurations

High Severity

Name

Exchange Dangerous Misconfigurations

Description

Lists misconfigurations that impact Exchange resources or its underlying Active Directory schema objects.

Hybrid Entra ID Information

Low Severity

Name

Hybrid Entra ID Information

Description

Collects information such as hybrid users and computers from the on-premises Active Directory environment about resources synchronized with Microsoft Entra ID.

Exchange Group Members

High Severity

Name

Exchange Group Members

Description

Unusual accounts in sensitive Exchange groups

Service Accounts Misconfigurations

Medium Severity

Name

Service Accounts Misconfigurations

Description

Shows potential misconfigurations of domain service accounts.

Conflicting Security Principals

Low Severity

Name

Conflicting Security Principals

Description

Checks that there are no duplicated (conflicting) users, computers, or groups.

Shadow Credentials

High Severity

Name

Shadow Credentials

Description

Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials.

Enabled Guest Account

Low Severity

Name

Enabled Guest Account

Description

Checks that the built-in guest account is disabled.

Managed Service Accounts Dangerous Misconfigurations

High Severity

Name

Managed Service Accounts Dangerous Misconfigurations

Description

Ensures Managed Service Accounts (MSAs) are deployed and well configured.

Privileged AD User Accounts Synchronized to Microsoft Entra ID

High Severity

Name

Privileged AD User Accounts Synchronized to Microsoft Entra ID

Description

Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.

Privileged Authentication Silo Configuration

High Severity

Name

Privileged Authentication Silo Configuration

Description

A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.

Unsecure Dynamic DNS Zone Updates Allowed

High Severity

Name

Unsecure Dynamic DNS Zone Updates Allowed

Description

Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates.

WSUS Dangerous Misconfigurations

Critical Severity

Name

WSUS Dangerous Misconfigurations

Description

Lists the misconfigured parameters related to Windows Server Update Services (WSUS).

Property Sets Integrity

Medium Severity

Name

Property Sets Integrity

Description

Checks for the integrity of property sets and validates permissions

Dangerous SYSVOL Replication Configuration

Medium Severity

Name

Dangerous SYSVOL Replication Configuration

Description

Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS).

Detection of Password Weaknesses

High Severity

Name

Detection of Password Weaknesses

Description

Verifies for weaknesses in passwords that may heighten the vulnerability of Active Directory accounts.

Insufficient Hardening Against Ransomware

Medium Severity

Name

Insufficient Hardening Against Ransomware

Description

Ensures that the domain implemented hardening measures to protect against ransomware.

ADCS Dangerous Misconfigurations

Critical Severity

Name

ADCS Dangerous Misconfigurations

Description

List dangerous permissions and misconfigured parameters related to the Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI).

GPO Execution Sanity

High Severity

Name

GPO Execution Sanity

Description

Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane.

Logon Restrictions for Privileged Users

High Severity

Name

Logon Restrictions for Privileged Users

Description

Checks for privileged users who can connect to less privileged machines leading to a risk of credential theft.

Unsecured Configuration of Netlogon Protocol

Critical Severity

Name

Unsecured Configuration of Netlogon Protocol

Description

CVE-2020-1472 ("Zerologon") affects Netlogon protocol and allows elevation of privilege

Vulnerable Credential Roaming Related Attributes

Low Severity

Name

Vulnerable Credential Roaming Related Attributes

Description

Credential roaming attributes are vulnerable, making the related user protected secrets readable by an attacker.

Potential Clear-Text Password

High Severity

Name

Potential Clear-Text Password

Description

Checks for objects containing potential clear-text passwords in attributes readable by domain users.

Dangerous Sensitive Privileges

High Severity

Name

Dangerous Sensitive Privileges

Description

Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure.

Mapped Certificates on Accounts

Critical Severity

Name

Mapped Certificates on Accounts

Description

Ensures there is no weak certificate mapping assigned to objects.

Domain Without Computer-Hardening GPOs

Medium Severity

Name

Domain Without Computer-Hardening GPOs

Description

Checks hardening GPOs have been deployed on the domain.

Protected Users Group Not Used

High Severity

Name

Protected Users Group Not Used

Description

Verifies for privileged users who are not members of the Protected Users group.

Account with Possible Empty Password

High Severity

Name

Account with Possible Empty Password

Description

Identifies user accounts that allow empty passwords.

Users Allowed to Join Computers to the Domain

Medium Severity

Name

Users Allowed to Join Computers to the Domain

Description

Verify that regular users cannot join external computers to the domain.

Last Change of the Microsoft Entra Seamless SSO Account Password

High Severity

Name

Last Change of the Microsoft Entra Seamless SSO Account Password

Description

Ensures regular changes to the Microsoft Entra Seamless SSO account password.

Dangerous Rights in the AD Schema

High Severity

Name

Dangerous Rights in the AD Schema

Description

Lists schema entries considered anomalous that could potentially offer a means of persistence.

User Account Using Old Password

Medium Severity

Name

User Account Using Old Password

Description

Checks for regular updates of all active account passwords in Active Directory to reduce credential theft risk.

Verify Permissions Related to Microsoft Entra Connect Accounts

Critical Severity

Name

Verify Permissions Related to Microsoft Entra Connect Accounts

Description

Ensure the permissions set on Microsoft Entra Connect accounts are sane

Domain Controllers Managed by Illegitimate Users

Critical Severity

Name

Domain Controllers Managed by Illegitimate Users

Description

Some domain controllers can be managed by non-administrative users due to dangerous access rights.

Application of Weak Password Policies on Users

Critical Severity

Name

Application of Weak Password Policies on Users

Description

Some password policies applied on specific user accounts are not strong enough and can lead to credentials theft.

Verify Sensitive GPO Objects and Files Permissions

Critical Severity

Name

Verify Sensitive GPO Objects and Files Permissions

Description

Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure.

Domain with Unsafe Backward-Compatibility Configuration

Low Severity

Name

Domain with Unsafe Backward-Compatibility Configuration

Description

The dsHeuristics attribute can modify AD behavior, but some fields are security-sensitive and pose a security risk.

Domains with an Outdated Functional Level

Medium Severity

Name

Domains with an Outdated Functional Level

Description

Checks for the correct functional level of a domain or forest which determines the availability of advanced features and security options.

Local Administrative Account Management

Medium Severity

Name

Local Administrative Account Management

Description

Ensures the secure and central management of local administrative accounts using LAPS.

Kerberos Configuration on User Account

Medium Severity

Name

Kerberos Configuration on User Account

Description

Detects accounts that use weak Kerberos configuration.

Root Objects Permissions Allowing DCSync-Like Attacks

Critical Severity

Name

Root Objects Permissions Allowing DCSync-Like Attacks

Description

Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials.

Accounts Using a Pre-Windows 2000 Compatible Access Control

High Severity

Name

Accounts Using a Pre-Windows 2000 Compatible Access Control

Description

Checks for account members of the Pre-Windows 2000 Compatible Access group which can bypass security measures.

Disabled Accounts in Privileged Groups

Low Severity

Name

Disabled Accounts in Privileged Groups

Description

Accounts that are not used anymore should not stay in privileged groups.

Computers Running an Obsolete OS

High Severity

Name

Computers Running an Obsolete OS

Description

Identifies obsolete systems that Microsoft no longer support and which increase the infrastructure vulnerability.

Accounts With a Dangerous SID History Attribute

High Severity

Name

Accounts With a Dangerous SID History Attribute

Description

Checks user or computer accounts using a privileged SID in SID history attribute.

Use of Weak Cryptography Algorithms in Active Directory PKI

Critical Severity

Name

Use of Weak Cryptography Algorithms in Active Directory PKI

Description

Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI.

Recent Use of the Default Administrator Account

Medium Severity

Name

Recent Use of the Default Administrator Account

Description

Checks for recent uses of the built-in administrator account.

User Primary Group

Critical Severity

Name

User Primary Group

Description

Verify users' Primary Group has not been changed

Dangerous Kerberos Delegation

Critical Severity

Name

Dangerous Kerberos Delegation

Description

Checks for unauthorized Kerberos delegation, and ensures protection for privileged users against it.

Reversible Passwords

Medium Severity

Name

Reversible Passwords

Description

Verifies that the option to store passwords in a reversible format does not get enabled.

Reversible Passwords in GPO

Medium Severity

Name

Reversible Passwords in GPO

Description

Checks that GPO preferences do not allow passwords in a reversible format.

Ensure SDProp Consistency

Critical Severity

Name

Ensure SDProp Consistency

Description

Control that the AdminSDHolder object is in a clean state.

Last Password Change on KRBTGT account

High Severity

Name

Last Password Change on KRBTGT account

Description

Checks for KRBTGT accounts that have not changed their passwords for more than the recommended interval.

Native Administrative Group Members

Critical Severity

Name

Native Administrative Group Members

Description

Abnormal accounts in the native administrative groups of Active Directory

Privileged Accounts Running Kerberos Services

Critical Severity

Name

Privileged Accounts Running Kerberos Services

Description

Detects highly privileged accounts with the Service Principal Name (SPN) attribute which affects their security.

AdminCount Attribute Set on Standard Users

Medium Severity

Name

AdminCount Attribute Set on Standard Users

Description

Checks for the adminCount attribute on decommissioned accounts leading to permission issues that are difficult to manage.

Dormant Accounts

Medium Severity

Name

Dormant Accounts

Description

Detects unused dormant accounts that can lead to security risks.

Dangerous Trust Relationships

High Severity

Name

Dangerous Trust Relationships

Description

Identifies misconfigured trust relationship attributes that decrease the security of a directory infrastructure.

Accounts With Never Expiring Passwords

Medium Severity

Name

Accounts With Never Expiring Passwords

Description

Checks for accounts with the DONT_EXPIRE_PASSWORD property flag in the userAccountControl attribute that allows indefinite use of the same password, bypassing password renewal policies.

Unlinked, Disabled or Orphan GPO

Low Severity

Name

Unlinked, Disabled or Orphan GPO

Description

Unused or disabled GPOs slow directory performance and RSoP computation, and can lead to security policy confusion. Reactivating them by mistake can weaken existing policies.

Dangerous Application Permissions Affecting Data

Medium Severity

Name

Dangerous Application Permissions Affecting Data

Description

Microsoft exposes APIs in Entra ID to allow 3rd-party applications to perform actions on Microsoft services on their own (called "application permissions"). Certain permissions can pose a threat to users' data that these services store.

Dynamic Group Featuring an Exploitable Rule

Medium Severity

Name

Dynamic Group Featuring an Exploitable Rule

Description

Attackers can exploit dynamic groups in Microsoft Entra ID by manipulating self-modifiable attributes, allowing them to add themselves as group members. This manipulation enables privilege escalation and unauthorized access to sensitive resources tied to the groups.

Empty Group

Low Severity

Name

Empty Group

Description

Empty groups can lead to confusion, compromise security, and result in unused resources. It is generally advisable to establish a clear purpose for groups and ensure they contain relevant members.

Federated Domains List

Low Severity

Name

Federated Domains List

Description

Malicious federated domain configuration is a common threat, used by attackers as an authentication backdoor to the Entra ID tenant. Verifying existing and newly added federated domains is crucial to ensure their configurations are trustworthy and legitimate. This Indicator of Exposure provides a comprehensive list of federated domains and their relevant attributes to help you to make informed decisions about their security status.

Known Federated Domain Backdoor

Critical Severity

Name

Known Federated Domain Backdoor

Description

Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding their malicious federated domain, leading to persistence and privilege escalation.

Password Expiration Enforced

Low Severity

Name

Password Expiration Enforced

Description

Enforcing password expiration in Microsoft Entra ID domains can undermine security by prompting users to change passwords frequently, often leading to weak, predictable, or reused passwords that reduce overall account protection.

Privileged Account Naming Convention

Low Severity

Name

Privileged Account Naming Convention

Description

A naming convention for privileged users in Entra ID is crucial for security, standardization, audit compliance, and facilitates administration.

Privileged Entra Account Synchronized With AD (Hybrid)

High Severity

Name

Privileged Entra Account Synchronized With AD (Hybrid)

Description

Hybrid accounts, i.e. synchronized from Active Directory, with privileged roles in Entra ID pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts.

Unrestricted User Consent for Applications

Medium Severity

Name

Unrestricted User Consent for Applications

Description

Entra ID allows users to autonomously consent to external applications' access to organization's data, which attackers may exploit in "illicit consent grant" attacks. Prevent this by restricting access to verified publishers or requiring administrator approval.

Unverified Domain

Low Severity

Name

Unverified Domain

Description

You must confirm ownership of all custom domains in Entra ID. Keep unverified domains only temporarily - you should either verify or remove them to maintain a clean domain list and facilitate efficient reviews.

Dangerous Delegated Permissions Affecting Data

Medium Severity

Name

Dangerous Delegated Permissions Affecting Data

Description

Microsoft exposes APIs in Entra ID to allow 3rd-party applications to perform actions on Microsoft services on behalf of users (called "delegated permissions"). Certain permissions can pose a threat to users' data that these services store.

Entra Security Defaults Not Enabled

Medium Severity

Name

Entra Security Defaults Not Enabled

Description

Entra ID Security Defaults offer pre-configured, Microsoft-recommended settings to enhance tenant protection.

Guest Accounts With Equal Access to Normal Accounts

High Severity

Name

Guest Accounts With Equal Access to Normal Accounts

Description

It is not advisable to configure Entra ID to consider guests as regular users, as it may enable malicious guests to conduct comprehensive reconnaissance on the tenant's resources.

Managed Devices Not Required for MFA Registration

Medium Severity

Name

Managed Devices Not Required for MFA Registration

Description

Requiring managed devices for MFA registration makes it harder for attackers to register their rogue MFA, in case of stolen credentials, if they do not also have access to a managed device.

MFA Not Required for Risky Sign-Ins

High Severity

Name

MFA Not Required for Risky Sign-Ins

Description

MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you require MFA for risky sign-ins, for example when the authentication request may not come from the legitimate identity owner.

Missing MFA for Non-Privileged Account

Medium Severity

Name

Missing MFA for Non-Privileged Account

Description

MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it.

Never Used Privileged User

Medium Severity

Name

Never Used Privileged User

Description

Never used privileged user accounts are vulnerable to compromise as they often evade detection from defensive measures. Additionally, their potential default passwords make them prime targets for attackers.

Privileged Entra Account With Access to M365 Services

Medium Severity

Name

Privileged Entra Account With Access to M365 Services

Description

You should have separate Entra accounts for administrative tasks: one standard account for daily use and another privileged account limited specifically to administration activities. This approach reduces the attack surface of the privileged account.

Risky Users Without Enforcement

Medium Severity

Name

Risky Users Without Enforcement

Description

Block risky users to prevent unauthorized access and potential breaches. Security best practices recommend using Conditional Access Policies to stop vulnerable accounts from authenticating to Entra ID.

Unrestricted Guest Accounts

Medium Severity

Name

Unrestricted Guest Accounts

Description

By default, while guest users in Entra ID have limited access to reduce their visibility within the tenant, it is also possible to enhance security and privacy by further tightening these restrictions.

Unusual Federation Signing Certificate Validity Period

Medium Severity

Name

Unusual Federation Signing Certificate Validity Period

Description

An unusually high validity period for a federation signing certificate is suspicious, as it could indicate that an attacker obtained elevated privileges in Entra ID and created a backdoor through the federation trust mechanism.

Ability of Standard Accounts to Register Applications

Low Severity

Name

Ability of Standard Accounts to Register Applications

Description

By default, any Entra user can register applications within the tenant. While this feature is convenient and not an immediate security vulnerability, it does carry certain risks. Therefore, following best practices, Tenable recommends disabling this capability.

Application Allowing Multi-Tenant Authentication

Low Severity

Name

Application Allowing Multi-Tenant Authentication

Description

Entra applications, which allow multi-tenant authentication, may give unauthorized access to malicious users if this configuration was not enabled with full awareness and without implementing adequate authorization checks within the application code.

Conditional Access Policy Disables Continuous Access Evaluation

Medium Severity

Name

Conditional Access Policy Disables Continuous Access Evaluation

Description

Continuous Access Evaluation is an Entra ID security feature that enables swift reactions to security policy changes or user status updates. For this reason, do not disable it.

Password Protection Not Enabled for on-Premises Environments

Medium Severity

Name

Password Protection Not Enabled for on-Premises Environments

Description

Microsoft Entra Password Protection is a security feature that prevents users from setting easily guessable passwords to enhance overall password security in an organization.

Public M365 Group

Medium Severity

Name

Public M365 Group

Description

Microsoft 365 groups stored in Entra ID are either public or private. Public groups pose a security risk because any user within the tenant can join them and gain access to their data (Teams chats/files, emails...).

Show Additional Context in Microsoft Authenticator Notifications

Medium Severity

Name

Show Additional Context in Microsoft Authenticator Notifications

Description

For improved visibility, enable Microsoft Authenticator notifications to display additional context, such as the application name and geolocation. This helps users identify and deny potentially malicious MFA or passwordless authentication requests, effectively mitigating the risk of MFA fatigue attacks.

Suspicious AD Synchronization Role Assignment

High Severity

Name

Suspicious AD Synchronization Role Assignment

Description

Microsoft designed two hidden built-in Entra ID roles for Active Directory synchronization, intended exclusively for Entra Connect or Cloud Sync service accounts. These roles carry implicit privileged permissions, which malicious actors could exploit to launch covert attacks.

Dormant Device

Low Severity

Name

Dormant Device

Description

Dormant devices pose security risks such as outdated configurations and unpatched vulnerabilities. Without regular monitoring and updates, these stale devices become potential targets for exploitation, compromising tenant integrity and data confidentiality.

Federation Signing Certificates Mismatch

High Severity

Name

Federation Signing Certificates Mismatch

Description

Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding a malicious token-signing certificate, leading to persistence and privilege escalation.

First-Party Service Principal With Credentials

High Severity

Name

First-Party Service Principal With Credentials

Description

First-Party Service Principals have powerful permissions while being overlooked because they are hidden, owned by Microsoft and numerous. Attackers add credentials to them to stealthily benefit from their privileges for privilege escalation and persistence.

Legacy Authentication Not Blocked

Medium Severity

Name

Legacy Authentication Not Blocked

Description

Legacy authentication methods do not support Multi-Factor Authentication (MFA), enabling attackers to continue performing brute-force, credential stuffing, and password-spraying attacks.

Managed Devices Not Required for Authentication

Medium Severity

Name

Managed Devices Not Required for Authentication

Description

Require managed devices to prevent unauthorized access and potential breaches. Security best practices recommend using Conditional Access Policies to block authentication to Entra ID from unmanaged devices.

Never Used Device

Low Severity

Name

Never Used Device

Description

You should avoid pre-created never used device accounts as they reflect poor hygiene practices and can potentially pose security risks.

Single Member Group

Low Severity

Name

Single Member Group

Description

It is not advisable to create a group with only one member because it introduces redundancy and complexity. This practice unnecessarily complicates management by adding layers and diminishes the intended efficiency of using groups for streamlined access control and administration.

Temporary Access Pass Feature Enabled

Low Severity

Name

Temporary Access Pass Feature Enabled

Description

The Temporary Access Pass (TAP) feature is a temporary authentication method that uses a time-limited or limited-use passcode. While it is a legitimate feature, it is safer to disable it to reduce the attack surface if your organization does not require it.

MFA Not Required for a Privileged Role

High Severity

Name

MFA Not Required for a Privileged Role

Description

MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, particularly for privileged accounts with assigned privileged roles.

Admin Consent Workflow for Applications Not Configured

Medium Severity

Name

Admin Consent Workflow for Applications Not Configured

Description

The admin consent workflow in Entra ID enables non-administrator users to request application permissions through a structured approval process. If the workflow isn't configured, users who try to access applications may encounter errors without a way to request consent.

Authentication Methods Migration Not Complete

Medium Severity

Name

Authentication Methods Migration Not Complete

Description

Migrating to the "Authentication methods" policy streamlines and modernizes authentication management in Microsoft Entra ID. This transition simplifies administration, enhances security, and enables support for the latest authentication methods. To avoid disruptions caused by the deprecation of legacy policies, complete your migration by September 2025.

Dangerous Application Permissions Affecting the Tenant

High Severity

Name

Dangerous Application Permissions Affecting the Tenant

Description

Dangerous Delegated Permissions Affecting the Tenant

High Severity

Name

Dangerous Delegated Permissions Affecting the Tenant

Description

Disabled Account Assigned to Privileged Role

Low Severity

Name

Disabled Account Assigned to Privileged Role

Description

Having a sane account management process requires monitoring assignments to privileged roles.

Dormant Non-Privileged User

Low Severity

Name

Dormant Non-Privileged User

Description

Dormant non-privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activities by expanding the attack surface.

Dormant Privileged User

Medium Severity

Name

Dormant Privileged User

Description

Dormant privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activities by expanding the attack surface.

Guest Account With a Privileged Role

High Severity

Name

Guest Account With a Privileged Role

Description

Guest accounts are external identities that can pose a security risk when they have privileged roles assigned to them. This grants substantial privileges within the tenant to individuals outside your organization.

Missing MFA for Privileged Account

High Severity

Name

Missing MFA for Privileged Account

Description

MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, especially with privileged accounts. Accounts without an MFA method registered cannot benefit from it.

Never Used Non-Privileged User

Low Severity

Name

Never Used Non-Privileged User

Description

Never used non-privileged user accounts are vulnerable to compromise as they often evade detection from defensive measures. Additionally, their potential default passwords make them prime targets for attackers.

Users Allowed to Join Devices

Low Severity

Name

Users Allowed to Join Devices

Description

Allowing all users to join unrestricted devices to the Entra tenant opens the door for threat actors to plant rogue devices into the organization's identity system and give them a foothold for further compromise.

High Number of Administrators

High Severity

Name

High Number of Administrators

Description

Administrators have elevated privileges and can pose security risks when there is a high number of them since it increases the attack surface. This is also the sign that the least-privileged principle is not respected.