Name | Description | Severity
---|---|---
User Primary Group | Verifies that users' primary group has not been changed. | critical
Dangerous Kerberos Delegation | Checks for unauthorized Kerberos delegation and ensures that privileged users are protected against it. | critical
Reversible Passwords | Verifies that the option to store passwords in a reversible format is not enabled. | medium
Reversible Passwords in GPO | Checks that GPO preferences do not allow passwords in a reversible format. | medium
Ensure SDProp Consistency | Controls that the AdminSDHolder object is in a clean state. | critical
Last Password Change on KRBTGT Account | Checks for KRBTGT accounts that have not changed their password for longer than the recommended interval. | high
Native Administrative Group Members | Detects abnormal accounts in the native administrative groups of Active Directory. | critical
Privileged Accounts Running Kerberos Services | Detects highly privileged accounts with a Service Principal Name (SPN) attribute, which affects their security. | critical
AdminCount Attribute Set on Standard Users | Checks for the adminCount attribute on decommissioned accounts, which leads to permission issues that are difficult to manage. | medium
Dormant Accounts | Detects unused dormant accounts that can lead to security risks. | medium
Dangerous Trust Relationships | Identifies misconfigured trust relationship attributes that decrease the security of a directory infrastructure. | high
Accounts With Never Expiring Passwords | Checks for accounts with the DONT_EXPIRE_PASSWORD flag in the userAccountControl attribute, which allows indefinite use of the same password and bypasses password renewal policies. | medium
Unlinked, Disabled or Orphan GPO | Unused or disabled GPOs slow directory performance and RSoP computation, and can cause security policy confusion. Reactivating them by mistake can weaken existing policies. | low
Never Used Device | Avoid pre-created, never-used device accounts: they reflect poor hygiene practices and can pose security risks. | low
Weak Password Policy - Minimum Length | A password policy with a low minimum length allows users to create short, easily guessable passwords, increasing the risk of compromise. | high
Weak Password Policy - Password History | A password policy with a low password history count allows users to reuse potentially compromised passwords. | medium
Empty Entra Group | Empty groups can lead to confusion, compromise security, and result in unused resources. It is generally advisable to establish a clear purpose for groups and ensure they contain relevant members. | low
Risky Users Without Enforcement | Block risky users to prevent unauthorized access and potential breaches. Security best practices recommend using Conditional Access Policies to stop vulnerable accounts from authenticating to Entra ID. | medium
Privileged Entra Account Synchronized With AD (Hybrid) | Hybrid accounts (i.e. accounts synchronized from Active Directory) with privileged roles in Entra ID pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts. | high
Conditional Access Policy Disables Continuous Access Evaluation | Continuous Access Evaluation is an Entra ID security feature that enables swift reactions to security policy changes or user status updates. For this reason, do not disable it. | medium
Dangerous Application Permissions Affecting the Tenant | Microsoft exposes APIs in Entra ID to allow third-party applications to perform actions on Microsoft services on their own (called "application permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant. | high
Dormant Privileged User | Dormant privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activity by expanding the attack surface. | medium
Weak Password Policy - Common Passwords | A password policy that allows common passwords increases the risk of compromise, as users may choose weak, easily guessable credentials. | high
Federation Signing Certificates Mismatch | Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding a malicious token-signing certificate, leading to persistence and privilege escalation. | high
Managed Devices Not Required for Authentication | Require managed devices to prevent unauthorized access and potential breaches. Security best practices recommend using Conditional Access Policies to block authentication to Entra ID from unmanaged devices. | medium
Unrestricted User Consent for Applications | Entra ID allows users to autonomously consent to external applications' access to the organization's data, which attackers may exploit in "illicit consent grant" attacks. Prevent this by restricting consent to verified publishers or requiring administrator approval. | medium
Unusual Federation Signing Certificate Validity Period | An unusually long validity period for a federation signing certificate is suspicious, as it could indicate that an attacker obtained elevated privileges in Entra ID and created a backdoor through the federation trust mechanism. | medium
High Number of Administrators | Administrators have elevated privileges, and a high number of them poses a security risk because it increases the attack surface. It is also a sign that the least-privilege principle is not respected. | high
Dangerous Application Permissions Affecting Data | Microsoft exposes APIs in Entra ID to allow third-party applications to perform actions on Microsoft services on their own (called "application permissions"). Certain permissions can pose a threat to the users' data that these services store. | medium
Dormant Non-Privileged User | Dormant non-privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activity by expanding the attack surface. | low
Dynamic Group Featuring an Exploitable Rule | Attackers can exploit dynamic groups in Microsoft Entra ID by manipulating self-modifiable attributes, allowing them to add themselves as group members. This manipulation enables privilege escalation and unauthorized access to sensitive resources tied to the groups. | medium
Never Used Non-Privileged User | Never-used non-privileged user accounts are vulnerable to compromise as they often evade detection by defensive measures. Additionally, their default passwords make them prime targets for attackers. | low
Weak Password Policy - Lockout Threshold | A password policy with a high lockout threshold can allow attackers to perform brute-force attacks before triggering an account lockout. | high
Authentication Methods Migration Not Complete | Migrating to the "Authentication methods" policy streamlines and modernizes authentication management in Microsoft Entra ID. This transition simplifies administration, enhances security, and enables support for the latest authentication methods. To avoid disruptions caused by the deprecation of legacy policies, complete your migration by September 2025. | medium
Missing MFA for Privileged Account | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, especially for privileged accounts. Accounts without a registered MFA method cannot benefit from it. | high
Privileged Account Naming Convention | A naming convention for privileged users in Entra ID is crucial for security, standardization and audit compliance, and it facilitates administration. | low
Privileged Entra Account With Access To M365 Services | You should have separate Entra accounts for administrative tasks: one standard account for daily use and another privileged account limited specifically to administration activities. This approach reduces the attack surface of the privileged account. | medium
Users Allowed to Join Devices | Allowing all users to join unrestricted devices to the Entra tenant opens the door for threat actors to plant rogue devices in the organization's identity system and gives them a foothold for further compromise. | low
Entra Security Defaults Not Enabled | Entra ID Security Defaults offer pre-configured, Microsoft-recommended settings to enhance tenant protection. | medium
MFA Not Required for Risky Sign-ins | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you require MFA for risky sign-ins, for example when the authentication request may not come from the legitimate identity owner. | high
Show Additional Context in Microsoft Authenticator Notifications | For improved visibility, enable Microsoft Authenticator notifications to display additional context, such as the application name and geolocation. This helps users identify and deny potentially malicious MFA or passwordless authentication requests, effectively mitigating the risk of MFA fatigue attacks. | medium
Single Member Entra Group | It is not advisable to create a group with only one member because it introduces redundancy and complexity. This practice unnecessarily complicates management by adding layers and diminishes the intended efficiency of using groups for streamlined access control and administration. | low
Unrestricted Guest Accounts | Guest users in Entra ID have limited access by default, which reduces their visibility within the tenant, but it is possible to tighten these restrictions further to enhance security and privacy. | medium
Application Allowing Multi-Tenant Authentication | Entra applications that allow multi-tenant authentication may give unauthorized access to malicious users if this configuration was enabled without full awareness or without adequate authorization checks in the application code. | low
Dangerous Delegated Permissions Affecting Data | Microsoft exposes APIs in Entra ID to allow third-party applications to perform actions on Microsoft services on behalf of users (called "delegated permissions"). Certain permissions can pose a threat to the users' data that these services store. | medium
Dangerous Delegated Permissions Affecting the Tenant | Microsoft exposes APIs in Entra ID to allow third-party applications to perform actions on Microsoft services on behalf of users (called "delegated permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant. | high
Dormant Device | Dormant devices pose security risks such as outdated configurations and unpatched vulnerabilities. Without regular monitoring and updates, these stale devices become potential targets for exploitation, compromising tenant integrity and data confidentiality. | low
Managed Devices Not Required for MFA Registration | Requiring managed devices for MFA registration makes it harder for attackers who have stolen credentials to register their own rogue MFA method unless they also have access to a managed device. | medium
Never Used Privileged User | Never-used privileged user accounts are vulnerable to compromise as they often evade detection by defensive measures. Additionally, their default passwords make them prime targets for attackers. | medium
Password Expiration Enforced | Enforcing password expiration in Microsoft Entra ID domains can undermine security by prompting users to change passwords frequently, which often leads to weak, predictable, or reused passwords that reduce overall account protection. | low