Name | Description | Severity | Type |
---|---|---|---|
Password Expiration Enforced | Enforcing password expiration in Microsoft Entra ID domains can undermine security by prompting users to change passwords frequently, often leading to weak, predictable, or reused passwords that reduce overall account protection. | LOW | |
Password Protection Not Enabled for On-Premises Environments | Microsoft Entra Password Protection blocks weak, commonly used and organization-specific banned passwords. When it is not deployed to the on-premises Active Directory environment, those banned-password lists are not applied to passwords set on-premises, so synchronized users can still choose easily guessable passwords. | MEDIUM | |
Federated Domains List | A malicious federated domain configuration is a common threat, used by attackers as an authentication backdoor into the Entra ID tenant. Verifying existing and newly added federated domains is crucial to ensure their configurations are trustworthy and legitimate. This Indicator of Exposure provides a comprehensive list of federated domains and their relevant attributes to help you make informed decisions about their security status. | LOW | |
Known Federated Domain Backdoor | Microsoft Entra ID allows delegation of authentication to another identity provider through federation. Attackers with elevated privileges can abuse this feature by adding a federated domain they control (or by converting an existing domain to federation with their own token-signing certificate), which lets them mint tokens for tenant users without knowing any password and yields persistence and privilege escalation. | CRITICAL | |
Missing MFA for Non-Privileged Account | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it. | MEDIUM | |
Public M365 Group | Microsoft 365 groups stored in Entra ID are either public or private. Public groups pose a security risk because any user within the tenant can join them and gain access to their data (Teams chats/files, emails...). | MEDIUM | |
Temporary Access Pass Feature Enabled | The Temporary Access Pass (TAP) feature is a temporary authentication method that uses a time-limited or limited-use passcode. While it is a legitimate feature, it is safer to disable it to reduce the attack surface if your organization does not require it. | LOW | |
Unverified Domain | You must confirm ownership of all custom domains in Entra ID. Keep unverified domains only temporarily - you should either verify or remove them to maintain a clean domain list and facilitate efficient reviews. | LOW | |
Guest Account With a Privileged Role | Guest accounts are external identities that can pose a security risk when they have privileged roles assigned to them. This grants substantial privileges within the tenant to individuals outside your organization. | HIGH | |
First-Party Service Principal With Credentials | First-party service principals (those owned by Microsoft) often hold powerful permissions yet are easily overlooked because they are numerous and hidden from the default portal views. Attackers add their own credentials to them to use those privileges stealthily for privilege escalation and persistence. | HIGH | |
MFA Not Required for a Privileged Role | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, particularly for privileged accounts with assigned privileged roles. | HIGH | |
Suspicious AD Synchronization Role Assignment | Microsoft designed two hidden built-in Entra ID roles for Active Directory synchronization, intended exclusively for the Entra Connect or Cloud Sync service accounts. These roles carry implicit privileged permissions, so any other principal assigned to them is suspect: malicious actors can use such an assignment to launch covert attacks. | HIGH | |
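As an added example, not part of this indicator list or of the product that produces it, the Python below evaluates six of the indicators above (Password Expiration Enforced, Federated Domains List, Unverified Domain, Guest Account With a Privileged Role, Suspicious AD Synchronization Role Assignment, First-Party Service Principal With Credentials) over constructed, offline data shaped like Microsoft Graph responses for `/domains`, `/directoryRoles?$expand=members` and `/servicePrincipals`. The Graph attribute names, the "never expires" sentinel, the Microsoft-services tenant ID, the role template IDs and the `Sync_` account-name convention are assumptions made for the example; verify them against Microsoft's documentation and your own tenant before relying on them.

```python
"""Evaluate several Entra ID Indicators of Exposure over Graph-shaped data.

Example code, not from the page or its vendor. All constants below are
assumptions to be verified against Microsoft documentation and your tenant.
"""
from dataclasses import dataclass

NEVER_EXPIRES = 2147483647  # Graph sentinel for passwordValidityPeriodInDays: passwords never expire
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"  # assumed owner tenant of first-party apps
PRIVILEGED_ROLE_TEMPLATES = {  # built-in roleTemplateId values treated as privileged here; extend as needed
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
}
DIRSYNC_ROLE_TEMPLATE = "d29b2b05-8046-44ba-8758-1e26182fcf32"  # assumed: Directory Synchronization Accounts
EXPECTED_SYNC_ACCOUNT_PREFIX = "Sync_"  # assumed: Entra Connect names its account Sync_<server>_<id>@...


@dataclass(frozen=True)
class Finding:
    indicator: str
    severity: str
    subject: str
    detail: str


def check_domains(domains):
    """Unverified Domain, Federated Domains List, Password Expiration Enforced."""
    findings = []
    for d in domains:
        name = d["id"]
        if not d.get("isVerified", False):
            findings.append(Finding("Unverified Domain", "LOW", name,
                                    "ownership not confirmed; verify or remove"))
        if d.get("authenticationType") == "Federated":
            findings.append(Finding("Federated Domains List", "LOW", name,
                                    "authentication delegated to an external IdP; review its configuration"))
        elif d.get("passwordValidityPeriodInDays", NEVER_EXPIRES) != NEVER_EXPIRES:
            # Password policy of a federated domain is enforced by the IdP, so only managed domains are checked.
            findings.append(Finding("Password Expiration Enforced", "LOW", name,
                                    f"passwords expire every {d['passwordValidityPeriodInDays']} days"))
    return findings


def check_role_members(directory_roles):
    """Guest Account With a Privileged Role, Suspicious AD Synchronization Role Assignment."""
    findings = []
    for role in directory_roles:
        template = role.get("roleTemplateId")
        for m in role.get("members", []):
            upn = m.get("userPrincipalName") or m.get("id", "?")
            if template in PRIVILEGED_ROLE_TEMPLATES and m.get("userType") == "Guest":
                findings.append(Finding("Guest Account With a Privileged Role", "HIGH", upn,
                                        f"guest holds {PRIVILEGED_ROLE_TEMPLATES[template]}"))
            if template == DIRSYNC_ROLE_TEMPLATE and not upn.startswith(EXPECTED_SYNC_ACCOUNT_PREFIX):
                findings.append(Finding("Suspicious AD Synchronization Role Assignment", "HIGH", upn,
                                        "member of the sync role but not a recognised sync service account"))
    return findings


def check_service_principals(service_principals):
    """First-Party Service Principal With Credentials."""
    findings = []
    for sp in service_principals:
        if sp.get("appOwnerOrganizationId") != MICROSOFT_SERVICES_TENANT:
            continue  # not Microsoft-owned: credentials on it are expected and out of scope here
        n_creds = len(sp.get("keyCredentials", [])) + len(sp.get("passwordCredentials", []))
        if n_creds:
            findings.append(Finding("First-Party Service Principal With Credentials", "HIGH",
                                    sp["displayName"],
                                    f"{n_creds} credential(s) present on a Microsoft-owned service principal"))
    return findings


def evaluate(tenant):
    """Run every check and return findings ordered by severity, indicator, subject."""
    findings = (check_domains(tenant["domains"])
                + check_role_members(tenant["directoryRoles"])
                + check_service_principals(tenant["servicePrincipals"]))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.indicator, f.subject))


# Constructed sample tenant (not real data), shaped like the Graph objects named above.
SAMPLE_TENANT = {
    "domains": [
        {"id": "contoso.com", "isVerified": True, "authenticationType": "Managed", "passwordValidityPeriodInDays": 90},
        {"id": "partner-idp.example", "isVerified": True, "authenticationType": "Federated", "passwordValidityPeriodInDays": 90},
        {"id": "staging.example", "isVerified": False, "authenticationType": "Managed", "passwordValidityPeriodInDays": NEVER_EXPIRES},
    ],
    "directoryRoles": [
        {"roleTemplateId": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "members": [
            {"userPrincipalName": "alice@contoso.com", "userType": "Member"},
            {"userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
        ]},
        {"roleTemplateId": DIRSYNC_ROLE_TEMPLATE, "displayName": "Directory Synchronization Accounts", "members": [
            {"userPrincipalName": "Sync_SRV01_1a2b3c@contoso.onmicrosoft.com", "userType": "Member"},
            {"userPrincipalName": "mallory@contoso.com", "userType": "Member"},
        ]},
    ],
    "servicePrincipals": [
        {"displayName": "Microsoft Graph", "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT, "keyCredentials": [], "passwordCredentials": []},
        {"displayName": "Office 365 Exchange Online", "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT, "keyCredentials": [{"keyId": "k1"}], "passwordCredentials": []},
        {"displayName": "LineOfBusinessApp", "appOwnerOrganizationId": "11111111-2222-3333-4444-555555555555", "keyCredentials": [], "passwordCredentials": [{"keyId": "p1"}]},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_TENANT):
        print(f"[{f.severity}] {f.indicator}: {f.subject} ({f.detail})")
```

On the constructed tenant the evaluation reports six findings: a guest Global Administrator, a non-sync account in the sync role and a credential on a Microsoft-owned service principal at HIGH, then the federated partner domain, the unverified staging domain and the 90-day expiry on the managed domain at LOW. The sync-account check is the weakest heuristic here: a name prefix is easy to imitate, so in practice compare the role's members against the account Entra Connect or Cloud Sync actually created rather than against a naming pattern.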