Name | Description | Severity | Type |
---|---|---|---|
Weak Password Policy - Minimum Age | A password policy with a low minimum password age may allow users to cycle through previously used passwords, potentially reusing compromised credentials. | LOW | |
Ability of Standard Accounts to Register Applications | By default, any Entra user can register applications within the tenant. While this feature is convenient and not an immediate security vulnerability, it does carry certain risks. Therefore, following best practices, Tenable recommends disabling this capability. | LOW | |
Guest Accounts with Equal Access to Normal Accounts | It is not advisable to configure Entra ID to consider guests as regular users, as it may enable malicious guests to conduct comprehensive reconnaissance on the tenant's resources. | HIGH | |
Legacy Authentication Not Blocked | Legacy authentication methods do not support Multi-Factor Authentication (MFA), enabling attackers to continue performing brute-force, credential stuffing, and password-spraying attacks. | MEDIUM | |
Password Protection Not Enabled for On-Premises Environments | Microsoft Entra Password Protection is a security feature that prevents users from setting easily guessable passwords to enhance overall password security in an organization. | MEDIUM | |
Disabled Account Assigned to Privileged Role | A sound account management process requires monitoring assignments to privileged roles, including assignments still held by disabled accounts. | LOW | |
Federated Domains List | Malicious federated domain configuration is a common threat, used by attackers as an authentication backdoor to the Entra ID tenant. Verifying existing and newly added federated domains is crucial to ensure their configurations are trustworthy and legitimate. This Indicator of Exposure provides a comprehensive list of federated domains and their relevant attributes to help you make informed decisions about their security status. | LOW | |
Known Federated Domain Backdoor | Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding their malicious federated domain, leading to persistence and privilege escalation. | CRITICAL | |
Public M365 Group | Microsoft 365 groups stored in Entra ID are either public or private. Public groups pose a security risk because any user within the tenant can join them and gain access to their data (Teams chats and files, emails, etc.). | MEDIUM | |
Suspicious "Directory Synchronization Accounts" Role Assignment | "Directory Synchronization Accounts" is a privileged Entra role hidden within the Azure and Entra ID portals, usually designated for Microsoft Entra Connect (formerly Azure AD Connect) service accounts. However, malevolent actors may exploit this role for covert attacks. | HIGH | |
Temporary Access Pass Feature Enabled | The Temporary Access Pass (TAP) feature is a temporary authentication method that uses a time-limited or limited-use passcode. While it is a legitimate feature, it is safer to disable it to reduce the attack surface if your organization does not require it. | LOW | |
Unverified Domain | You must confirm ownership of all custom domains in Entra ID. Keep unverified domains only temporarily: either verify or remove them to maintain a clean domain list and facilitate efficient reviews. | LOW | |
First-Party Service Principal With Credentials | First-party service principals have powerful permissions but are easily overlooked because they are hidden, owned by Microsoft, and numerous. Attackers add credentials to them to benefit stealthily from their privileges for privilege escalation and persistence. | HIGH | |
Guest Account With a Privileged Role | Guest accounts are external identities that can pose a security risk when they have privileged roles assigned to them. This grants substantial privileges within the tenant to individuals outside your organization. | HIGH | |
MFA Not Required for a Privileged Role | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, particularly for privileged accounts with assigned privileged roles. | HIGH | |
Missing MFA for Non-Privileged Account | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it. | MEDIUM | |