Indicators of Exposure

| Name | Description | Severity |
|---|---|---|
| Last Password Change on KRBTGT account | Checks for KRBTGT accounts whose password has not been changed for longer than the recommended interval. | High |
| Native Administrative Group Members | Detects abnormal accounts in the native administrative groups of Active Directory. | Critical |
| Privileged Accounts Running Kerberos Services | Detects highly privileged accounts with a Service Principal Name (SPN) attribute, which weakens their security. | Critical |
| AdminCount Attribute Set on Standard Users | Checks for the adminCount attribute on decommissioned accounts, which leads to permission issues that are difficult to manage. | Medium |
| Dormant Accounts | Detects unused dormant accounts that can lead to security risks. | Medium |
| Dangerous Trust Relationships | Identifies misconfigured trust relationship attributes that decrease the security of a directory infrastructure. | High |
| Accounts With Never Expiring Passwords | Checks for accounts with the DONT_EXPIRE_PASSWORD flag in the userAccountControl attribute, which allows indefinite use of the same password and bypasses password renewal policies. | Medium |
| Unlinked, Disabled or Orphan GPO | Unused or disabled GPOs slow directory performance and RSoP computation, and can lead to security policy confusion. Reactivating them by mistake can weaken existing policies. | Low |
| Empty AD Group | Empty groups can lead to confusion, compromise security, and result in unused resources. It is generally advisable to establish a clear purpose for groups and ensure they contain relevant members. | Low |
| Empty Entra Group | Empty groups can lead to confusion, compromise security, and result in unused resources. It is generally advisable to establish a clear purpose for groups and ensure they contain relevant members. | Low |
| Never Used Device | You should avoid pre-created, never-used device accounts, as they reflect poor hygiene practices and can pose security risks. | Low |
| Privileged Entra Account Synchronized With AD (Hybrid) | Hybrid accounts (i.e. accounts synchronized from Active Directory) with privileged roles in Entra ID pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts. | High |
| Conditional Access Policy Disables Continuous Access Evaluation | Continuous Access Evaluation is an Entra ID security feature that enables swift reactions to security policy changes or user status updates. For this reason, do not disable it. | Medium |
| Dangerous Application Permissions Affecting the Tenant | Microsoft exposes APIs in Entra ID that allow third-party applications to perform actions on Microsoft services on their own (called "application permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant. | High |
| Dormant Privileged User | Dormant privileged users pose security risks, as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users expand the attack surface and create potential entry points for malicious activity. | Medium |
| Federation Signing Certificates Mismatch | Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding a malicious token-signing certificate, leading to persistence and privilege escalation. | High |
| High Number of Administrators | Administrators have elevated privileges and pose a security risk when there are many of them, since this increases the attack surface. It is also a sign that the least-privilege principle is not respected. | High |
| Single Member AD Group | It is not advisable to create a group with only one member, because it introduces redundancy and complexity. This practice unnecessarily complicates management by adding layers and diminishes the intended efficiency of using groups for streamlined access control and administration. | Low |
| Unrestricted User Consent for Applications | Entra ID allows users to autonomously consent to external applications' access to the organization's data, which attackers may exploit in "illicit consent grant" attacks. Prevent this by restricting access to verified publishers or requiring administrator approval. | Medium |
| Unusual Federation Signing Certificate Validity Period | An unusually long validity period for a federation signing certificate is suspicious, as it could indicate that an attacker obtained elevated privileges in Entra ID and created a backdoor through the federation trust mechanism. | Medium |
| Application Allowing Multi-Tenant Authentication | Entra applications that allow multi-tenant authentication may give unauthorized access to malicious users if this configuration was enabled without full awareness and without adequate authorization checks in the application code. | Low |
| Dormant Non-Privileged User | Dormant non-privileged users pose security risks, as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users expand the attack surface and create potential entry points for malicious activity. | Low |
| Dynamic Group Featuring an Exploitable Rule | Attackers can exploit dynamic groups in Microsoft Entra ID by manipulating self-modifiable attributes, allowing them to add themselves as group members. This manipulation enables privilege escalation and unauthorized access to sensitive resources tied to the groups. | Medium |
| Entra Security Defaults Not Enabled | Entra ID Security Defaults offer pre-configured, Microsoft-recommended settings that enhance tenant protection. | Medium |
| MFA Not Required for Risky Sign-ins | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend requiring MFA for risky sign-ins, for example when the authentication request may not come from the legitimate identity owner. | High |
| Missing MFA for Privileged Account | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend enabling MFA, especially for privileged accounts. Accounts without a registered MFA method cannot benefit from it. | High |
| Never Used Non-Privileged User | Never-used non-privileged user accounts are vulnerable to compromise, as they often evade detection by defensive measures. Additionally, their default passwords make them prime targets for attackers. | Low |
| Privileged Account Naming Convention | A naming convention for privileged users in Entra ID is crucial for security, standardization and audit compliance, and it facilitates administration. | Low |
| Privileged Entra Account With Access To M365 Services | You should have separate Entra accounts for administrative tasks: one standard account for daily use and another privileged account limited specifically to administration activities. This approach reduces the attack surface of the privileged account. | Medium |
| Show Additional Context in Microsoft Authenticator Notifications | For improved visibility, enable Microsoft Authenticator notifications to display additional context, such as the application name and geolocation. This helps users identify and deny potentially malicious MFA or passwordless authentication requests, mitigating the risk of MFA fatigue attacks. | Medium |
| Single Member Entra Group | It is not advisable to create a group with only one member, because it introduces redundancy and complexity. This practice unnecessarily complicates management by adding layers and diminishes the intended efficiency of using groups for streamlined access control and administration. | Low |
| Unrestricted Guest Accounts | By default, guest users in Entra ID have limited access to reduce their visibility within the tenant, but it is possible to enhance security and privacy by tightening these restrictions further. | Medium |
| Ability of Standard Accounts to Register Applications | By default, any Entra user can register applications within the tenant. While this feature is convenient and not an immediate security vulnerability, it does carry certain risks. Therefore, following best practices, Tenable recommends disabling this capability. | Low |
| Dangerous Delegated Permissions Affecting the Tenant | Microsoft exposes APIs in Entra ID that allow third-party applications to perform actions on Microsoft services on behalf of users (called "delegated permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant. | High |
| Disabled Account Assigned to Privileged Role | A sane account management process requires monitoring assignments to privileged roles. | Low |
| Dormant Device | Dormant devices pose security risks such as outdated configurations and unpatched vulnerabilities. Without regular monitoring and updates, these stale devices become potential targets for exploitation, compromising tenant integrity and data confidentiality. | Low |
| Enabled Guest Account | By default, the guest account is disabled in Active Directory. Enabling this account introduces security risks by allowing anonymous access to the domain, which threat actors might use to conduct reconnaissance and potentially compromise network integrity by accessing sensitive data and enumerating accounts. | Low |
| Guest Accounts with Equal Access to Normal Accounts | It is not advisable to configure Entra ID to consider guests as regular users, as it may enable malicious guests to conduct comprehensive reconnaissance on the tenant's resources. | High |
| Legacy Authentication Not Blocked | Legacy authentication methods do not support Multi-Factor Authentication (MFA), enabling attackers to continue performing brute-force, credential stuffing, and password-spraying attacks. | Medium |
| Never Used Privileged User | Never-used privileged user accounts are vulnerable to compromise, as they often evade detection by defensive measures. Additionally, their default passwords make them prime targets for attackers. | Medium |
| Password Protection Not Enabled for On-Premises Environments | Microsoft Entra Password Protection is a security feature that prevents users from setting easily guessable passwords, enhancing overall password security in an organization. | Medium |
| Federated Domains List | Malicious federated domain configuration is a common threat, used by attackers as an authentication backdoor to the Entra ID tenant. Verifying existing and newly added federated domains is crucial to ensure their configurations are trustworthy and legitimate. This Indicator of Exposure provides a comprehensive list of federated domains and their relevant attributes to help you make informed decisions about their security status. | Low |
| First-Party Service Principal With Credentials | First-party service principals have powerful permissions yet are easily overlooked because they are hidden, owned by Microsoft and numerous. Attackers add credentials to them to stealthily benefit from their privileges for privilege escalation and persistence. | High |
| Guest Account With a Privileged Role | Guest accounts are external identities that pose a security risk when privileged roles are assigned to them, as this grants substantial privileges within the tenant to individuals outside your organization. | High |
| Known Federated Domain Backdoor | Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding their own malicious federated domain, leading to persistence and privilege escalation. | Critical |
| MFA Not Required for a Privileged Role | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend enabling MFA, particularly for accounts with assigned privileged roles. | High |
| Missing MFA for Non-Privileged Account | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend enabling MFA, even for non-privileged accounts. Accounts without a registered MFA method cannot benefit from it. | Medium |
| Public M365 Group | Microsoft 365 groups stored in Entra ID are either public or private. Public groups pose a security risk because any user within the tenant can join them and gain access to their data (Teams chats/files, emails, etc.). | Medium |
| Suspicious "Directory Synchronization Accounts" Role Assignment | "Directory Synchronization Accounts" is a privileged Entra role hidden within the Azure and Entra ID portals, usually designated for Microsoft Entra Connect (formerly Azure AD Connect) service accounts. However, malevolent actors may exploit this role for covert attacks. | High |
| Temporary Access Pass Feature Enabled | The Temporary Access Pass (TAP) feature is a temporary authentication method that uses a time-limited or limited-use passcode. While it is a legitimate feature, it is safer to disable it to reduce the attack surface if your organization does not require it. | Low |