Name | Description | Severity |
---|---|---|
Last Password Change on KRBTGT account | Checks whether the KRBTGT account password has gone unchanged for longer than the recommended interval. A stale KRBTGT key keeps forged Kerberos tickets (golden tickets) valid, so the password must be rotated regularly. | High |
Native Administrative Group Members | Detects abnormal accounts in the native administrative groups of Active Directory. | Critical |
Privileged Accounts Running Kerberos Services | Detects highly privileged accounts that carry a Service Principal Name (SPN). Any authenticated domain user can request a service ticket for such an account and crack its password offline (Kerberoasting). | Critical |
AdminCount Attribute Set on Standard Users | Checks for accounts that still carry adminCount=1 after being removed from protected groups. These orphaned accounts keep ACL inheritance disabled, leading to permissions that are difficult to manage. | Medium |
Dormant Accounts | Detects unused dormant accounts, which attackers can abuse for unauthorized access. | Medium |
Dangerous Trust Relationships | Identifies misconfigured trust relationship attributes that decrease the security of a directory infrastructure. | High |
Accounts With Never Expiring Passwords | Checks for accounts with the DONT_EXPIRE_PASSWORD flag set in the userAccountControl attribute, which allows indefinite use of the same password and bypasses password renewal policies. | Medium |
Unlinked, Disabled or Orphan GPO | Unused or disabled GPOs slow directory performance and RSoP computation, and can lead to security policy confusion. Reactivating them by mistake can weaken existing policies. | Low |
Dummy IoE | Dummy IoE used as a template by Tenable Identity Exposure developers. | Low |
High Number of Administrators | Administrators have elevated privileges; a high number of them increases the attack surface and is a sign that the least-privilege principle is not respected. | High |
Missing MFA for Privileged Account | MFA protects accounts against weak or breached passwords. Security best practices and standards recommend enabling MFA, especially for privileged accounts. Accounts without a registered MFA method cannot benefit from it. | High |
Privileged Entra Account Synchronized With AD (Hybrid) | Hybrid accounts, i.e. accounts synchronized from Active Directory, that hold privileged roles in Entra ID pose a security risk because they let an attacker who compromises AD pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts. | High |
Dangerous API Permissions Affecting the Tenant | Microsoft exposes APIs in Entra ID so that third-party applications can act on Microsoft services. Certain permissions pose a serious threat to the entire Microsoft Entra tenant, so their assignment must be carefully reviewed. | High |
First-Party Service Principal With Credentials | First-party service principals have powerful permissions yet are easily overlooked because they are hidden, owned by Microsoft and numerous. Attackers add credentials to them to stealthily use their privileges for privilege escalation and persistence. | High |
Missing MFA for Non-Privileged Account | MFA protects accounts against weak or breached passwords. Security best practices and standards recommend enabling MFA, even for non-privileged accounts. Accounts without a registered MFA method cannot benefit from it. | Medium |
Known Federated Domain Backdoor | Microsoft Entra ID allows delegation of authentication to another provider through federation. Attackers with elevated privileges can exploit this feature by adding a malicious federated domain, gaining persistence and privilege escalation. | Critical |
Empty AD Group | Empty groups cause confusion, weaken security, and leave unused resources behind. Establish a clear purpose for each group and ensure it contains relevant members. | Low |
Empty Entra Group | Empty groups cause confusion, weaken security, and leave unused resources behind. Establish a clear purpose for each group and ensure it contains relevant members. | Low |
Never Used Device | Avoid pre-created device accounts that have never been used: they reflect poor hygiene and can pose security risks. | Low |
Load test | Dummy weakness for testing purposes that tries to raise a large number of findings. | Low |
Single Member AD Group | A group with only one member adds an unnecessary layer of indirection and complexity, and defeats the purpose of using groups for streamlined access control and administration. | Low |
Conditional Access Policy Disables Continuous Access Evaluation | Continuous Access Evaluation is an Entra ID security feature that reacts quickly to security policy changes or user status updates (for example, revoking access when an account is disabled). Do not disable it. | Medium |
Federation Signing Certificates Mismatch | Microsoft Entra ID allows delegation of authentication to another provider through federation. Attackers with elevated privileges can exploit this feature by adding a malicious token-signing certificate, gaining persistence and privilege escalation. | High |
Unrestricted User Consent for Applications | Entra ID allows users to consent on their own to external applications accessing the organization's data, which attackers exploit in "illicit consent grant" attacks. Prevent this by restricting consent to verified publishers or requiring administrator approval. | Medium |
Unusual Federation Signing Certificate Validity Period | An unusually long validity period for a federation signing certificate is suspicious: it may indicate that an attacker obtained elevated privileges in Entra ID and created a backdoor through the federation trust mechanism. | Medium |
Entra Security Defaults Not Enabled | Entra ID Security Defaults offer pre-configured, Microsoft-recommended settings that enhance tenant protection. | Medium |
MFA Not Required for Risky Sign-ins | MFA protects accounts against weak or breached passwords. Security best practices and standards recommend requiring MFA for risky sign-ins, i.e. when the authentication request may not come from the legitimate identity owner. | High |
Privileged Account Naming Convention | A naming convention for privileged users in Entra ID supports security, standardization, audit compliance and day-to-day administration. | Low |
Privileged Entra Account With Access To M365 Services | Use separate Entra accounts for administrative tasks: a standard account for daily use and a privileged account limited to administration activities. This reduces the attack surface of the privileged account. | Medium |
Application Allowing Multi-Tenant Authentication | Entra applications that allow multi-tenant authentication can give unauthorized access to users from other tenants if the setting was enabled without full awareness and the application code does not implement adequate authorization checks (for example, validating the tenant that issued the token). | Low |
Unrestricted Guest Accounts | Guest users in Entra ID have limited access by default, which reduces their visibility within the tenant; these restrictions can be tightened further to enhance security and privacy. | Medium |
Single Member Entra Group | A group with only one member adds an unnecessary layer of indirection and complexity, and defeats the purpose of using groups for streamlined access control and administration. | Low |
Guest Accounts with Equal Access to Normal Accounts | Do not configure Entra ID to treat guests as regular users: it lets malicious guests conduct comprehensive reconnaissance of the tenant's resources. | High |
Disabled Account Assigned to Privileged Role | A sound account management process requires monitoring privileged role assignments. Remove disabled accounts from privileged roles, since re-enabling such an account would silently restore its privileges. | Low |
Dormant Device | Dormant devices pose security risks such as outdated configurations and unpatched vulnerabilities. Without regular monitoring and updates, these stale devices become targets for exploitation, compromising tenant integrity and data confidentiality. | Low |
Dormant User | Dormant users pose security risks because attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users expand the attack surface and create entry points for malicious activity. | Low |
Enabled Guest Account | By default, the Guest account is disabled in Active Directory. Enabling it permits anonymous-style access to the domain, which threat actors can use for reconnaissance, account enumeration, and access to sensitive data. | Low |
Password Protection Not Enabled for On-Premises Environments | Microsoft Entra Password Protection prevents users from setting easily guessable passwords. When it is not deployed for the on-premises domain, AD password changes are not checked against the banned-password lists. | Medium |
Guest Account With a Privileged Role | Guest accounts are external identities that pose a security risk when assigned privileged roles, since this grants substantial privileges within the tenant to individuals outside your organization. | High |
Never Used User | User accounts that have never been used are vulnerable to compromise because they often evade defensive measures, and their default passwords make them prime targets for attackers. | Low |
Public M365 Group | Microsoft 365 groups stored in Entra ID are either public or private. Public groups pose a security risk because any user in the tenant can join them and access their data (Teams chats and files, emails, and so on). | Medium |
Temporary Access Pass Feature Enabled | The Temporary Access Pass (TAP) feature is a temporary authentication method that uses a time-limited or limited-use passcode. Although legitimate, it is safer to disable it to reduce the attack surface if your organization does not need it. | Low |
Federated Domains List | Malicious federated domain configuration is a common threat, used by attackers as an authentication backdoor into the Entra ID tenant. Verifying existing and newly added federated domains is crucial to ensure their configurations are trustworthy and legitimate. This Indicator of Exposure lists all federated domains and their relevant attributes to help you make informed decisions about their security status. | Low |
Unverified Domain | Entra ID requires you to confirm ownership of new custom domains. The unverified state should only be temporary: verify or delete each pending domain to keep the list tidy and reviews easy. | Low |
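The table describes what each indicator checks but not how to reproduce the check. The PowerShell below is an added example, not Tenable's own code: `Test-AdIndicators` re-runs five of the Active Directory indicators (KRBTGT password age, native administrative group members with an SPN, orphaned adminCount, never-expiring passwords, dormant users) with the ActiveDirectory module, and `Test-EntraFederation` covers the federation-related indicators (federated domains list, unusual signing certificate validity, unverified domains) with the Microsoft Graph PowerShell SDK. The function names, the thresholds and the protected-group list are assumptions; adjust them to your own policy.

```powershell
# Added example (not Tenable's code). Assumed thresholds and group list; tune to your policy.

function Test-AdIndicators {
    param(
        [int]$KrbtgtMaxAgeDays = 180,   # assumed rotation interval
        [int]$DormantDays      = 90     # assumed dormancy threshold
    )
    Import-Module ActiveDirectory

    # KRBTGT password age: a stale key keeps forged TGTs (golden tickets) valid
    $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    if ($ageDays -gt $KrbtgtMaxAgeDays) {
        Write-Warning "KRBTGT password is $ageDays days old (limit $KrbtgtMaxAgeDays)"
    }

    # Members of the native administrative groups (assumed list of protected groups)
    $adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins',
                   'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
    $privileged = foreach ($g in $adminGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
    }
    $privileged = $privileged | Sort-Object DistinguishedName -Unique

    # Privileged accounts with an SPN: any domain user can request a service ticket
    # encrypted with the account's password hash and crack it offline (Kerberoasting)
    $privileged | Get-ADUser -Properties servicePrincipalName |
        Where-Object { $_.servicePrincipalName } |
        Select-Object SamAccountName, servicePrincipalName

    # adminCount=1 left behind on accounts that are no longer in a protected group
    $privilegedDns = @($privileged.DistinguishedName)
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $_.DistinguishedName -notin $privilegedDns -and $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName, DistinguishedName

    # DONT_EXPIRE_PASSWORD is bit 0x10000 of userAccountControl; the
    # 1.2.840.113556.1.4.803 matching rule performs the bitwise AND server-side
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))' -Properties userAccountControl |
        Select-Object SamAccountName, @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } }

    # Dormant but still enabled users
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($DormantDays)) -UsersOnly |
        Where-Object Enabled |
        Select-Object SamAccountName, LastLogonDate
}

function Test-EntraFederation {
    param([int]$MaxCertValidityDays = 730)   # assumed: longer signing certificates are flagged
    Import-Module Microsoft.Graph.Identity.DirectoryManagement
    Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

    foreach ($domain in Get-MgDomain -All) {
        if (-not $domain.IsVerified) { Write-Warning "Unverified domain: $($domain.Id)" }
        if ($domain.AuthenticationType -ne 'Federated') { continue }

        # Each federated domain carries its IdP issuer, sign-in URLs and the token-signing
        # certificate (base64 DER); decode it to read the validity period
        foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $domain.Id) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                        [Convert]::FromBase64String($fed.SigningCertificate))
            $validityDays = ($cert.NotAfter - $cert.NotBefore).Days
            [pscustomobject]@{
                Domain          = $domain.Id
                IssuerUri       = $fed.IssuerUri
                PassiveSignIn   = $fed.PassiveSignInUri
                CertSubject     = $cert.Subject
                CertValidDays   = $validityDays
                HasNextCert     = [bool]$fed.NextSigningCertificate
                UnusualValidity = $validityDays -gt $MaxCertValidityDays
            }
        }
    }
    Disconnect-MgGraph | Out-Null
}

Test-AdIndicators
Test-EntraFederation | Format-Table -AutoSize
```

Run `Test-AdIndicators` from a domain-joined host with RSAT installed and `Test-EntraFederation` with an account that can consent to `Domain.Read.All`. Compare every federated domain's `IssuerUri` and `PassiveSignIn` against the identity providers you actually operate; an entry you do not recognise, or a signing certificate with a validity far beyond your normal rotation period, is exactly what the Known Federated Domain Backdoor and Unusual Federation Signing Certificate Validity Period indicators are looking for.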