Microsoft observed a surge in cyberattacks targeting identities in 2023, with attempted password-based attacks increasing by more than tenfold in the first quarter of 2023 compared to the same period in 2022. Threat actors leverage compromised identities to achieve a significant level of access to target networks. The compromise of an identity, under certain circumstances, could enable threat actors to compromise the identity platform instance and could lead to additional malicious attacks, or even tenant destruction. Microsoft Incident Response (IR) is often engaged in cases where organizations have lost control of their Microsoft Entra ID (previously Azure Active Directory) tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient protection for identities. The team has observed common misconfigurations for both Microsoft Entra ID and on-premises Active Directory across various industry verticals. While Microsoft Entra ID differs from on-premises Active Directory in how it functions and how it is architected, similar high-level incident response and hardening principles can be applied to both. Concepts such as administrative least privilege, regularly reviewing access and application permissions and reviewing activity are important to secure both Active Directory and Microsoft Entra ID. Microsoft IR engages with hundreds of customers each year, including many of the largest organizations worldwide. These…Read More