4 reasons to increase the recoverability of Entra ID resources

Let's delve into the often overlooked security implications of managing identity resources through AD and Entra ID, and how to close those gaps with Semperis Disaster Recovery for Entra Tenant (DRET), which we have rebranded and refreshed with expanded capabilities.

1. Entra ID configuration errors cause security problems

As with on-prem AD, Entra ID can be plagued by countless misconfigurations that have accumulated over time and expose organisations to attack. Configurations that deviate from the organisation's policies can have unintended consequences, impact security and user interaction, and even lead to a denial of service. 

In the report 2023 Purple Knight in which users of the Semperis community-driven security assessment tool were surveyed, 55% of organisations reported finding 5 or more security vulnerabilities in their Entra ID environments. These indicators included privileged groups containing a guest account, users or devices that had been inactive for more than 90 days, and multiple indicators related to misconfigured conditional access policies.

2. Entra ID's recycle bin won't save you

While the Entra ID recycle bin can protect against some unfortunate errors, its power is limited. Users, Microsoft 365 groups and applications that have been permanently deleted can be recovered from the recycle bin within 30 days. But many other types of objects are deleted immediately and cannot be restored. 

In one case we are aware of, more than 1,600 service managers were accidentally removed from Entra ID, causing line-of-business applications to go offline. The organisation was forced to manually recreate these applications in Entra ID, and administrators worked around the clock for 28 days to restore all services. Another drawback of the Entra ID recycle bin is that it is only useful in case of deletion: it is useless if objects are modified.

3. Lack of understanding of the shared responsibility model IdP leaves security gaps

As an identity provider (IdP) for Entra ID, Microsoft provides several capabilities to help you prepare for a security incident, such as identity and access management (IAM) functionality, tools for documentation, log availability and consistency, and platform security. If you need to recover from malicious or unintentional changes or deletions, Microsoft also provides time-limited availability of software-deleted resources (the recycle bin) and availability of APIs. 

But to prepare for an incident, as a customer you are responsible for disaster planning, documentation of known-good states, data monitoring and preservation, and operational security. In the event of an attack, you need the ability to restore deleted resources by physical and virtual means, previous configurations and misconfigured resources. Without a proven plan, an attack on Entra ID could leave you scrambling to rebuild these resources, a process that typically takes days or weeks for most organisations.

4. Attackers are targeting Enter ID

The increase in attacks targeting Entra ID should set alarm bells ringing in any organisation with a hybrid identity environment, as is often the case. (According to the Semperis report Evaluating Identity Threat Detection & Response Solutions80% of organisations use a hybrid identity system that encompasses both AD on-prem and Entra ID). As in the case of the infamous Kaseya and SolarWinds breaches, cybercriminals exploit security weaknesses in hybrid identity systems by entering the cloud and moving to the on-premises identity system, or vice versa. 

One of the favourite targets of cyber attackers is the cloud service that organisations tend to adopt first and fastest: Microsoft 365. Researchers at Mandiant reported an increase in incidents involving Microsoft 365 and Entra ID, mostly linked to phishing activities that lured users into sharing their Office 365 credentials. Mandiant researchers also observed attackers using AADInternals, a PowerShell module that allows them to navigate from the on-prem AD environment to Entra ID, where they can create backdoors, steal passwords and establish persistence.

Closing security gaps in cloud identity systems

Building on our strong foundation of providing comprehensive security and recovery solutions for AD, Semperis Disaster Recovery for Entra Tenant (DRET) addresses the obvious security risks we have observed in many hybrid AD environments. DRET picks up where the Entra ID recycle bin leaves off, providing resiliency for critical Entra ID resources and ensuring secure storage and flexible management of your Entra ID data.

Here is a brief overview of how DRET can help you prepare for and recover from malicious or unwanted changes to your tenant Entra ID:

• Recover deleted user objects
• Recover the security groups
• Retrieves conditional access policies
• Enables selective restoration of individual objects
• Mass restoration of multiple objects
• Retain multiple backup versions
• Provides secure storage (SOC 2 Type II compliant and ISO 27001 certified) for Entra ID data with BYOK (Bring Your Own Key) encryption option.
• It offers a choice of Microsoft Azure data centres in the US, EU or Australia.

 

Given the increasing prevalence of attacks on hybrid identity systems, ensuring the recoverability of Entra ID resources is now a priority for many organisations. Disaster Recovery for Entra Tenant helps you accomplish this mission by providing secure and reliable backup and recovery for your critical Entra ID data, eliminating time-consuming storage management hassles and ensuring rapid recovery after an attack.