Talk: Microsoft Entra ID – Attack Surface
At the beginning of 2023, we transitioned from an on-prem Active Directory to the cloud Azure Active Directory (now Microsoft Entra ID). The why and the how I discussed in the article “Transitioning to Azure Active Directory”.
Currently, only one domain controller and two terminal servers remain from the on-prem AD. I plan to replace them by the end of the year with Windows 365 Enterprise (Cloud PC), which is available to us through our Microsoft partnership.
However, to avoid misunderstandings: the goal is not to get rid of everything on-prem, only Active Directory (and to replace it with Entra ID, Intune, and Defender). On the contrary, we expanded on-prem with three new physical servers. We will continue to operate a number of services ourselves: the Veeam Cloud Connect infrastructure (immutable backups), the ESET infrastructure, FortiAnalyzer, FortiEMS, log management, and others. It is still more advantageous for us to run these ourselves.
Why Focus on Microsoft Entra ID?
In my opinion, Entra ID will become the next technology in which attackers make life hard for defenders (as Active Directory already is, with lateral movement), because Entra ID is:
- CRITICAL: Compromising Entra ID will result in taking control of corporate devices and data.
- WIDESPREAD: Everyone who has any Office/Microsoft 365 service also has their Entra ID. Without exaggeration, it can be said that (with a few exceptions) it is every company.
- COMPLEX: It is as extensive a technology as the original Active Directory.
- UNDERESTIMATED (BY DEFENDERS): There aren’t enough people who understand it deeply.
I spent the whole summer studying it and preparing internal training. Out of that study came three training sessions:
- Entra ID: Attack Surface
- Entra ID: Lateral movement and persistence
- Entra ID: Defense
I would like to share them with you one at a time. Today I am sharing the first one, which deals with the “initial access” phase, i.e., the vectors (paths) of initial compromise. Hopefully you will like it. 😊 (slides)
May your networks stay secure,
Martin