Microsoft Certified Master Sean Metcalf Reveals the Top 3 Fixes to Secure Active Directory

When asked for the highest-impact hardening steps an organization can take with limited resources, Metcalf offered three recommendations.


Modern identity security has shifted dramatically, and according to identity expert Sean Metcalf of TrustedSec, the center of gravity has moved from network perimeters toward tokens, browsers, hybrid identity connectors, and cloud roles. In a wide-ranging conversation, Metcalf unpacked how both Active Directory (AD) and Entra ID continue to expose organizations to unnecessary risk, why configuration drift remains one of the biggest operational challenges, and how IT teams can take practical steps toward Zero Trust.

Metcalf is one of only about 100 Microsoft Certified Masters in Active Directory, and he initially built his reputation by documenting obscure AD attack paths and defensive techniques on adsecurity.org. Although the industry has evolved, he emphasized that many of the same security issues he observed a decade ago are still present in enterprise AD environments today.

“Most of the issues I identified years ago are still issues today,” Metcalf said.

His point is that identity systems have not kept up with attacker tradecraft. Token theft, browser compromise, and hybrid identity misconfigurations have taken center stage in the modern threat landscape, while organizations continue to rely heavily on legacy AD setups that were never designed for today’s level of exposure.

How token theft reshaped identity attacks

Metcalf argued that attackers increasingly focus on harvesting reusable credential artifacts rather than cracking passwords or exploiting domain controllers directly. Primary refresh tokens (PRTs) in Entra ID are especially valuable because they are long-lived; Metcalf put their useful lifetime at up to 90 days. While Microsoft has hardened PRT storage on Windows with keys bound to the Trusted Platform Module (TPM) and protected by Virtualization-Based Security, browser session tokens remain exposed to any attacker who can compromise the endpoint or the browser profile.

“The threat landscape has moved back from the perimeter and even from endpoints to the web browsers people log onto,” Metcalf said.

This shift creates a need for administrative isolation, including separate browsers or dedicated admin servers for managing cloud identity systems. Metcalf warned that even small decisions, like using the same browser to check email and administer Entra ID, increase the risk that session tokens can be lifted and replayed.

The persistent weaknesses inside Active Directory

Many organizations assume that years of incremental hardening have resolved their AD risks. Metcalf’s experience suggests the opposite. He listed common weaknesses seen during TrustedSec assessments, including excessive AD permissions, unsafe group policy objects, legacy service accounts with administrative privileges, weak or unprotected AD backups, and misconfigured Active Directory Certificate Services (AD CS).

In fact, he noted that standing up AD CS with default settings immediately exposes organizations to exploitable conditions.

“I installed it with the default settings and Locksmith identified a security issue right off the bat,” Metcalf said.

Another long-standing problem is a lack of administrative separation. Organizations still fail to use dedicated admin workstations or servers, resulting in privileged credentials being entered into everyday user systems that may already be compromised.

Quick wins for AD hardening

When asked for the highest-impact hardening steps an organization can take with limited resources, Metcalf offered three recommendations:

  1. Isolate AD admin accounts in a top-level OU restricted only to domain admins.
  2. Require AD administrators to use a dedicated admin server, or ideally a privileged access workstation, to prevent credential exposure.
  3. Review all AD admin accounts and service accounts and remove unnecessary privileges.

These measures do not eliminate more complex risks, but they significantly reduce an attacker’s ability to harvest or abuse privileged credentials.
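The first and third quick wins carried out in PowerShell against the RSAT ActiveDirectory module, as an added example that is not code from the article, Metcalf, or TrustedSec. The OU name 'Tier0-Admins', the 90-day staleness threshold, and the choice to report findings rather than remove anything are assumptions made here. The second quick win, a dedicated admin server or privileged access workstation, is an architecture decision rather than a script and is not shown.

```powershell
# Added example, not code from the article, Metcalf or TrustedSec.
# Assumptions: run as a Domain Admin on a domain-joined host with the RSAT
# ActiveDirectory module; the OU name 'Tier0-Admins' and the 90-day staleness
# threshold are illustrative choices, not values from the article.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouName = 'Tier0-Admins'
$ouDN   = "OU=$ouName,$($domain.DistinguishedName)"

# --- Quick win 1: a top-level admin OU that only Domain Admins control -------
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -ProtectedFromAccidentalDeletion $true
}

$acl = Get-Acl -Path "AD:\$ouDN"
# Block inheritance from the domain head and discard the inherited ACEs; that is
# how delegated helpdesk rights on the domain root would otherwise reach admin accounts.
$acl.SetAccessRuleProtection($true, $false)

# Strip the default explicit grants to the operator groups (Account Operators
# S-1-5-32-548, Print Operators S-1-5-32-550), which can create and delete objects
# in a new OU. The Authenticated Users read ACE is kept on purpose: admin accounts
# must still be able to read their own OU chain for Group Policy processing.
$operatorSids = 'S-1-5-32-548', 'S-1-5-32-550'
foreach ($ace in @($acl.Access)) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($sid -in $operatorSids) { $null = $acl.RemoveAccessRule($ace) }
}

function New-FullControlAce([string]$SidString) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
}
$acl.AddAccessRule((New-FullControlAce 'S-1-5-18'))                        # SYSTEM
$acl.AddAccessRule((New-FullControlAce "$($domain.DomainSID.Value)-512"))  # Domain Admins
# In the forest root domain, add Enterprise Admins (RID 519) the same way.
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# --- Quick win 3: review who holds admin rights and flag the usual suspects ----
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$userProps   = 'ServicePrincipalName', 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires'
$staleBefore = (Get-Date).AddDays(-90)

$findings = foreach ($group in $privGroups) {
    # Enterprise/Schema Admins exist only in the forest root; ignore the lookup error elsewhere.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    foreach ($member in $members) {
        $u = Get-ADUser -Identity $member.DistinguishedName -Properties $userProps
        $flags = @()
        if ($u.ServicePrincipalName.Count -gt 0)     { $flags += 'service account (SPN set, Kerberoastable) holds admin rights' }
        if ($u.DistinguishedName -notlike "*,$ouDN") { $flags += 'lives outside the admin OU' }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $staleBefore) { $flags += 'no logon in 90 days' }
        if ($u.PasswordNeverExpires)                 { $flags += 'password never expires' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{ Group = $group; Account = $u.SamAccountName; Enabled = $u.Enabled; Findings = ($flags -join '; ') }
        }
    }
}
$findings | Sort-Object Group, Account | Format-Table -AutoSize
# Each row is a candidate for Remove-ADGroupMember, or for a move into $ouDN, once the
# owner confirms; the script deliberately reports and does not remove anything itself.
```

Run the ACL part once and keep it under change control; the review part is worth scheduling, because the membership of these groups is exactly what drifts between assessments.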

Why Entra ID is a very different animal

Although Entra ID is the renamed Azure AD, its operational model differs substantially from on-premises AD. There is no LDAP, no NTLM, and only limited Kerberos usage. The cloud directory now includes 117 built-in roles, far more than the relatively static set of privileged groups in AD.

Metcalf emphasized that Microsoft manages and updates Entra ID continuously. Conditional Access alone has become so complex that it often requires a dedicated specialist.

“Conditional access is very confusing and it takes just about a full-time person to manage,” Metcalf said.

One of the most common mistakes he sees is well-named Conditional Access policies that do not actually apply to the users they were designed to protect. Administrators often exclude large groups, leave policies in report-only (pilot) mode, or fail to apply them to all users and applications.
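A check for those three gaps (not enforced, narrowly scoped, or riddled with exclusions), as an added example that is not code from the article or from Microsoft. It assumes the Microsoft.Graph.Identity.SignIns module is installed and Connect-MgGraph has been run with the Policy.Read.All scope before the live call at the end; the two policies built inline, including their GUID, are constructed samples so the function can be exercised offline.

```powershell
# Added example, not code from the article or from Microsoft. Assumptions: the
# Microsoft.Graph.Identity.SignIns module is installed and Connect-MgGraph -Scopes
# 'Policy.Read.All' has been run before the live call at the bottom; the policies
# built inline are constructed samples for offline use, GUID included.
function Test-CaPolicyCoverage {
    param([Parameter(Mandatory)][object[]]$Policies)
    foreach ($p in $Policies) {
        $users = $p.Conditions.Users
        $gaps  = @()
        # A policy only counts once its state is 'enabled'; report-only and disabled
        # policies are the "pilot" that never graduated.
        if ($p.State -ne 'enabled') { $gaps += "not enforced (state=$($p.State))" }
        # A baseline policy should target 'All' users; narrower scopes are legitimate
        # for role-specific policies but deserve a second look.
        if (@($users.IncludeUsers) -notcontains 'All') { $gaps += 'targets a subset of users' }
        $excluded = @($users.ExcludeUsers, $users.ExcludeGroups, $users.ExcludeRoles |
                      ForEach-Object { $_ } | Where-Object { $_ })
        if ($excluded.Count -gt 0) { $gaps += "excludes $($excluded.Count) user/group/role object(s)" }
        if (@($p.Conditions.Applications.IncludeApplications) -notcontains 'All') { $gaps += 'does not cover all cloud apps' }
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Gaps = ($gaps -join '; ') }
    }
}

# Constructed sample policies shaped like Get-MgIdentityConditionalAccessPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName = 'CA001 - Require MFA for all users'
        State       = 'enabledForReportingButNotEnforced'      # left in report-only
        Conditions  = [pscustomobject]@{
            Users        = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeUsers = @()
                                              ExcludeGroups = @('11111111-1111-1111-1111-111111111111'); ExcludeRoles = @() }
            Applications = [pscustomobject]@{ IncludeApplications = @('All') }
        }
    },
    [pscustomobject]@{
        DisplayName = 'CA002 - Block legacy authentication'
        State       = 'enabled'
        Conditions  = [pscustomobject]@{
            Users        = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeUsers = @(); ExcludeGroups = @(); ExcludeRoles = @() }
            Applications = [pscustomobject]@{ IncludeApplications = @('All') }
        }
    }
)
Test-CaPolicyCoverage -Policies $samplePolicies | Format-Table -AutoSize
# Against the tenant:
# Test-CaPolicyCoverage -Policies (Get-MgIdentityConditionalAccessPolicy -All) | Format-Table -AutoSize
```

The function reports rather than judges: an exclusion for a break-glass group is expected, but every exclusion should be one someone can name and defend.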

Hybrid identity and new attack paths

Connecting AD to Entra ID introduces its own risks. The server running Entra Connect Sync (formerly Azure AD Connect), together with the authentication agents that accompany it, has become a major target: its sync account holds replication rights over the domain, the pass-through authentication (PTA) agent sees users' passwords in cleartext as it validates them, and Seamless single sign-on rests on an AD computer account whose Kerberos key allows users to be impersonated.

“If an attacker compromises the pass-through agent, they can pull cleartext credentials out of it,” Metcalf said.

These hybrid systems must be isolated and monitored as closely as domain controllers, with their own protected OUs and locked-down Group Policies.
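An inventory of that hybrid footprint in PowerShell, as an added example that is not code from the article or TrustedSec, so the components can be isolated and monitored like domain controllers. It assumes an account that can read the domain head's ACL and a host with the RSAT ActiveDirectory module; the 30-day key age threshold follows Microsoft's published rollover guidance for Seamless SSO.

```powershell
# Added example, not code from the article or TrustedSec. Assumptions: run with an
# account that can read the domain head ACL, on a host with the RSAT ActiveDirectory
# module; the 30-day key age threshold is Microsoft's published rollover guidance.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Connector accounts. Entra Connect Sync creates MSOL_<installation id> accounts whose
#    Description names the server that installed them: the box to treat like a DC.
$connectors = Get-ADUser -Filter "SamAccountName -like 'MSOL_*'" -Properties Description, PasswordLastSet, LastLogonDate |
    ForEach-Object {
        $server = if ($_.Description -match 'running on computer (\S+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            ConnectServer   = $server
            PasswordLastSet = $_.PasswordLastSet
            LastLogon       = $_.LastLogonDate
            OU              = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
        }
    }
$connectors | Format-Table -AutoSize

# 2. Who can replicate secrets out of the domain (DCSync). The connector account needs both
#    rights for password hash sync; anything beyond DCs, Administrators and that account is a finding.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
(Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in $getChanges, $getChangesAll } |
    Group-Object IdentityReference |
    ForEach-Object {
        [pscustomobject]@{
            Principal     = $_.Name
            GetChanges    = [bool]($_.Group | Where-Object ObjectType -eq $getChanges)
            GetChangesAll = [bool]($_.Group | Where-Object ObjectType -eq $getChangesAll)
        }
    } | Format-Table -AutoSize

# 3. Seamless SSO. The AZUREADSSOACC computer account key is what an attacker would use
#    to impersonate users; Microsoft's guidance is to roll it at least every 30 days.
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
if ($sso) {
    $age = (New-TimeSpan -Start $sso.PasswordLastSet -End (Get-Date)).Days
    "AZUREADSSOACC key age: $age days$(if ($age -gt 30) { '  <-- roll the Kerberos decryption key' })"
}
```

The server named in step 1 and any host running a PTA agent belong in a protected OU with their own Group Policy, and the principals listed in step 2 are the set whose membership a detection rule should alert on when it changes.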

Zero Trust, still a long journey

Metcalf recommends organizations begin Zero Trust efforts by mapping authentication flows from endpoints to cloud resources. This includes inventorying devices, identifying federation components, and understanding where certificates or mobile device management influence authentication.

He said no customer has fully reached the end of a Zero Trust journey, but cleanup and visibility are always the first steps. That includes knowing what assets exist, how authentication paths work, and which legacy configurations must be eliminated before enforcing stricter policies.

AI’s real role in identity security

AI is not a magic solution for detecting attacks or securing identity systems. Metcalf pointed to an MIT study reporting that 95 percent of organizations saw no benefit from early generative AI adoption.

“AI is being jammed into tools without really thinking about what it is for or how it can help,” Metcalf said.

He sees AI as a productivity booster rather than an autonomous security engine: summarizing documentation, assisting with query generation, and speeding up analysis.

Conclusion

Identity security continues to evolve, but the fundamentals remain the same. Organizations must isolate administrative access, eliminate unnecessary privileges, and monitor their environments for drift. AD can be secured when IT operations and security teams share priorities, while Entra ID introduces new complexity that requires focused expertise.

Hybrid identity creates powerful attack paths that demand careful protection, and Zero Trust remains an ongoing process anchored in visibility and disciplined configuration. AI may assist with efficiency, but it will not replace the foundational work required to secure identity systems.