Key Takeaways:
Microsoft has released a new Defender for Identity sensor tailored for Entra Connect servers, enhancing security measures against credential theft and privilege escalation. This new offering provides organizations with advanced tools to monitor, detect, and respond to potential security threats.
Microsoft Entra Connect is a tool that enables organizations to link their on-premises directories with Entra ID (previously Azure Active Directory). It offers single sign-on capabilities, allowing seamless access to both on-premises and cloud resources. Entra Connect supports multiple sign-in methods, including pass-through authentication, password synchronization, and integration with third-party identity providers.
“The new Microsoft Defender for Identity sensor for Entra Connect servers provides comprehensive monitoring of synchronization activities between Entra Connect and Active Directory, offering crucial insights into potential security threats and unusual activities,” Microsoft explained.
Microsoft Defender for Identity now offers new security alerts and posture recommendations for Entra Connect. A new detection surfaces unusual or suspicious login attempts on Entra Connect servers, which makes it easier to respond to threats such as credential theft. Defender for Identity can also alert when the permissions held by these accounts are used in unauthorized or harmful ways.
Additionally, Microsoft Defender for Identity detects suspicious writeback activities by Entra Connect on sensitive user accounts. Writeback refers to the process of syncing changes made in the cloud back to the on-premises Active Directory. This security feature helps prevent unauthorized password resets on critical accounts.
Microsoft has added new posture recommendations to Microsoft Secure Score, including rotating the password of the Entra seamless SSO account and removing resource-based constrained delegation configured on these accounts. Other recommendations include rotating the password of the Entra Connect connector account and removing permissions that account does not need.
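The recommendations above are all conditions an administrator can read back out of Active Directory before (or instead of) waiting for Secure Score to flag them. The following read-only PowerShell check is an added example, not code from the article or from Microsoft's tooling. It assumes the seamless SSO computer account uses its default name AZUREADSSOACC, that the connector account follows the default MSOL_<id> naming, that the RSAT ActiveDirectory module is installed, and it uses a locally chosen 30-day maximum password age; adjust those values to your environment.

```powershell
# Added posture check, not part of the article or of Microsoft's tooling.
# It reads the conditions the Secure Score recommendations target and prints
# findings; it changes nothing in the directory.
#
# Assumptions (not from the article):
#   - The seamless SSO computer account uses its default name, AZUREADSSOACC.
#   - The Entra Connect connector account follows the default MSOL_<id> naming.
#   - 30 days is a locally chosen maximum password age for both accounts.
#   - The RSAT ActiveDirectory module is available and the caller can read AD.
Import-Module ActiveDirectory

$SsoAccountName      = 'AZUREADSSOACC'
$ConnectorNameFilter = 'MSOL_*'
$MaxPasswordAgeDays  = 30
$PrivilegedGroups    = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')

$findings = New-Object System.Collections.Generic.List[string]

# --- Seamless SSO account: password age and resource-based constrained delegation ---
$sso = Get-ADComputer -Identity $SsoAccountName `
    -Properties PasswordLastSet, PrincipalsAllowedToDelegateToAccount -ErrorAction Stop

if ($sso.PasswordLastSet) {
    $ssoAge = (Get-Date) - $sso.PasswordLastSet
    if ($ssoAge.TotalDays -gt $MaxPasswordAgeDays) {
        $findings.Add("$($sso.Name): password is $([int]$ssoAge.TotalDays) days old (limit $MaxPasswordAgeDays); roll over the Kerberos decryption key.")
    }
}

# Any principal listed here may obtain service tickets to this account through
# RBCD, which is what the recommendation says to remove.
if ($sso.PrincipalsAllowedToDelegateToAccount.Count -gt 0) {
    $delegators = ($sso.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.ToString() }) -join '; '
    $findings.Add("$($sso.Name): resource-based constrained delegation is configured for: $delegators")
}

# --- Connector account(s): password age and privileged group membership ---
$connectors = @(Get-ADUser -Filter "Name -like '$ConnectorNameFilter'" -Properties PasswordLastSet)
if ($connectors.Count -eq 0) {
    $findings.Add("No account matching '$ConnectorNameFilter' found; the connector account may use a custom name (adjust the filter).")
}
foreach ($acct in $connectors) {
    if ($acct.PasswordLastSet) {
        $age = (Get-Date) - $acct.PasswordLastSet
        if ($age.TotalDays -gt $MaxPasswordAgeDays) {
            $findings.Add("$($acct.SamAccountName): password is $([int]$age.TotalDays) days old (limit $MaxPasswordAgeDays).")
        }
    }
    # Membership in built-in privileged groups is more than directory sync needs.
    $groups = Get-ADPrincipalGroupMembership -Identity $acct | Select-Object -ExpandProperty Name
    $hits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
    if ($hits.Count -gt 0) {
        $findings.Add("$($acct.SamAccountName): member of privileged group(s): $($hits -join ', ')")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: SSO and connector accounts meet the checked conditions.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a domain-joined host with read access to the directory; it only queries attributes and group membership, so it is safe to schedule as a recurring check. The group list covers the built-in groups that grant broad control; extend it with any custom high-privilege groups in your forest, and treat a non-empty delegation list on the SSO account as a finding to investigate rather than something the script should silently clear.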
Microsoft says these new recommendations require customers to install a Microsoft Defender for Identity sensor on servers running Entra Connect services. If you’re interested, you can learn more about the new sensor on this support page.