
Protect and Detect: Microsoft Defender for Identity Expands to Entra Connect Server

by info.odysseyx@gmail.com


We are excited to announce the new Microsoft Defender for Identity sensor for Entra Connect servers. This addition is a significant step in our ongoing efforts to extend the reach of Defender for Identity across hybrid identity environments. It reinforces our vision of overseeing and protecting the entire identity fabric, significantly enhancing SOC visibility and protection capabilities for these complex environments.

Identity is one of the most targeted attack vectors, and attackers continually adapt their techniques to exploit new vulnerabilities or gaps in protection. Many organizations today run a hybrid identity environment, deploying Microsoft Entra ID in the cloud alongside an on-premises Active Directory footprint. The seam between these two elements gives bad actors ample opportunity, and the Entra Connect server, the primary bridge between them, should be treated as a Tier 0 asset: whoever controls it can influence identities on both sides.

To stay ahead of emerging threats and provide robust security solutions, our team continually evolves and updates our products. The primary goal of this new sensor is to help customers more effectively prevent, detect and remediate the credential theft and privilege escalation attacks commonly launched against Entra Connect.

What is Entra Connect? What security value does the new sensor provide?

Microsoft Entra Connect (formerly known as Azure AD Connect or AAD Connect) is the Microsoft service that synchronizes an on-premises Active Directory environment with Microsoft Entra ID (formerly known as Azure Active Directory). Entra Connect creates a common identity for each user, simplifying identity management and providing single sign-on across on-premises and cloud resources. This synchronization is essential to maintaining consistent and secure access across both platforms.

The new Microsoft Defender for Identity sensor for Entra Connect servers comprehensively monitors sync activities between Entra Connect and Active Directory, providing critical insights into potential security threats and anomalous activity. With this enhanced visibility in hybrid identity environments, Defender for Identity can now provide new Entra Connect-specific security alerts and posture recommendations, as detailed below.

Entra Connect sensor on the ID settings page

New Detections (Public Preview):

Suspicious interactive logon to the Entra Connect server:

Interactive logons directly to an Entra Connect server are highly unusual and potentially malicious: attackers target these servers to steal credentials that grant broader network access. Microsoft Defender for Identity now detects unusual logons to Entra Connect servers, helping you identify and respond to these potential threats more quickly. The detection is particularly relevant when the Entra Connect server is a standalone server rather than a domain controller.

  • Prerequisite: ensure that logon success auditing (Security event 4624) is enabled on the Entra Connect server, otherwise the sensor has no logon events to evaluate. This step is only required if the Entra Connect server is not acting as a domain controller.
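One way to satisfy the 4624 prerequisite and see the raw material the detection works from, as an added example that is not part of the original post and is not Defender for Identity's own logic: run the following from an elevated PowerShell session on the Entra Connect server itself. The seven-day window and the logon types treated as interactive (2 console, 10 RDP, 11 cached) are assumptions made here, not values from the post.

```powershell
# Added example, not from the original post: verify that 4624 is being written on a
# standalone (non-DC) Entra Connect server and review recent interactive logons.
# Assumes an elevated session on the Entra Connect server.

# 1. Security event 4624 is only generated when the Logon subcategory audits successes.
#    auditpol /r emits CSV; the first line of output is blank, so drop empty lines first.
$logonAudit = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$setting = $logonAudit.'Inclusion Setting'
if ($setting -notmatch 'Success') {
    Write-Warning "Logon auditing is '$setting'; 4624 will not be generated. Enabling success auditing."
    auditpol /set /subcategory:"Logon" /success:enable | Out-Null
}

# 2. Pull the last 7 days of 4624 events and keep only interactive logons by human accounts.
#    LogonType 2 = console, 10 = RemoteInteractive (RDP), 11 = cached interactive (assumption:
#    these are the types worth reviewing here). Service (5) and network (3) logons by the
#    sync engine itself are expected noise and are excluded.
$interactiveTypes = '2', '10', '11'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Read the EventData fields by name rather than by positional index.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    # Skip computer accounts (names ending in $); they are not people at a console.
    if ($data.LogonType -in $interactiveTypes -and $data.TargetUserName -notmatch '\$$') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType
            SourceIp    = $data.IpAddress
            Workstation = $data.WorkstationName
        }
    }
}

# On a Tier 0 server this list should be short and every row should match a change record.
$logons | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the server receives its audit settings from Group Policy, set "Audit Logon" under Advanced Audit Policy Configuration > Logon/Logoff in the GPO instead of relying on the local auditpol change, which the next policy refresh would otherwise revert.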

User password reset by the Entra Connect account:
Entra Connect connector accounts are typically highly privileged, including the ability to reset user passwords. Microsoft Defender for Identity now provides visibility into these actions and alerts when such a reset is identified as malicious or unauthorized. This alert is triggered only when the password writeback feature is disabled, since with writeback enabled the connector account resets passwords as part of normal operation.

Suspicious writeback by Entra Connect on a sensitive user:

While Entra Connect already prevents writeback to users in privileged groups, Microsoft Defender for Identity extends this protection by recognizing additional types of sensitive accounts. This enhanced detection helps prevent unauthorized password resets on critical accounts, a key step in advanced attacks that span both cloud and on-premises environments.

Additional improvements and features:

  • New activity: Password reset failed on a sensitive account, available in the IdentityDirectoryEvents table in Advanced Hunting. This lets you track failed password reset attempts and build custom detections on that data.
  • Improved accuracy of the DC Synchronization (DCSync) attack detection.
  • New health alert when the sensor cannot retrieve its configuration from the Entra Connect service.
  • Expanded coverage of existing security alerts, such as the PowerShell remote execution detector, now that the sensor runs on your Entra Connect server.

New detailed recommendations from Microsoft Secure Score (Identity Security Assessment):

Change the password of your Entra Connect connector account:
A compromised Entra Connect connector account (the AD DS connector account, typically named MSOL_XXXXXXXX) grants access to highly privileged functions such as directory replication and password reset. That gives an attacker several paths to tamper with synchronization settings, compromise security across both the cloud and on-premises environments, and potentially take over the entire domain. For this assessment, we recommend that customers rotate the password of any MSOL account whose password was last set more than 90 days ago.

Remove unnecessary replication permissions from your Entra Connect account:
By default, the Entra Connect connector account is granted extensive permissions so that synchronization works in every configuration, including the directory replication rights (Replicating Directory Changes and Replicating Directory Changes All) that Password Hash Sync uses to read password hashes. These are the same rights a DCSync attack abuses. If Password Hash Sync is not configured, remove these unnecessary permissions to reduce the potential attack surface.

Change the password of your Entra Seamless SSO computer account:
This assessment lists every Seamless SSO computer account whose password was last set more than 90 days ago. Unlike ordinary computer accounts, the AZUREADSSOACC computer account's password is not rotated automatically every 30 days. An attacker who compromises this account can forge service tickets for AZUREADSSOACC on behalf of any user and impersonate every user in the Entra tenant that is synchronized from Active Directory, moving laterally from Active Directory into Entra ID.

Remove Resource-Based Constrained Delegation from Entra Seamless SSO accounts:
When Resource-Based Constrained Delegation is configured on the AZUREADSSOACC computer account, any principal granted that delegation can obtain service tickets to AZUREADSSOACC on behalf of arbitrary users and impersonate every user in the Entra tenant that is synchronized from Active Directory.

To receive all of the new recommendations, you must install the sensor on the server running the Entra Connect service.
Recommendations related to Entra Seamless SSO accounts are only available if Defender for Identity can detect these computer accounts, while recommendations related to connector accounts are only available once the sensor is confirmed to be retrieving configuration data from the Entra Connect service.
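The four assessments above map to attributes that can be read directly from Active Directory, so they can be checked (and remediation verified) without waiting for the next Secure Score refresh. The script below is an added example, not code from the post or from Defender for Identity. It assumes the RSAT ActiveDirectory module, read access to the domain, the default account names given above (an MSOL_* connector account and the AZUREADSSOACC computer account) and the 90-day threshold the assessments use.

```powershell
# Added example, not from the original post: check the four Entra Connect / Seamless SSO
# assessments against Active Directory. Assumes the RSAT ActiveDirectory module, domain read
# access, default account names (MSOL_* connector, AZUREADSSOACC) and a 90-day threshold.
Import-Module ActiveDirectory
$maxAge   = (Get-Date).AddDays(-90)
$domain   = Get-ADDomain
$findings = @()

# 1. Connector account password age: PasswordLastSet older than 90 days is a finding.
$connectors = Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties PasswordLastSet
foreach ($acct in $connectors) {
    if ($acct.PasswordLastSet -lt $maxAge) {
        $findings += "Rotate password: $($acct.SamAccountName) last set $($acct.PasswordLastSet)"
    }
}

# 2. Replication rights on the domain head. Password Hash Sync needs DS-Replication-Get-Changes
#    and DS-Replication-Get-Changes-All; without PHS they are only a ready-made DCSync primitive.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
foreach ($acct in $connectors) {
    $replAces = $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$($acct.SamAccountName)" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -in @($getChanges, $getChangesAll)
    }
    foreach ($ace in $replAces) {
        $right = if ($ace.ObjectType -eq $getChangesAll) { 'Replicating Directory Changes All' }
                 else { 'Replicating Directory Changes' }
        $findings += "Review replication right: $($acct.SamAccountName) holds '$right' on $($domain.DistinguishedName) (remove if Password Hash Sync is not configured)"
    }
}

# 3. Seamless SSO computer account password age. This account is never rotated automatically,
#    so a stale password is a long-lived key for forging service tickets to it.
$sso = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -Properties PasswordLastSet, PrincipalsAllowedToDelegateToAccount
if ($sso) {
    if ($sso.PasswordLastSet -lt $maxAge) {
        $findings += "Roll over Kerberos decryption key: AZUREADSSOACC password last set $($sso.PasswordLastSet)"
    }

    # 4. Resource-based constrained delegation. Any principal listed here can obtain service
    #    tickets to AZUREADSSOACC as arbitrary users; the list should be empty.
    foreach ($principal in $sso.PrincipalsAllowedToDelegateToAccount) {
        $findings += "Remove RBCD: $principal may act on behalf of other identities to AZUREADSSOACC"
    }
} else {
    Write-Host 'No AZUREADSSOACC account found; Seamless SSO checks skipped.'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No Entra Connect / Seamless SSO findings.' }
```

Two points on remediation: the AZUREADSSOACC password is the Kerberos decryption key that Entra ID holds, so roll it over with the Seamless SSO PowerShell module (Update-AzureADSSOForest) as Microsoft documents rather than resetting the computer account directly, or Seamless SSO will break; and the MSOL account password should likewise be changed through the Entra Connect wizard or its Synchronization Service so the sync engine keeps a working credential.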

New Entra Connect recommendations in Microsoft Secure Score

As cyber threats become more sophisticated, the need for advanced security solutions is more pressing than ever. The new sensor for Entra Connect Server within Microsoft Defender for Identity represents a significant step forward in protecting and detecting threats within the identity fabric. By adopting this powerful tool, organizations can strengthen their security posture, protect their identity infrastructure, and maintain user trust.

We strongly recommend that customers install sensors on all domain controllers and on all AD CS, AD FS and Entra Connect servers. In the coming weeks, our team will be looking more closely at further improvements to Entra Connect support to help organizations better maintain security and protection.

Learn more about the new sensor in the documentation. Stay tuned for more updates and insights on how MDI is innovating in the cybersecurity space to help your organization stay safe in an ever-changing digital world.




