Securing Hybrid Identity

Uploaded on 2022-09-14 in TECHNOLOGY--Resilience, FREE TO VIEW

Identity is the new security perimeter. Any breach in this perimeter can enable malicious users to gain access to your apps, your data, and your business operations. For organisations that rely on Azure Active Directory  or a hybrid environment of Azure AD and on-premises Active Directory to provide identity services, securing hybrid identity can be a complex and time-consuming task. Yet it’s one that’s absolutely vital. 

Hybrid environments, especially, are prone to errors and misconfigurations that leave the door wide open to cyber attacks. And by compromising your on-prem Active Directory, attackers can extend their dirty work into Azure AD or vice versa. The SolarWinds attack is a prime example of this type of strategy. 

The challenges of securing hybrid identities are quite different from those found in purely on-premises environments. If your infrastructure includes Azure AD - and if your organisation uses Microsoft Office 365, it does - here are the top issues to guard against. 

Lateral Attacks From Within On-Premises AD 

Cyber criminals often use phishing and social engineering attacks to target vulnerable users and trick them into disclosing sensitive information, including identity credentials. The SolarWinds and Colonial Pipeline attacks illustrate the risk. The threat actors in these cyberattacks gained dominance over on-premises AD, compromised the ADFS federation to forge SAML tokens, and gained access to Azure AD. 

What You Can Do To Thwart Attackers When Securing Hybrid Identity 

First and most obvious, enforce MFA. Stolen identity credentials are one of cyber attackers’ most dangerous tools, and the use of those credentials can go undetected for long periods. Not all monitoring systems flag unusual account activity, so this additional layer of protection is important. 

Second, understand that modern hybrid identity management calls for additional security controls beyond those available in a traditional ADFS deployment. Maintaining the necessary infrastructure to host ADFS carries its own risks, including missed patches, outdated hardware, and so on. 

Instead, consider AD Pass-through Authentication, which enables use of the same password to log in to both on-premises and cloud applications. This approach uses an outbound-only connection model and certificate-based authentication to delegate the authentication process to the on-premises Active Directory, providing a more secure alternative to ADFS. You can also integrate AD Pass-through Authentication with other Azure AD security measures to guard against infiltrations and credential thefts. And you can synchronize AD password hashes to Azure AD. 

You might also consider Azure AD Application Proxy, which uses Azure AD credentials to configure secure remote access to applications hosted on-premises and provides the same user experience as any Azure AD-integrated application. 

Configuration Creep & Complexity 

Hybrid identity protection complicates your job—whether you’re an AD admin, an identity pro, or a security expert. Threats are continually evolving and locking down access to your Tier 0 assets—including AD and Azure AD—is a time-consuming chore. But neglect it, and you can easily find yourself spending that time scrambling to recover AD from a cyberattack. 

Using Azure AD for third-party application authentication adds complexity to the security model. In some cases, these apps can read and store data from Azure AD, extending your risk perimeter and leaving data security dependent on the third-party application with which Azure AD integrates. 

Another possible weak spot is the level of permissions given to applications in Azure AD. If you don’t carefully review permission settings before granting access, these apps might end up with more permissions in Azure AD than they require. This potential oversight adds to the risk of applications making changes in the AD tenant. And security measures like MFA might not work for some apps, making them dependent on whatever security controls the app can provide. 

What You Can Do To Tighten Access 

These potential security gap calls for strict governance and periodic audits of app permissions to understand where to implement additional restrictions. Tie up any loose ends and ensure that you have the right set of roles enabled in Azure AD, audit app permission settings and tighten app security configurations, and add guardrails such as MFA. 

Also, evaluate the way you manage RBAC. The assignment of roles in Azure AD differs from traditional AD access management, so carefully consider how roles are defined and permissions granted. 

Following the principle of least privilege is important when securing hybrid identity. Don’t add accounts that you synchronised from on-prem AD to Azure AD into a privileged RBAC role such as Global Administrators. Reserve those highly privileged roles for native Azure AD accounts. You can also create Administrative Units in your Azure AD tenant. This capability enables you to restrict the objects that IT team members can manage via a specific RBAC role, further supporting least privilege. 

Misconfigurations & Other Security Vulnerabilities 

Misconfigurations and security vulnerabilities associated with your identity management solution provide access points for cyber attackers. Azure AD consists of managed services; Microsoft manages the security of its underlying infrastructure in the cloud. But the security of your data and Azure AD configuration is your responsibility. 

During a cyberattack, attackers can alter or wipe out users, groups, roles, conditional access policies, and so on. Unless you have a proper recovery plan, you could be looking at a devastating and long-lasting impact. There are few native controls to protect data or configurations in Azure AD from being overwritten during an attack. 
What you can do to make securing hybrid identity less complicated 

The Azure AD recycle bin provides a soft delete feature that can help you restore deleted users. However, this feature has minimal capabilities to restore anything beyond a 30-day window. 

Other forms of compromise can be difficult to detect and mitigate, especially if attackers move laterally from on-prem AD to the cloud. In addition to native security measures, IT leaders should explore tools with advanced capabilities to help you track attacks that could extend laterally across hybrid environments. change-tracking and auto-remediation features can protect against stolen credentials and malicious insiders. Always have a proactive, tested recovery plan for Active Directory and Azure AD. 

Guido Grillenmeier is Chief Technologist at Semperis  

You Might Also Read: 

Detecting & Mitigating Cyber Attacks:

 

« India's Health Systems Are A Top Target
NATO Secrets Found For Sale On The Dark Web »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

SecureAuth

SecureAuth

SecureAuth delivers cutting edge identity and information security solutions for cloud, mobile, web, and VPN systems.

PortSwigger

PortSwigger

PortSwigger's Burp Suite is an integrated platform for performing security testing of web applications.

Ericsson

Ericsson

Ericsson is a leading provider of telecommunications services and network infrastructure solutions including all aspects of network security.

AET Europe

AET Europe

AET Europe is specialised in creating technological solutions for user identification and authentication.

National Information Technology Development Agency (NITDA) - Nigeria

National Information Technology Development Agency (NITDA) - Nigeria

The National Information Technology Development Agency (NITDA) is committed to implementing the Nigerian National Information Technology Policy.

cPacket Networks

cPacket Networks

cPacket’s distributed intelligence enables network operators to proactively identify imminent issues before they negatively impact end-users.

IUCC Cyber Unit - Israel

IUCC Cyber Unit - Israel

IUCC Cyber Unit safeguards Israel’s National Research & Education Network (NREN).

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Injazat

Injazat

Injazat Data Systems is an industry recognized market leader in the Gulf region for Information Technology, Data Center and Managed Services.

C2SEC

C2SEC

C2Sec provides an innovative analytics platform that assesses and quantifies cyber risks in financial terms based on combining patented big data, AI, and cybersecurity technologies.

Acmetek Global Solutions

Acmetek Global Solutions

Acmetek is a Global Distributor and a Trusted Advisor of PKI /IOT & SSL Security Products and a Managed Services Company.

Lancera

Lancera

Lancera provides growth accelerating Software Development, Web Presence and Cybersecurity Solutions with a focus on customer happiness.

European Data Protection Supervisor (EDPS)

European Data Protection Supervisor (EDPS)

The EDPS is the European Union’s independent data protection authority. We monitor and ensure the protection of personal data and privacy when EU institutions and bodies process personal information.

Rebellion Defense

Rebellion Defense

Rebellion Defense is a technology company developing advanced software to ensure mission-critical organizations stay ahead of emerging threats.

NOYB

NOYB

NOYB is a non-profit organization aiming to close the gap between privacy laws and the reality of corporate practice.

Cyberr

Cyberr

We’re transforming cybersecurity recruitment with Cyberr Intelligence – the AI-driven platform that connects top cybersecurity talent, both freelance and permanent, with leading employers worldwide.