Microsoft has announced the general availability of new response actions in Microsoft Defender for Identity for on-premises Active Directory accounts, allowing admins to respond when an identity is compromised and to protect identities across cloud and on-premises environments at the same time.
According to Microsoft, the core components of an identity security product should work to prevent malicious actions, detect them, investigate and respond accordingly. Defender for Identity already offered detection, investigation and assessment capabilities, but its response capabilities were focused on Azure Active Directory identities, with the ability to confirm a user as compromised and disable the user's cloud account.
It is difficult to disable the user, mark it as compromised, prompt it for multi-factor authentication or reset the password across both the cloud and on-premises, Microsoft says in a Tech Community blog.
“For example, in order to actually apply a reset password on an Azure Active Directory account, that will sync to Active Directory, one would need to go through a process of enabling the password writeback to on-premise environment,” Microsoft says. “Disabling a user on the Azure Active Directory on the other hand, will be overwritten by the next sync between Active Directory and Azure Active Directory, as the on-premises Active Directory will always have a priority, which cannot be changed.”
With the new capabilities in Microsoft Defender for Identity, admins can temporarily prevent a user from logging into the network, stopping compromised users from moving laterally and exfiltrating data, and can prompt the user to change their password on their next logon to ensure the account can't be used for further malicious activity.
In the blog, Microsoft explains that those actions can be taken from several locations in Microsoft 365 Defender, including from the user page, the user side panel, advanced hunting and as part of an automatic response in custom detections.
However, doing so will require setting up a privileged gMSA account that Defender will use to perform those actions.
“This enriches Microsoft’s XDR experience even further. Empowering security teams to take comprehensive action on all managed identities in Microsoft 365 Defender and being able to link the response actions to detections from other workloads (like endpoint, Office 365 and cloud apps) means that threats can be identified and responded to quicker than ever before,” the company says.