Secure Score Recommendations from Microsoft Defender are now available in Entra Recommendations.
Last year, we added new security signals to Entra Recommendations to help strengthen your organization’s security posture and offer actionable insights to help identify and effectively mitigate risks. The primary objective of Microsoft Entra recommendations is to serve as a trusted advisor for enhancing security posture, especially as cybersecurity threats become more refined with new AI and agentic scenarios. We also aim to combine best practices and industry standards across a range of Microsoft Security offerings to assist in securing your organization on a single platform, while still improving employee productivity and enabling Zero Trust.
Posture is a critical first step in any successful Identity Threat Detection and Response (ITDR) practice. By combining best practices from identity and access management with additional security signals from Defender, Microsoft helps our customers continuously strengthen their security posture through a seamless feedback loop. As the security landscape evolves, we are bringing more visibility into your organization’s security posture through the addition of Identity Secure Score recommendations from Microsoft Defender for Identity, which are now in public preview. These recommendations are not only focused on helping you prevent, detect, and respond to identity-based cyberattacks, but also drive visibility and alignment across identity and security teams.
To find your new Identity Secure Score Recommendations, go to the Microsoft Entra Admin Center and navigate to Overview > Recommendations.
Here, you will see the new security controls, which cover scenarios ranging from agentic AI to network access and identity threat detection and response.
Below are the latest Identity Secure Score Recommendations and their details:
- Edit misconfigured enrollment agent certificate template – Enrollment agent certificates can authenticate as IT Admin and request a certificate on behalf of a user. If your tenant has a permissive template combined with another that supports agent enrollment, attackers can exploit this to issue certificates for any user in a domain – including privileged accounts. We recommend modifying this to prevent lateral movement across your environment.
- Remove unsafe permissions on sensitive Entra Connect accounts - On-prem and cloud identity systems are critical to hybrid identity. If they have unsafe permissions, attackers could exploit them to take over your environment, which makes them high-value targets.
- Reversible passwords found in GPOs - If your organization ever used Group Policy Preferences (GPP) to deploy credentials, there’s a chance those passwords are still inside a system volume (SYSVOL) folder. Even though Microsoft disabled this feature in MS14-025, the leftover XML files can still be accessed and decrypted by any domain user using a publicly available Advanced Encryption Standard (AES) key. These files are a low-effort, high-reward target for attackers looking to exploit your environment so we recommend removing these.
- Stop clear text credentials exposure - Entities exposing credentials in clear text increase risk as unsecure traffic, such as Lightweight Directory Access Protocol (LDAP) simple-bind, is highly susceptible to interception. Attackers can then engage in malicious activities like stealing credentials. Through a security assessment, Microsoft Defender for Identity detects credentials being exposed in clear text through network traffic and event monitoring.
- Remove dormant accounts from sensitive groups - An easy and quiet path deep into your organization is through inactive accounts that are a part of sensitive groups. Removing dormant account access rights or deleting the account will help protect your organization's sensitive data and prevent further compromise. Accounts become dormant if they are not used for a period of 180 days.
- Stop weak cipher usage - Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade.
- Edit misconfigured certificate templates ACL - Certificate templates are Active Directory objects with an access control list that defines access to the template. Misconfigured access control may result in any user being capable of tampering with the template settings, resulting in privilege escalation.
- Modify unsecure Kerberos delegations to prevent impersonation - Kerberos delegation is a setting that allows applications to request end-user access credentials to access resources on behalf of the originating user. An unsecure Kerberos delegation provides an entity with the ability to impersonate you to any other chosen service. We detect which of your non-domain controller entities are configured for unsecure Kerberos delegation and provide remediation steps for this.
- Protect and manage local admin passwords with Microsoft LAPS - Local Administrator Password Solution (LAPS) provides management of local account passwords for domain joined computers. LAPS passwords are stored in your Active Directory (AD) and are protected by ACL, so only eligible users can read or request a reset. Microsoft recommends installing LAPS in your environment.
- Rotate password for Entra Connect Active Directory Domain Services (AD DS) Connector account - Your connector accounts play a key role in syncing identities between on-prem and cloud. If their passwords haven’t been rotated or updated in over 90 days, they could become a weak link in your hybrid identity setup. Stale credentials increase the risk of compromise, especially for high-privilege service accounts.
- Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector - If your Entra Connect AD DS Connector account is a member of Domain Admins or Enterprise Admins, it has broad privileges. Using overly privileged accounts for Entra Connect increases your attack surface and violates least privilege principles. We recommend removing/replacing exposed accounts (and their group memberships) that do not need these privileges.
- Configure VPN integration - Simplify your attack investigation process with the inclusion of Microsoft Defender for Identity user account information, especially when paired with additional information provided by Defender for Identity about user activities and the latest alerts about abnormal VPN connections. The Microsoft Defender for Identity VPN integration cloud solutions collect account information from your VPN solutions and populate user profile pages with your user's VPN connections, such as IP addresses and locations where connections originated.
- Group Policy Object (GPO) assigns unprivileged identities to local groups with elevated privileges - This recommendation addresses one of the most critical misconfigurations we observe in enterprise environments. GPOs that inadvertently assign elevated privileges to standard accounts create significant security gaps. Organizations often implement these configurations during routine administrative tasks without fully understanding the privilege escalation risks they introduce.
- Reduce lateral movement path risk to sensitive entities - Our analysis of enterprise networks reveals complex attack paths that threat actors exploit to reach high-value targets. This recommendation leverages the Microsoft Defender for Identity advanced behavioral analysis and entity relationship mapping to identify specific network segments and access controls that can effectively block lateral movement attempts before they reach sensitive assets. The insights are surfaced through Entra's unified security recommendations interface.
- Disable Print Spooler service on domain controllers - Following extensive research into attack surface reduction, this recommendation identifies domain controllers running unnecessary services that present exploitation opportunities. The Print Spooler service, in particular, has been the subject of significant security research and should be disabled on domain controllers where it serves no business purpose.
- Resolve Unsecure Account Attributes - This recommendation identifies accounts configured with security-weakening attributes such as non-expiring passwords, delegation trust settings, or reversible password encryption. These configurations often remain from legacy implementations and create unnecessary security exposure in modern environments.
- Remove access rights on suspicious accounts with the AdminSDHolder permission - The AdminSDHolder mechanism protects high-privilege accounts through automated permission inheritance. However, misconfigurations can result in unauthorized accounts gaining persistent administrative access. This recommendation identifies accounts with AdminSDHolder permissions that don't align with legitimate administrative roles.
- Remove non-admin accounts with DCSync permissions - DCSync replication rights enable complete domain credential extraction and should be restricted to domain controllers and essential administrative accounts. This recommendation identifies service accounts, user accounts, or groups with unnecessary DCSync permissions that could facilitate credential theft attacks.
- Ensure privileged accounts are not delegated - Account delegation features can create unintended privilege escalation paths when applied to high-privilege accounts. This recommendation identifies privileged accounts configured for delegation that could allow other systems to impersonate critical administrative identities.
- Edit overly permissive Certificate Template with privileged EKU - Certificate templates configured with overly broad Extended Key Usage values, particularly "Any Purpose," create opportunities for certificate abuse. This recommendation identifies templates that could enable authentication bypass or privilege escalation through certificate-based attacks.
- Edit misconfigured certificate templates owner - Certificate template ownership controls are critical for maintaining template integrity. This recommendation addresses the ESC4 attack technique by identifying templates with inappropriate ownership assignments that could allow unauthorized modification.
- Edit misconfigured Certificate Authority ACL - Certificate Authority Access Control Lists require careful configuration to prevent unauthorized certificate issuance. This recommendation identifies CA ACL misconfigurations that enable the ESC7 attack technique.
- Edit vulnerable Certificate Authority setting - Specific Certificate Authority flags can create security vulnerabilities when enabled inappropriately. This recommendation identifies CA configurations that enable subject alternative name manipulation through the ESC6 technique.
- Prevent Certificate Enrollment with arbitrary application policies - Certificate templates that allow arbitrary application policy specification create broad attack surfaces. This recommendation addresses the ESC11 vulnerability by identifying templates that permit unrestricted application policy enrollment.
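Several of the items above can be checked directly against Active Directory before the recommendations surface them. The following read-only PowerShell audit is an added example, not code from the original post or from Defender for Identity; it covers dormant members of sensitive groups (the 180-day threshold stated above), leftover Group Policy Preferences XML in SYSVOL carrying a cpassword attribute, and the unsecure account attributes named in the "Resolve Unsecure Account Attributes" item. The list of sensitive groups is an assumption; the ActiveDirectory RSAT module and read access to AD and SYSVOL are required.

```powershell
# Added example: read-only audit of three conditions described in the recommendations above.
Import-Module ActiveDirectory

# Assumption: the groups treated as "sensitive" in this tenant. Adjust to your environment.
$SensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
# Accounts with no logon in 180 days are considered dormant, matching the threshold in the post.
$DormantCutoff   = (Get-Date).AddDays(-180)

# 1) Enabled user accounts in sensitive groups whose last logon is older than the cutoff (or never).
function Get-DormantSensitiveMembers {
    foreach ($group in $SensitiveGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate, Enabled |
            Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $DormantCutoff) } |
            Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, LastLogonDate
    }
}

# 2) Group Policy Preferences files in SYSVOL that still carry a cpassword attribute (MS14-025 leftovers).
#    Only the file path is reported so the affected GPO can be located and the preference item removed.
function Get-GppCredentialFiles {
    $sysvol = "\\$((Get-ADDomain).DNSRoot)\SYSVOL"
    Get-ChildItem -Path $sysvol -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -List |
        Select-Object Path, @{ n = 'PreferenceFile'; e = { Split-Path $_.Path -Leaf } }
}

# 3) Accounts with security-weakening attributes: non-expiring passwords, reversible encryption,
#    unconstrained delegation, or Kerberos pre-authentication disabled.
function Get-UnsecureAccountAttributes {
    $attrs  = 'PasswordNeverExpires', 'AllowReversiblePasswordEncryption', 'TrustedForDelegation', 'DoesNotRequirePreAuth'
    $filter = ($attrs | ForEach-Object { "$_ -eq `$true" }) -join ' -or '
    Get-ADUser -Filter $filter -Properties $attrs |
        Select-Object (@('SamAccountName') + $attrs)
}

# Run all three checks and print the findings.
Get-DormantSensitiveMembers   | Format-Table -AutoSize
Get-GppCredentialFiles        | Format-Table -AutoSize
Get-UnsecureAccountAttributes | Format-Table -AutoSize
```

Each function returns objects, so the results can be exported with Export-Csv or compared against the recommendation's own list of affected entities.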
To stay up to date with the latest recommendations, visit Microsoft Entra recommendations in your Microsoft Entra portal, where we continuously release new guidance to help you strengthen your identity posture. In the coming months, we’ll be integrating more Microsoft Defender for Identity recommendations to enhance your visibility and control over your overall security posture, as well as Microsoft Entra Suite recommendations tailored to align with your organization’s Zero Trust approach. These updates represent a growing ecosystem of signals that feed directly into your ITDR strategy, which means greater visibility into risk and faster remediation. With Microsoft, you can move from reactive response to proactive defense, giving your security and identity admins deeper visibility across their identity fabric.