Secure Score Recommendations from Microsoft Defender are now available in Entra Recommendations.
Last year, we added new security signals to Entra Recommendations to help strengthen your organization's security posture and to offer actionable insights that help you identify and effectively mitigate risks. The primary objective of Microsoft Entra Recommendations is to serve as a trusted advisor for improving security posture, especially as threats become more sophisticated with new AI and agentic scenarios. We also aim to combine best practices and industry standards from across Microsoft Security offerings to help secure your organization on a single platform, while still improving employee productivity and enabling Zero Trust.
Security posture is a critical first step in any successful Identity Threat Detection and Response (ITDR) practice. By combining best practices from identity and access management with additional security signals from Defender, Microsoft helps customers continuously strengthen their security posture through a seamless feedback loop. As the security landscape evolves, we are bringing more visibility into your organization's security posture through the addition of 12 Identity Secure Score recommendations from Microsoft Defender for Identity, now in public preview. These recommendations not only help you prevent, detect, and respond to identity-based cyberattacks, they also drive visibility and alignment across identity and security teams.
To find your new Identity Secure Score Recommendations, go to the Microsoft Entra Admin Center and navigate to Overview > Recommendations.
Here you will see the new security controls, which cover scenarios ranging from agentic AI to network access and identity threat detection and response.
Below are the 12 latest Identity Secure Score Recommendations and their details:
- Edit misconfigured enrollment agent certificate template – An enrollment agent certificate, typically held by IT administrators, lets its holder request a certificate on behalf of another user. If your environment has an overly permissive enrollment agent template together with another template that permits enrollment through an agent, attackers can exploit the pair to issue certificates for any user in the domain, including privileged accounts. We recommend restricting these templates to prevent privilege escalation and lateral movement across your environment.
- Remove unsafe permissions on sensitive Entra Connect accounts - On-premises and cloud identity systems are critical to hybrid identity. If the accounts that run Entra Connect carry unsafe permissions, attackers could exploit them to take over your environment, which makes them high-value targets.
- Reversible passwords found in GPOs - If your organization ever used Group Policy Preferences (GPP) to deploy credentials, those passwords may still be sitting in XML files in the system volume (SYSVOL) folder. Microsoft removed the ability to set such passwords in MS14-025 (2014), but existing files were not deleted, and because SYSVOL is readable by every domain user, the leftover files can be read and decrypted by anyone in the domain using the Advanced Encryption Standard (AES) key that Microsoft itself published. These files are a low-effort, high-reward target for attackers, so we recommend removing them.
- Stop clear text credentials exposure - Entities that send credentials in clear text increase risk, because insecure traffic such as Lightweight Directory Access Protocol (LDAP) simple bind is easily intercepted and the credentials it carries can be stolen and reused. Through a security assessment, Microsoft Defender for Identity detects credentials exposed in clear text by monitoring network traffic and events.
- Remove dormant accounts from sensitive groups - An easy and quiet path deep into your organization runs through inactive accounts that are members of sensitive groups. Removing the dormant account's access rights, or deleting the account, helps protect your organization's sensitive data and prevents further compromise. An account is considered dormant after 180 days without use.
- Stop weak cipher usage - Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activity that uses weak ciphers, whether as a misconfiguration or as a deliberate security downgrade.
- Edit misconfigured certificate templates ACL - Certificate templates are Active Directory objects, each with an access control list (ACL) that defines who can read, enroll in, and modify the template. A misconfigured ACL may allow any user to tamper with the template settings, resulting in privilege escalation.
- Modify unsecure Kerberos delegations to prevent impersonation - Kerberos delegation lets a service obtain credentials for other resources on behalf of the user who authenticated to it. With unsecure (unconstrained) delegation, the service can impersonate any user who authenticates to it to any other service of its choosing, so compromising that one host exposes every account that connects to it. Defender for Identity detects which of your non-domain-controller entities are configured for unsecure Kerberos delegation and provides remediation steps.
- Protect and manage local admin passwords with Microsoft LAPS - Local Administrator Password Solution (LAPS) manages the passwords of local accounts on domain-joined computers, giving each machine a unique, regularly rotated password. LAPS passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset. Microsoft recommends deploying LAPS in your environment.
- Rotate password for Entra Connect Active Directory Domain Services (AD DS) Connector account - Your connector accounts play a key role in syncing identities between on-premises and cloud. If their passwords have not been rotated in over 90 days, they can become a weak link in your hybrid identity setup. Stale credentials increase the risk of compromise, especially for high-privilege service accounts.
- Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector - If your Entra Connect AD DS Connector account is a member of Domain Admins or Enterprise Admins, it holds broad privileges it does not need. Using overly privileged accounts for Entra Connect increases your attack surface and violates the principle of least privilege. We recommend removing or replacing such accounts (and their group memberships) so that the connector runs with only the permissions it requires.
- Configure VPN integration - The Microsoft Defender for Identity VPN integration collects account information from your VPN solution and populates user profile pages with each user's VPN connections, including the source IP addresses and locations. This simplifies investigations when paired with the other user-activity information Defender for Identity holds and with its alerts about abnormal VPN connections.
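One way to run the SYSVOL check described under "Reversible passwords found in GPOs", as an added example that is not code from the original post or from Defender for Identity: the script walks the SYSVOL share for the preference files that can carry a cpassword attribute and decrypts each value with the 32-byte AES key Microsoft published in the MS-GPPREF specification. The SYSVOL path built from $env:USERDNSDOMAIN and the list of file names are assumptions; run it as an ordinary domain user to confirm that the files really are readable without any privilege.

```powershell
# Added example, not code from the original post or from Defender for Identity.
# Finds Group Policy Preference XML files in SYSVOL that still carry a cpassword
# attribute and decrypts them with the AES-256 key Microsoft published in MS-GPPREF
# (section 2.2.1.1.4). Any authenticated domain user can read SYSVOL, so this runs
# without elevated privileges.

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)

    # 32-byte AES key from the public MS-GPPREF specification
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    # GPP stores the base64 string without '=' padding; restore it before decoding
    $padded = $CPassword + ('=' * ((4 - ($CPassword.Length % 4)) % 4))
    $cipherBytes = [Convert]::FromBase64String($padded)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $decryptor = $null
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16      # the format uses an all-zero IV
        $decryptor = $aes.CreateDecryptor()
        $plain = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
    }
    finally {
        if ($decryptor) { $decryptor.Dispose() }
        $aes.Dispose()
    }
    # The plaintext password is UTF-16LE
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GppPassword {
    param(
        # Assumption: the default SYSVOL share of the current user's domain
        [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL"
    )
    # Preference types that can embed a password
    $fileNames = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

    Get-ChildItem -Path $SysvolPath -Recurse -Include $fileNames -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        # Select every element with a cpassword attribute, whatever the preference type
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # The account attribute differs per preference type (userName, accountName, runAs)
            $account = @($node.userName, $node.accountName, $node.runAs) |
                       Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                File     = $file
                Account  = $account
                Password = ConvertFrom-GppPassword -CPassword $node.cpassword
            }
        }
    }
}

# Usage: list every recoverable credential, then delete the files (or the GPO) they came from
Find-GppPassword | Format-Table -AutoSize
```

Every row this returns is a password that every user in the domain can recover the same way, so after deleting the files also rotate the affected accounts; removing the XML does not undo the exposure that already happened.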
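For the dormant-account, Kerberos delegation, and Entra Connect connector recommendations above, an added example of the Active Directory queries an administrator can run to find the same conditions locally. This is not code from the original post or from Defender for Identity; it assumes the RSAT ActiveDirectory module, read access to the domain, and that the AD DS Connector account uses the default MSOL_* naming (if yours is renamed, adjust the filter). The sensitive-group list is an assumption; the 180-day and 90-day thresholds are the ones the recommendations state.

```powershell
# Added example, not code from the original post or from Defender for Identity.
# Queries Active Directory for four of the conditions described in the recommendations.
# Assumes the RSAT ActiveDirectory module, read access to the domain, and that the
# Entra Connect AD DS Connector account follows the default MSOL_* naming.
Import-Module ActiveDirectory

function Get-IdentityPostureFindings {
    param(
        [int]$DormantDays  = 180,   # threshold from the dormant-account recommendation
        [int]$RotationDays = 90,    # threshold from the connector-password recommendation
        # Assumption: groups treated as sensitive for this check
        [string[]]$SensitiveGroups = @('Domain Admins','Enterprise Admins','Schema Admins',
                                       'Administrators','Account Operators','Backup Operators')
    )
    $now = Get-Date

    # 1. Enabled members of sensitive groups with no logon in $DormantDays.
    #    LastLogonDate is the replicated lastLogonTimestamp and can lag by up to 14 days,
    #    so treat it as a screening value, not an exact last-use time.
    $dormant = foreach ($g in $SensitiveGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate |
        Where-Object { $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-$DormantDays)) } |
        Select-Object @{n='Group';e={$g}}, SamAccountName, LastLogonDate
    }

    # 2. Accounts with unconstrained delegation (TRUSTED_FOR_DELEGATION, 0x80000) that are
    #    not domain controllers (SERVER_TRUST_ACCOUNT, 0x2000). 1.2.840.113556.1.4.803 is
    #    the LDAP bitwise-AND matching rule.
    $unconstrained = Get-ADObject -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))' `
                                  -Properties sAMAccountName, objectClass |
                     Select-Object sAMAccountName, objectClass, DistinguishedName

    # 3 and 4. Entra Connect AD DS Connector accounts: password age and Tier-0 membership.
    $privilegedDns = foreach ($g in 'Domain Admins','Enterprise Admins') {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty distinguishedName
    }
    $connectors = Get-ADUser -Filter 'sAMAccountName -like "MSOL_*"' -Properties PasswordLastSet |
        ForEach-Object {
            $ageDays = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Account         = $_.SamAccountName
                PasswordAgeDays = $ageDays
                RotationOverdue = ($null -eq $ageDays) -or ($ageDays -gt $RotationDays)
                OverPrivileged  = $privilegedDns -contains $_.DistinguishedName
            }
        }

    [pscustomobject]@{
        DormantSensitiveMembers = @($dormant)
        UnconstrainedDelegation = @($unconstrained)
        ConnectorAccounts       = @($connectors)
    }
}

$findings = Get-IdentityPostureFindings
$findings.DormantSensitiveMembers | Format-Table -AutoSize
$findings.UnconstrainedDelegation | Format-Table -AutoSize
$findings.ConnectorAccounts       | Format-Table -AutoSize
```

The delegation query deliberately excludes domain controllers, which are expected to carry the TRUSTED_FOR_DELEGATION bit; any other object in that result is a host whose compromise lets an attacker impersonate every user that authenticates to it.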
To stay up to date with the latest recommendations, visit Microsoft Entra Recommendations in your Entra portal, where we continuously release new guidance to help you strengthen your identity posture. In the coming months we will integrate more Microsoft Defender for Identity recommendations to extend your visibility and control over your overall security posture, as well as Microsoft Entra Suite recommendations tailored to your organization's Zero Trust approach. These updates represent a growing set of signals that feed directly into your ITDR strategy, giving you greater visibility into risk and faster remediation. With Microsoft, you can move from reactive response to proactive defense, giving your security and identity admins deeper visibility across their identity fabric.