We are thrilled to announce the general availability of the new response actions in Microsoft Defender for Identity, targeting on-premises Active Directory accounts in the event that an identity is compromised.
The Identity Detect and Response concept
We believe that the fundamentals of a strong identity security product are the following pillars:
- Prevent a malicious act attempting to compromise an identity and reduce the attack surface proactively
- Detect malicious attempts to compromise identities across identity assets (AD, AAD, endpoints, apps, SaaS)
- Investigate through identity activities and develop further insights. Map attacker trail & identify the scope of a breach
- Respond to compromised identities and stop further damage and attack persistence
While Microsoft Defender for Identity has traditionally offered top-notch detections, extensive investigation capabilities, and security posture assessments to prevent malicious acts, the response offering was always focused on the Azure Active Directory identity, with the ability to confirm user as compromised and disable the user’s cloud account.
The challenges with response on Azure Active Directory accounts
Microsoft’s identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
The cloud response actions work great when the users are cloud-only – you can disable the user, mark it as compromised, prompt for multi-factor authentication, or even reset their password. The problem begins when the identity spans across the cloud and the on-premises. For example, in order to actually apply a reset password on an Azure Active Directory account, that will sync to Active Directory, one would need to go through a process of enabling the password writeback to on-premise environment. Disabling as user on the Azure Active Directory on the other hand, will be overwritten by the next sync between Active Directory and Azure Active Directory, as the on-premises Active Directory will always have a priority, which cannot be changed.
Introducing – direct actions on the Active Directory account
With this new capability being introduced in Microsoft 365 Defender, you can now take the following actions directly on the on-premises account too:
Disable user – this will temporarily prevent a user from logging in to the network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
Reset user password – this will prompt the user to change their password on the next logon, ensuring that this account cannot be used for further impersonation attempts.
These actions can be taken from several locations in Microsoft 365 Defender. From the user page to user page side panel, advanced hunting and even as part of automatic response in custom detections.
These actions will require setting up a privileged gMSA account that Microsoft Defender for Identity will use to perform the actions. You can read about the requirements here:
https://docs.microsoft.com/en-us/defender-for-identity/manage-action-accounts
This enriches Microsoft’s XDR experience ever further. Empowering security teams to take comprehensive action on all managed identities in Microsoft 365 Defender and being able to link the response actions to detections from other workloads (like endpoint, Office 365 and cloud apps) means that threats can be identified and responded to quicker than ever before.
What does the future hold?
This is just the beginning of our response story. We are looking forward to hearing your feedback on what would you like to see next. Hint: On-premises MFA is on the way, so we challenge you to think harder.
As always, we’d love to know what you think.
Leave us feedback directly in Microsoft 365 Defender, or contact the team at: aatpfeedback@microsoft.com