The enigma of Entra ID security and management – and how Active Roles can help

Active Directory (AD) officially reaches its quarter-century this year, after its late-1990s preview and full release with Windows Server 2000. That’s over 25 years of providing administrators with tools to manage permissions, endpoints and access for network-based resources and objects. In that time, it’s grown to become the choice of around 90% of the Global Fortune 1000s.

In comparison, Entra ID is still in its relative infancy, having launched in 2023 as a renamed replacement for Azure AD and designed to “communicate the multi-cloud, multiplatform functionality of the products.” Yet the corporate world is rapidly going cloud-first, with over 70% of businesses predicted to use industry cloud platforms by 2027. This poses a big question for VPs, directors and heads of AD and IT: How do we maintain AD and harness Entra ID to manage hybrid environments and groups – while also keeping identities and privileges protected?

This current fragmentation can cause interoperability challenges that go far beyond risks to functionality – and toward risks to security. AD was created in a time when on-premises and perimeter-based security was the norm. And for many larger organizations, AD is also likely to have evolved over many years, perhaps incorporating mergers and acquisitions along the way.

Fast-forward to today’s distributed networks, remote workers and decentralized identities. Then add in the advent of generative AI, which is fueling an increase in the “scale and sophistication of cybercrime, particularly identity theft and fraud.” The resulting wider attack surface brings multiple complexities, but there are also legacy-based limitations such as AD’s lack of cloud-native MFA and dynamic access policies. Both are available in Entra ID, so let’s explore what else it offers.

What is Entra ID?

Entra ID is an integrated, cloud-based identity and access management (IAM) solution that gives users a path to apps, devices and data.

This underscores the biggest difference from AD, which is deployed on-premises. The differences manifest themselves in many of the associated concepts, such as provisioning external identities. With AD, organizations create external users manually in a dedicated AD forest. As Microsoft points out, this approach leads to “administration overhead to manage the lifecycle of external identities (guest users)”.

Without automation, there’s an increased likelihood of bottlenecks from manual delegations and approvals that rely on the time and resources of SysAdmins. The result can often be standing privileges, persistently left open for threat actors to exploit. A production environment or business-critical application might remain accessible to a contractor who completed the project months ago. Perhaps a user has switched departments but retained the elevated permissions from their previous role.

With Entra ID, it’s possible to implement CIAM that allows customers to automatically sign in using their existing identity. Entra ID also offers entitlement management, authenticating credentials to automate self-service flows such as access requests, reviews and expirations. This offers a simpler and more streamlined way to manage environments – as long as AD and Entra ID are aligned.

How to simplify and streamline hybrid Entra ID and AD environments

Misconfigurations in AD and Entra ID management can have major impacts, with privileges often at the heart of any issues. Every account and attribute in the directory has some type of privilege and permission. Legacy and traditional protocols can mean it’s faster to leave access open – but it also elevates the security risks.

Where possible, organizations should start by reviewing current AD infrastructure. That means assessing whether all structures are needed and reviewing all domain controllers. If an adversary can gain privileged access to a domain controller, they can read or write to systems and resources in the AD database, potentially corrupting or destroying them within hours. Of course, this relies on knowing what exists, where it’s located, who has access and at what level. However, one of the biggest obstacles is the lack of visibility when managing groups across various AD and Entra ID environments.

That’s why this calls for a similarly hybrid identity management approach, as found with Microsoft Entra Connect. This puts identity at the center of logins, with users able to access both cloud and on-premises directories with Active Roles. Synchronization ensures correct functionality and adds security through password hash synchronization.

Naturally, any account with Entra Connect privileges must be highly protected. Microsoft offers Virtualization-Based Security, in the form of Credential Guard, for preventing credential-based attacks and allowing only privileged system software to access secrets. Windows LAPS is another defense tool that allows regular rotation and management of local administrator account passwords, with protection against pass-the-hash and lateral movement attacks. There are also access control lists and password encryption for AD passwords.

Non-human entities often require authentication for services and resources, so Entra ID offers Workload ID for enterprise applications. This solution can create security policies that can be divided between software workloads and devices with conditional access. Because these operate autonomously, they’re often at a scale and speed that’s impossible for human teams to monitor. What’s more, as more of these entities require connections, the attack surface grows significantly. Workload ID solves this by allowing control of identity access with adaptive policies.

Role-based policy enforcement offers the dynamism and flexibility required for fast-paced multi-domain environments, taking into account human users and the rising number of entities that also need access. But security can be hard to enforce when the business scales or integrates with third-party or partner systems. Users with higher privileges, such as Entra ID application owners, should have controls such as MFA and unified SSO in place. These can act as a foundation for further strengthening of organizational security and management.

How to strengthen identity security with Entra ID as the foundation

Despite the speed of cloud-fueled change, AD remains integral to modern business processes, especially those that need isolated networks – such as healthcare for HIPAA compliance reasons, or manufacturers that rely on air-gapped Operational Technology without internet connection. But modern business demands increasingly call for cloud-based solutions. Companies are gaining competitive advantage with agility, elasticity and the ability to spin up instances on-demand rather than rely on static infrastructure.

The answer is to use Entra ID as the foundation for reviewing legacy AD systems and assessing suitability for migration to a cloud-based way of working. That’s where advantages such as automation are possible with solutions such as Active Roles, which provides multiple opportunities to find efficiency gains.

With such solutions, an organization can create user and group accounts in AD, Entra ID and M365. User access updates can be synced and completed across any hybrid environment without relying on manual actions that can cause inconsistencies. This predefined, rule-based approach brings the real-time capability that AD, with its manual ‘select objects and add to groups’ mechanisms, can’t offer.
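The standing-privilege problem described earlier (a contractor who keeps production access after the engagement ends, a user who changes department but keeps the old role) and the rule-based membership described here are two sides of the same control. The following added example, which is not code from the post or from Active Roles, models group membership as predicates over user attributes and then reviews a manually maintained membership list against what the rules would grant. All users, groups, rules and dates are constructed for illustration; the `User` and `Finding` types, `RULES`, `CURRENT` and `review_standing_access` are hypothetical names, not a product API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data (not from any real directory): a handful of
# identities as they might appear in an AD / Entra ID export.
@dataclass(frozen=True)
class User:
    upn: str
    department: str
    enabled: bool
    employee_type: str                      # "Employee" or "Contractor"
    engagement_end: Optional[date] = None   # contractors only

@dataclass(frozen=True)
class Finding:
    group: str
    upn: str
    reason: str

TODAY = date(2024, 6, 1)  # constructed review date

USERS: List[User] = [
    User("alice@example.com", "Finance", True, "Employee"),
    User("bob@example.com", "Marketing", True, "Employee"),   # moved out of Finance
    User("carol@example.com", "Platform", True, "Contractor", date(2024, 2, 29)),
    User("dave@example.com", "Platform", True, "Employee"),
]

# Hypothetical rule-based membership, modelled on attribute-driven dynamic
# groups: each group is defined by a predicate over user attributes, so a
# department change automatically changes the expected membership.
RULES: Dict[str, Callable[[User], bool]] = {
    "Finance-Admins": lambda u: u.enabled and u.department == "Finance",
    "Prod-Operators": lambda u: u.enabled and u.department == "Platform",
}

# Membership as it was granted by hand ("select objects and add to groups").
CURRENT: Dict[str, Set[str]] = {
    "Finance-Admins": {"alice@example.com", "bob@example.com"},
    "Prod-Operators": {"carol@example.com"},
}

def expected_membership(users: List[User],
                        rules: Dict[str, Callable[[User], bool]]) -> Dict[str, Set[str]]:
    """Membership each group would have if derived purely from the rules."""
    return {group: {u.upn for u in users if pred(u)} for group, pred in rules.items()}

def review_standing_access(users: List[User], current: Dict[str, Set[str]],
                           rules: Dict[str, Callable[[User], bool]],
                           today: date) -> List[Finding]:
    """Compare hand-maintained membership with rule-derived membership.

    Flags standing privileges the rules no longer justify, contractors whose
    engagement has ended, and drift where a rule grants access that was never
    provisioned. Findings are deterministic: groups in rule order, members sorted.
    """
    by_upn = {u.upn: u for u in users}
    expected = expected_membership(users, rules)
    findings: List[Finding] = []
    for group in rules:
        members = current.get(group, set())
        for upn in sorted(members):
            user = by_upn.get(upn)
            if user is None:
                findings.append(Finding(group, upn, "member not present in directory export"))
            elif (user.employee_type == "Contractor" and user.engagement_end
                  and user.engagement_end < today):
                findings.append(Finding(group, upn,
                                        f"contractor engagement ended on {user.engagement_end}"))
            elif upn not in expected[group]:
                findings.append(Finding(group, upn,
                                        f"membership not justified by rule (department={user.department})"))
        for upn in sorted(expected[group] - members):
            findings.append(Finding(group, upn, "rule grants membership but user is not a member"))
    return findings

def run_review() -> List[Finding]:
    """Run the review over the constructed sample with the constructed date."""
    return review_standing_access(USERS, CURRENT, RULES, TODAY)

if __name__ == "__main__":
    for f in run_review():
        print(f"{f.group:16} {f.upn:20} {f.reason}")
```

On the sample data the review surfaces exactly the three cases the post describes: `bob` still holds `Finance-Admins` after moving to Marketing, `carol` keeps `Prod-Operators` after the engagement end date, and `dave` should be an operator but was never added. Alice, whose membership the rule justifies, produces no finding, which is the property that makes the output small enough to act on.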

Active Roles also allows for more dynamic access, such as RBAC, with greater granularity when defining access and delegation for users and objects. Any changes to access for users or groups can be tracked and surfaced at any time. It offers an extension for privileged passwords, offering Just-In-Time (JIT) access for AD accounts. The increased dynamism also comes with an audit trail that hardens security with active logs and offers on-demand evidence when required by regulators.

These features can all be managed from one console, giving unified and synchronized protection for hybrid deployments across every domain and tenant. Active Roles also integrates with multiple One Identity products – including Identity Manager, Safeguard and Password Manager – along with extensions to PowerShell, ADSI and SPML.

Delivering hybrid identity security for a hybrid environment

Wherever there’s AD and Entra ID, there’s authentication. That’s why attackers often look there first when seeking out vulnerabilities. And that’s why strengthening the security posture starts with strengthening identity management.

After all, with millions of credentials available on the dark web, plus growing endpoints from non-human entities, threat actors have more choices and environments to target than ever before. Credential stuffing has long been a popular attack vector, partly due to the volume of leaks – nearly 10 billion passwords were posted on a hacking forum in 2024 – and partly because people reuse passwords across multiple sites.
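Credential stuffing has a recognisable shape in sign-in telemetry: one source tries a leaked username/password list against many different accounts in a short window, whereas a user who forgot their password fails repeatedly against a single account. The following added example, not code from the post or from any One Identity product, shows the detection logic run over a few constructed sign-in log lines. The log format, the `203.0.113.0/24` documentation addresses, the user names and the thresholds are all constructed assumptions, not a real product's log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample sign-in log (not real telemetry). One field per key so
# the line format stays easy to parse; the IPs are documentation addresses.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z ip=203.0.113.10 user=alice@example.com result=FAILURE
2024-06-01T08:00:02Z ip=203.0.113.10 user=bob@example.com result=FAILURE
2024-06-01T08:00:02Z ip=203.0.113.10 user=carol@example.com result=FAILURE
2024-06-01T08:00:03Z ip=203.0.113.10 user=dave@example.com result=FAILURE
2024-06-01T08:00:04Z ip=203.0.113.10 user=erin@example.com result=SUCCESS
2024-06-01T08:00:05Z ip=203.0.113.10 user=frank@example.com result=FAILURE
2024-06-01T08:15:00Z ip=203.0.113.44 user=grace@example.com result=FAILURE
2024-06-01T08:15:20Z ip=203.0.113.44 user=grace@example.com result=FAILURE
2024-06-01T08:15:41Z ip=203.0.113.44 user=grace@example.com result=SUCCESS
2024-06-01T09:30:00Z ip=203.0.113.77 user=heidi@example.com result=SUCCESS
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, ip, user, result)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

def parse_log(text: str) -> List[Event]:
    """Parse the constructed line format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_credential_stuffing(events: List[Event],
                               window: timedelta = timedelta(seconds=60),
                               min_accounts: int = 5) -> Dict[str, dict]:
    """Flag source IPs that fail against >= min_accounts distinct users within `window`.

    For each IP the events are scanned in time order with a sliding window ending
    at each event. The alert keeps the window with the most distinct failed
    accounts and lists any accounts that succeeded from the same IP inside it,
    since those are the first candidates for a compromised-credential response.
    Repeated failures against a single account (a forgotten password) never reach
    the threshold, so they are not reported.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        for i, (ts, _, _, _) in enumerate(evs):
            start = ts - window
            in_window = [e for e in evs[: i + 1] if e[0] >= start]
            failed = {e[2] for e in in_window if e[3] == "FAILURE"}
            if len(failed) < min_accounts:
                continue
            if ip not in alerts or len(failed) > alerts[ip]["distinct_failed_accounts"]:
                alerts[ip] = {
                    "distinct_failed_accounts": len(failed),
                    "window_end": ts.isoformat(),
                    "successes": sorted({e[2] for e in in_window if e[3] == "SUCCESS"}),
                }
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

With the sample log, `203.0.113.10` is reported (five distinct accounts failed within four seconds, with `erin@example.com` succeeding in the same burst), while `203.0.113.44`, where one user failed twice and then signed in, stays silent. The window and threshold are deliberately parameters: the right values depend on tenant size and the normal failure rate, and should be tuned on real data rather than copied from this example.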

The continued risk from password-based breaches is why the FBI and CISA advise “business owners of all sizes to move toward more robust security solutions—such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE)—that provide greater visibility of network activity.” This access to networks, and the ability to move laterally and undetected, helps explain why a reported 90% of organizations experienced an identity-related event in the last year.

Tackling identity sprawl is a major step toward successfully implementing these defense strategies, along with separation of duties and privileges. That requires simplifying the AD environment where possible, to be ready for integrating Entra ID’s multiple identity security solutions. After all, harnessing Entra ID allows you to capitalize on the new innovations and products built for cloud-based ways of working.

IT just needs a unified security and administration solution such as Active Roles to support modern cybersecurity strategies. Organizations can make use of automation to ensure consistent identity management, even at scale. There are greater opportunities to introduce dynamic, role-based access, which supports moves toward JIT, Zero Trust and PoLP. This leads to a strengthening of identities and a way to solve the enigma of managing security in a hybrid AD and Entra ID environment.
