2025-02-11
Microsoft Entra ID, a core identity management service, has introduced an important feature called “protected actions,” designed to bolster security by preventing the permanent deletion of user accounts. This new security mechanism builds upon Conditional Access (CA) policies and aims to reduce the risk posed by attackers seeking to cause irreparable damage to organizations by exploiting high-risk operations, like the hard deletion of soft-deleted accounts. In this article, we will explore how protected actions work, their significance in organizational security, and best practices for implementing them.
Summary
Microsoft Entra
What Undercode Say:
Microsoft Entra
The primary goal of protected actions is to prevent attackers from exploiting permissions like `User.DeleteRestore.All` to permanently delete user accounts, an operation that could have severe repercussions. By leveraging Conditional Access policies, Entra ID ensures that only users who meet certain security standards, such as multi-factor authentication (MFA) or passwordless authentication, can perform high-risk actions. This not only adds a critical layer of protection but also increases the friction for potential attackers attempting to exploit vulnerabilities.
What makes this feature even more impressive is its ability to mitigate risks across various access points, including manual deletions and API-based operations. For example, using tools like Microsoft Graph PowerShell, attackers might try to bypass security, but protected actions block these attempts unless the necessary authentication conditions are met. This highlights how Microsoft is shifting towards a “zero-trust” model, where no operation is trusted without proper verification, regardless of the user’s privileges.
However, while protected actions enhance security, they are not a panacea. Attackers who gain full control of an organization’s tenant could still carry out harmful actions, but the additional barriers imposed by protected actions make such exploits significantly more difficult and time-consuming. This “friction” can be crucial in reducing the effectiveness of cyberattacks, buying organizations more time to detect and respond.
The implementation of protected actions also serves as a call to action for administrators to adopt a more granular and layered approach to security. Simply enabling this feature is not enough; administrators should also consider implementing best practices to ensure its effectiveness. One such best practice is the maintenance of an emergency account that is excluded from CA policies. This ensures that, in the event of a misconfiguration, administrators will not inadvertently lock themselves out of the system.
Another important aspect is the testing and validation of these security measures. Regular testing of protected actions ensures that security policies work as intended without causing disruptions to legitimate workflows. This testing process is crucial, as organizations must balance strong security with operational continuity.
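One way to make the emergency-account exclusion and the regular validation described above checkable is to lint the Conditional Access policy that backs the protected action. The following is an added example, not code from the original article or from Microsoft: the function name `Test-ProtectedActionPolicy`, the authentication context ID `c1`, the GUID and the sample policy (deliberately left in report-only mode with no exclusion) are constructed placeholders, and the property names follow the Microsoft Graph `conditionalAccessPolicy` resource.

```powershell
# Added example: lint a Conditional Access policy that backs a protected action.
# The JSON below is constructed sample data; 'c1' and the GUID are placeholders.
$policyJson = @'
{
  "displayName": "Protected action - hard delete users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": ["All"], "excludeUsers": [] },
    "applications": { "includeAuthenticationContextClassReferences": ["c1"] }
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null }
}
'@

function Test-ProtectedActionPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $AuthContextId,
        [Parameter(Mandatory)] [string] $BreakGlassUserId
    )
    $findings = @()
    # A disabled or report-only policy never blocks the protected action.
    if ($Policy.state -ne 'enabled') {
        $findings += "state is '$($Policy.state)': the policy is not enforced"
    }
    # The policy must target the authentication context tied to the protected action.
    if ($Policy.conditions.applications.includeAuthenticationContextClassReferences -notcontains $AuthContextId) {
        $findings += "authentication context '$AuthContextId' is not targeted"
    }
    # Require MFA or an authentication strength (which covers passwordless methods).
    $strongAuth = ($Policy.grantControls.builtInControls -contains 'mfa') -or
                  ($null -ne $Policy.grantControls.authenticationStrength)
    if (-not $strongAuth) {
        $findings += 'grant controls require neither MFA nor an authentication strength'
    }
    # The emergency account must be excluded so a misconfiguration cannot lock admins out.
    if ($Policy.conditions.users.excludeUsers -notcontains $BreakGlassUserId) {
        $findings += "emergency account $BreakGlassUserId is not excluded (lockout risk)"
    }
    $findings   # emitted one per pipeline item; nothing is emitted for a clean policy
}

$policy = $policyJson | ConvertFrom-Json
$breakGlass = '00000000-0000-0000-0000-000000000001'   # placeholder object ID
Test-ProtectedActionPolicy -Policy $policy -AuthContextId 'c1' -BreakGlassUserId $breakGlass |
    ForEach-Object { "FINDING: $_" }
```

Running the check on a schedule against an exported copy of the policy turns the "test regularly" advice into a repeatable control.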
Moreover, Microsoft encourages combining protected actions with other complementary security measures, such as Privileged Identity Management (PIM). By combining these layers of security, organizations can reduce the risk of privilege escalation and ensure that only trusted individuals can access high-risk operations.
In conclusion, Microsoft Entra ID's protected actions represent a significant step forward in enhancing the security posture of organizations by addressing one of the most critical vulnerabilities in identity management: the permanent deletion of accounts. While no security feature can guarantee complete protection, the of protected actions, when paired with best practices and additional safeguards, creates a formidable defense against unauthorized and malicious activity in Entra ID environments.
References:
Reported By: https://cyberpress.org/stopping-attackers-from-hard-deleting-entra-id-accounts/