{
	"id": "66e6dac3-e615-4a61-8963-1a76acce7814",
	"created_at": "2026-04-06T00:16:04.924984Z",
	"updated_at": "2026-04-10T03:21:26.528346Z",
	"deleted_at": null,
	"sha1_hash": "c5db57c8f76d6236299de7d8fbec23ce1862f933",
	"title": "Protect Microsoft 365 from on-premises attacks - Microsoft Entra",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117726,
	"plain_text": "Protect Microsoft 365 from on-premises attacks - Microsoft Entra\r\nBy janicericketts\r\nArchived: 2026-04-05 13:22:52 UTC\r\nMany customers connect their private corporate networks to Microsoft 365 to benefit their users, devices, and\r\napplications. Threat actors can compromise these private networks in many well-documented ways. Microsoft 365\r\nacts as a sort of nervous system for organizations that invested in modernizing their environment to the cloud. It's\r\ncritical to protect Microsoft 365 from on-premises infrastructure compromise.\r\nThis article shows you how to configure your systems to help protect your Microsoft 365 cloud environment from\r\non-premises compromise:\r\nMicrosoft Entra tenant configuration settings.\r\nHow you can safely connect Microsoft Entra tenants to on-premises systems.\r\nThe tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises\r\ncompromise.\r\nMicrosoft strongly recommends that you implement the guidance in this article.\r\nThreat sources in on-premises environments\r\nYour Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure.\r\nMicrosoft 365 uses machine learning and human intelligence to look across worldwide traffic. It can rapidly detect\r\nattacks and allow you to reconfigure nearly in real time.\r\nHybrid deployments can connect on-premises infrastructure to Microsoft 365. In such deployments, many\r\norganizations delegate trust to on-premises components for critical authentication and directory object state\r\nmanagement decisions. If threat actors compromise the on-premises environment, these trust relationships become\r\nopportunities for them to also compromise your Microsoft 365 environment.\r\nThe two primary threat vectors are federation trust relationships and account synchronization. 
Both vectors can\r\ngrant an attacker administrative access to your cloud.\r\nFederated trust relationships, such as Security Assertion Markup Language (SAML) authentication, are\r\nused to authenticate to Microsoft 365 through your on-premises identity infrastructure. If a SAML token-signing certificate is compromised, federation allows anyone who has that certificate to impersonate any\r\nuser in your cloud. To mitigate this vector, we recommend that you disable federation trust relationships for\r\nauthentication to Microsoft 365 when possible. We also recommend migrating other applications that use\r\non-premises federation infrastructure to use Microsoft Entra for authentication.\r\nAccount synchronization can be used to modify privileged users, including their credentials, or groups that have\r\nadministrative privileges in Microsoft 365. To mitigate this vector, we recommend that you ensure that\r\nsynchronized objects hold no privileges beyond a user in Microsoft 365. You can control privileges either\r\nhttps://learn.microsoft.com/en-us/azure/active-directory/fundamentals/protect-m365-from-on-premises-attacks\r\nPage 1 of 8\n\ndirectly or through inclusion in trusted roles or groups. Ensure these objects have no direct or nested\r\nassignment in trusted cloud roles or groups.\r\nProtect Microsoft 365 from on-premises compromise\r\nTo address on-premises threats, we recommend you adhere to the four principles that the following diagram\r\nillustrates.\r\nDiagram showing reference architecture for protecting Microsoft 365, as described in the following list.\r\n1. Fully isolate your Microsoft 365 administrator accounts. They should be:\r\nCloud-native accounts.\r\nAuthenticated by using phishing-resistant credentials.\r\nSecured by Microsoft Entra Conditional Access.\r\nAccessed only by using Cloud-managed privileged access workstations.\r\nThese administrator accounts are restricted-use accounts. 
No on-premises accounts should have\r\nadministrative privileges in Microsoft 365.\r\nFor more information, see About admin roles and Roles for Microsoft 365 in Microsoft Entra ID.\r\n2. Manage devices from Microsoft 365. Use Microsoft Entra join and cloud-based mobile device\r\nmanagement (MDM) to eliminate dependencies on your on-premises device management infrastructure.\r\nThese dependencies can compromise device and security controls.\r\n3. Ensure no on-premises account has elevated privileges to Microsoft 365. Some accounts access on-premises applications that require NTLM, Lightweight Directory Access Protocol (LDAP), or Kerberos\r\nauthentication. These accounts must be in the organization's on-premises identity infrastructure. Ensure\r\nthat you don't include these accounts, along with service accounts, in privileged cloud roles or groups.\r\nEnsure that changes to these accounts can't affect the integrity of your cloud environment. Privileged on-premises software must not be capable of affecting Microsoft 365 privileged accounts or roles.\r\n4. Use Microsoft Entra cloud authentication to eliminate dependencies on your on-premises credentials.\r\nAlways use phishing-resistant authentication methods, such as Windows Hello for Business, Platform\r\nCredential for macOS, Passkeys (FIDO2), Microsoft Authenticator passkeys, or certificate-based\r\nauthentication.\r\nSpecific security recommendations\r\nThe following sections provide guidance on how to implement the principles in this article.\r\nIsolate privileged identities\r\nIn Microsoft Entra ID, users who have privileged roles, such as administrators, are the root of trust to build and\r\nmanage the rest of the environment. 
Implement the following practices to minimize the effects of a compromise.\r\nUse cloud-only accounts for Microsoft Entra ID and Microsoft 365 privileged roles.\r\nDeploy privileged access devices for privileged access to manage Microsoft 365 and Microsoft Entra ID.\r\nSee Device roles and profiles.\r\nDeploy Microsoft Entra Privileged Identity Management (PIM) for just-in-time access to all human\r\naccounts that have privileged roles. Require phishing-resistant authentication to activate roles.\r\nProvide administrative roles that allow the least privilege necessary to do required tasks. See Least\r\nprivileged roles by task in Microsoft Entra ID.\r\nTo enable a rich role assignment experience that includes delegation and multiple roles at the same time,\r\nconsider using Microsoft Entra security groups or Microsoft 365 Groups. Collectively, we call these cloud\r\ngroups.\r\nEnable role-based access control. See Assign Microsoft Entra roles. Use administrative units in Microsoft\r\nEntra ID to restrict the scope of roles to a portion of the organization.\r\nDeploy emergency access accounts rather than on-premises password vaults to store credentials. See\r\nManage emergency access accounts in Microsoft Entra ID.\r\nFor more information, see Securing privileged access and Secure access practices for administrators in Microsoft\r\nEntra ID.\r\nUse cloud authentication\r\nCredentials are a primary attack vector. Implement the following practices to make credentials more secure:\r\nDeploy passwordless authentication. Reduce the use of passwords as much as possible by deploying\r\npasswordless credentials. You can manage and validate these credentials natively in the cloud. For more\r\ninformation, see Get started with phishing-resistant passwordless authentication deployment in Microsoft\r\nEntra ID. 
Choose from these authentication methods:\r\nWindows Hello for Business\r\nPlatform Credential for macOS\r\nMicrosoft Authenticator app\r\nPasskeys (FIDO2)\r\nMicrosoft Entra Certificate-based authentication\r\nDeploy multifactor authentication. For more information, see Plan a Microsoft Entra multifactor\r\nauthentication deployment. Provision multiple strong credentials by using Microsoft Entra multifactor\r\nauthentication. That way, access to cloud resources requires a Microsoft Entra ID managed credential in\r\naddition to an on-premises password. For more information, see Build resilience with credential\r\nmanagement and Create a resilient access control management strategy by using Microsoft Entra ID.\r\nModernize SSO from devices. Utilize the modern Single Sign On (SSO) capabilities of Windows 11,\r\nmacOS, Linux, and mobile devices.\r\nConsiderations. Hybrid account password management requires hybrid components such as password\r\nprotection agents and password writeback agents. If attackers compromise your on-premises infrastructure,\r\nthey can control the machines on which these agents reside. This vulnerability doesn't compromise your\r\ncloud infrastructure. Using cloud accounts for privileged roles doesn't protect these hybrid components\r\nfrom on-premises compromise.\r\nThe default password expiration policy in Microsoft Entra sets the account password of synchronized on-premises accounts to Never Expire. You can mitigate this setting with on-premises Active Directory\r\npassword settings. 
If your instance of Active Directory is compromised and synchronization is disabled, set\r\nthe CloudPasswordPolicyForPasswordSyncedUsersEnabled option to force password changes or move\r\naway from passwords to phishing-resistant passwordless authentication.\r\nProvision user access from the cloud\r\nProvisioning refers to the creation of user accounts and groups in applications or identity providers.\r\nDiagram of provisioning architecture shows the interaction of Microsoft Entra ID with Cloud HR, Microsoft\r\nEntra B2B, Azure app provisioning, and group-based licensing.\r\nWe recommend the following provisioning methods:\r\nProvision from cloud HR apps to Microsoft Entra ID. This provisioning enables an on-premises\r\ncompromise to be isolated. This isolation doesn't disrupt your joiner-mover-leaver cycle from your cloud\r\nHR apps to Microsoft Entra ID.\r\nCloud applications. Where possible, deploy app provisioning in Microsoft Entra ID as opposed to on-premises provisioning solutions. This method protects some of your software-as-a-service (SaaS) apps\r\nfrom malicious attacker profiles in on-premises breaches.\r\nExternal identities. Use Microsoft Entra External ID B2B collaboration to reduce the dependency on on-premises accounts for external collaboration with partners, customers, and suppliers. Carefully evaluate\r\nany direct federation with other identity providers. We recommend limiting B2B guest accounts in the\r\nfollowing ways:\r\nLimit guest access to browsing groups and other properties in the directory. Use the external\r\ncollaboration settings to restrict guests' ability to read groups of which they're not members.\r\nBlock access to the Azure portal. You can make rare necessary exceptions. Create a Conditional\r\nAccess policy that includes all guests and external users. Then implement a policy to block access.\r\nDisconnected forests. Use Microsoft Entra cloud provisioning to connect to disconnected forests. 
This\r\napproach eliminates the need to establish cross-forest connectivity or trusts, which can broaden the effect\r\nof an on-premises breach. For more information, see What is Microsoft Entra Connect Cloud Sync.\r\nConsiderations. When used to provision hybrid accounts, the Microsoft Entra ID-from-cloud-HR system\r\nrelies on on-premises synchronization to complete the data flow from Active Directory to Microsoft Entra\r\nID. If synchronization is interrupted, new employee records won't be available in Microsoft Entra ID.\r\nUse cloud groups for collaboration and access\r\nCloud groups allow you to decouple your collaboration and access from your on-premises infrastructure.\r\nCollaboration. Use Microsoft 365 Groups and Microsoft Teams for modern collaboration. Decommission\r\non-premises distribution lists and upgrade distribution lists to Microsoft 365 Groups in Outlook.\r\nAccess. Use Microsoft Entra security groups or Microsoft 365 Groups to authorize access to applications in\r\nMicrosoft Entra ID. To control access to on-premises applications, consider provisioning groups to Active\r\nDirectory using Microsoft Entra Cloud Sync.\r\nLicensing. Use group-based licensing to provision to Microsoft services by using cloud-only groups. This\r\nmethod decouples control of group membership from on-premises infrastructure.\r\nConsider owners of groups used for access as privileged identities to avoid membership takeover in an on-premises compromise. Takeovers include direct on-premises group membership manipulation or on-premises\r\nattribute manipulation that can affect Microsoft 365 dynamic group membership.\r\nManage devices from the cloud\r\nSecurely manage devices with Microsoft Entra capabilities.\r\nDeploy Microsoft Entra joined Windows 11 workstations with mobile device management policies. 
Enable\r\nWindows Autopilot for a fully automated provisioning experience. See Plan your Microsoft Entra join\r\nimplementation.\r\nUse Windows 11 workstations with the latest updates deployed.\r\nDeprecate machines that run Windows 10 and earlier.\r\nDon't deploy computers that have server operating systems as workstations.\r\nUse Microsoft Intune as the authority for all device management workloads, including Windows, macOS,\r\niOS, Android, and Linux.\r\nDeploy the iOS Enterprise SSO Extension.\r\nDeploy the macOS Enterprise SSO Extension or Platform SSO Secure Enclave Key.\r\nDeploy privileged access devices. For more information, see Device roles and profiles.\r\nWorkloads, applications, and resources\r\nThis section provides recommendations to protect from on-premises attacks on workloads, applications, and\r\nresources.\r\nOn-premises single-sign-on (SSO) systems. Deprecate any on-premises federation and web access\r\nmanagement infrastructure. Configure applications to use Microsoft Entra ID. If you're using AD FS for\r\nfederation, see Understand the stages of migrating application authentication from AD FS to Microsoft\r\nEntra ID.\r\nSaaS and line-of-business (LOB) applications that support modern authentication protocols. Use\r\nsingle sign-on in Microsoft Entra ID. Configure apps to use Microsoft Entra ID for authentication to reduce\r\nrisk in an on-premises compromise.\r\nLegacy applications. You can enable authentication, authorization, and remote access to legacy\r\napplications that don't support modern authentication by using Microsoft Entra Private Access. As a first\r\nstep, enable modern access to the internal networks using Microsoft Entra Private Access Quick Access.\r\nThis step provides a quick and easy way to replace your VPN one-time configuration using the secure\r\ncapabilities of Conditional Access. 
Next, configure per-app access to any TCP-based or UDP-based\r\napplication.\r\nConditional Access. Define Conditional Access policies for SaaS, LOB, and legacy applications to\r\nenforce security controls such as phishing-resistant MFA and device compliance. For more information,\r\nread Plan a Microsoft Entra Conditional Access deployment.\r\nAccess Lifecycle. Control the access lifecycle to applications and resources using Microsoft Entra ID\r\nGovernance to implement least privilege access. Give users access to information and resources only if\r\nthey have a genuine need for them to perform their tasks. Integrate SaaS, LOB, and legacy applications\r\nwith Microsoft Entra ID Governance. Microsoft Entra ID Entitlement Management automates access\r\nrequest workflows, access assignments, reviews, and expiration.\r\nApplication and workload servers. You can migrate applications or resources that require servers to\r\nAzure infrastructure-as-a-service (IaaS). Use Microsoft Entra Domain Services to decouple trust and\r\ndependency on on-premises instances of Active Directory. To achieve this decoupling, make sure virtual\r\nnetworks used for Microsoft Entra Domain Services don't have a connection to corporate networks. Use\r\ncredential tiering. Application servers are typically considered tier-1 assets. For more information, see\r\nEnterprise access model.\r\nConditional Access policies\r\nUse Microsoft Entra Conditional Access to interpret signals and use them to make authentication decisions. For\r\nmore information, see the Conditional Access deployment plan.\r\nUse Conditional Access to block legacy authentication protocols whenever possible. Additionally, disable\r\nlegacy authentication protocols at the application level by using an application-specific configuration. See\r\nBlock legacy authentication and Legacy authentication protocols. 
Find specific details for Exchange Online\r\nand SharePoint Online.\r\nImplement the recommended identity and device access configurations. See Common Zero Trust identity\r\nand device access policies.\r\nIf you're using a version of Microsoft Entra ID that doesn't include Conditional Access, use Security\r\ndefaults in Microsoft Entra ID. For more information about Microsoft Entra feature licensing, see the\r\nMicrosoft Entra pricing guide.\r\nMonitor\r\nAfter you configure your environment to protect your Microsoft 365 from on-premises compromises, proactively\r\nmonitor the environment. For more information, see What is Microsoft Entra monitoring.\r\nMonitor the following key scenarios, in addition to any scenarios specific to your organization.\r\nSuspicious activity. Monitor all Microsoft Entra risk events for suspicious activity. See How To:\r\nInvestigate risk. Microsoft Entra ID Protection natively integrates with Microsoft Defender for Identity.\r\nDefine network named locations to avoid noisy detections on location-based signals. See Using the\r\nlocation condition in a Conditional Access policy.\r\nUser and Entity Behavioral Analytics (UEBA) alerts. Use UEBA to get insights on anomaly detection.\r\nMicrosoft Defender for Cloud Apps provides UEBA in the cloud. See Investigate risky users. You can\r\nintegrate on-premises UEBA from Microsoft Defender for Identity. Microsoft Defender for Cloud Apps\r\nreads signals from Microsoft Entra ID Protection. See Enable entity behavior analytics to detect advanced\r\nthreats.\r\nEmergency access accounts activity. Monitor any access that uses emergency access accounts. See\r\nManage emergency access accounts in Microsoft Entra ID. Create alerts for investigations. 
This monitoring\r\nmust include the following actions:\r\nSign-ins\r\nCredential management\r\nAny updates on group memberships\r\nApplication assignments\r\nPrivileged role activity. Configure and review security alerts generated by Microsoft Entra Privileged\r\nIdentity Management (PIM). Monitor direct assignment of privileged roles outside PIM by generating\r\nalerts whenever a user is assigned directly.\r\nMicrosoft Entra tenant-wide configurations. Any change to tenant-wide configurations should generate\r\nalerts in the system. Include (but don't limit to) the following changes:\r\nUpdated custom domains\r\nMicrosoft Entra B2B changes to allowlists and blocklists\r\nMicrosoft Entra B2B changes to allowed identity providers, such as SAML identity providers,\r\nthrough direct federation or social sign-ins\r\nConditional Access or risk policy changes\r\nApplication and service principal objects\r\nNew applications or service principals that might require Conditional Access policies\r\nCredentials added to service principals\r\nApplication consent activity\r\nCustom roles\r\nUpdates to the custom role definitions\r\nNewly created custom roles\r\nFor comprehensive guidance on this topic, check Microsoft Entra security operations guide.\r\nLog management\r\nDefine a log storage and retention strategy, design, and implementation to facilitate a consistent tool set. For\r\nexample, consider security information and event management (SIEM) systems like Microsoft Sentinel, common\r\nqueries, and investigation and forensics playbooks.\r\nMicrosoft Entra logs. Ingest generated logs and signals by consistently following best practices for\r\nsettings such as diagnostics, log retention, and SIEM ingestion.\r\nMicrosoft Entra ID provides Azure Monitor integration for multiple identity logs. 
For more information,\r\nsee Microsoft Entra activity logs in Azure Monitor and Investigate risky users with Copilot.\r\nHybrid infrastructure operating system security logs. Archive and carefully monitor all hybrid identity\r\ninfrastructure operating system logs as a tier-0 system because of the surface area implications. Include the\r\nfollowing elements:\r\nPrivate network connectors for Microsoft Entra Private Access and Microsoft Entra Application\r\nProxy.\r\nPassword writeback agents.\r\nPassword Protection Gateway machines.\r\nNetwork policy servers (NPSs) that have the Microsoft Entra multifactor authentication RADIUS\r\nextension.\r\nMicrosoft Entra Connect.\r\nYou must deploy Microsoft Entra Connect Health to monitor identity synchronization.\r\nFor comprehensive guidance on this topic, check Incident response playbooks and Investigate risky users with\r\nCopilot.\r\nNext steps\r\nBuild resilience into identity and access management by using Microsoft Entra ID\r\nSecure external access to resources\r\nIntegrate all your apps with Microsoft Entra ID\r\nSource: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/protect-m365-from-on-premises-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/protect-m365-from-on-premises-attacks"
	],
	"report_names": [
		"protect-m365-from-on-premises-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434564,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5db57c8f76d6236299de7d8fbec23ce1862f933.pdf",
		"text": "https://archive.orkl.eu/c5db57c8f76d6236299de7d8fbec23ce1862f933.txt",
		"img": "https://archive.orkl.eu/c5db57c8f76d6236299de7d8fbec23ce1862f933.jpg"
	}
}