Detecting and Reporting Security Issues in Hybrid AD and Azure AD—Visibility is Key

If your organization is running Office 365 in a completely cloud-based or hybrid AD environment, it’s critical to make sure the proper security protocols are in place in both your on-premises AD and Azure AD. The first step is continuously assessing the hybrid AD to determine who has access to permissions, privileged groups, sensitive business groups, Group Policy Objects (GPO) and data at all times.

 Are you familiar with the four pillars of hybrid AD security? Download the Quest e-book Surviving Common Office 365 Security Pitfalls for
your free IT survival guide.

The next step is implementing a system that can quickly detect security changes that deviate from assessment baselines and also automatically alert administrators to what’s going on. Real-time identification of suspicious activities can minimize the impact of an insider attack or data breach by correlating disparate IT data from numerous systems and devices. Some of the most-common suspicious activities include:

  • User passwords changed by non-owners
  • Direct and indirect (nested group) membership changes on elevated privileged groups
  • Changes to security permissions on the AdminSDHolder object
  • Changes to sensitive Group Policy Object (GPO) settings
  • Mass deletions of accounts
  • Assignment of sensitive AD permissions
  • Multiple failed logons followed by successful logons to domain controllers
  • Logons to domain controllers during non-business hours
  • Mass deletions or modifications of AD objects and attributes
  • Addition of a user to the administrators group, followed by successful logon and removal from the group

But here’s something to consider: Native auditing tools can prevent you from seeing the whole picture. Native AD, Azure AD and Office 365 auditing tools lack governance capabilities and the necessary visibility into your on-premises AD to properly secure your hybrid AD environment and meet compliance regulations. There are many functional issues, including:

  • Difficulty configuring auditing
  • Having to configure one mailbox/object at a time
  • Inability to monitor audit policies if they change or are disabled by other administrators
  • Inability to automatically configure new mailboxes/objects with the desired audit policy
  • Absence of real-time alerting, with only a finite number of alert actions
  • Limited retention time of audited data before it is permanently lost
  • Difficulty interpreting events

Given these blind spots, you should complement native auditing tools with solutions that give you a clear line of site into your on-premises AD and allow you to integrate it with Azure AD. This positions you to more accurately detect and alert security irregularities.

To learn more about securing your hybrid environment—starting with pre-migration—download the complimentary Quest e-book Surviving Common Office 365 Security Pitfalls.

Download E-Book

About the Author
Daniel Gauntner
Dan Gauntner is a Senior Product Marketing Manager where he oversees the positioning and go-to-market strategy for Office 365, Active Directory, Exchange, Lotus Notes, SharePoint and OneDrive for Business...