Investigating and Recovering from a Security Breach in Your Hybrid AD and Azure AD

Most organizations that have migrated to Office 365 have done so into a hybrid environment, with on-premises AD running alongside Azure AD. Perhaps the most challenging aspect is managing and securing the entire attack surface. Many organizations begin the process by creating systems that allow them to:

Are you familiar with the four pillars of securing a cloud or hybrid AD environment? Download the Quest e-book Surviving Common Office 365 Security Pitfalls for your free IT survival guide.

The final pillar of securing a cloud or hybrid AD environment is investigating security incidents and recovering as quickly as possible to limit the damage.


Once a security irregularity is noticed, the first step is to investigate the access lifecycle of the users and groups involved. That requires 360-degree forensics and full-text search that correlate events, access activity and security configuration across multiple indexed repositories to reveal the most likely paths to the incident. The investigation needs to answer questions such as:

  • Any activity in AD, GPOs, files and on computers by a given user during a given period
  • Any activity in OUs, groups, files, computers, users and attributes containing a given word
  • Security configuration and changes for a given user, including the status of the user account in AD, department, last logon time, account expiration, accessible files and group memberships
  • Membership information for any given group, including recent changes to membership
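The questions in the list above can be answered from AD itself when a forensics platform is not available. The following PowerShell is an added example, not code from the original post or from Quest: it pulls one user's security configuration, reconstructs recent membership changes to a group from replication metadata (which still shows removed members until the tombstone lifetime expires), and searches every DC's Security log for directory-change events that name the user as actor or target. It assumes the RSAT ActiveDirectory module and rights to read replication metadata and the Security log on the DCs; 'jdoe' and 'Domain Admins' are placeholder names.

```powershell
# Added example, not from the original post or from Quest. Assumes RSAT ActiveDirectory,
# read access to replication metadata and to the DC Security logs. Names are placeholders.
Import-Module ActiveDirectory

# Security configuration for one user: status, department, last logon, expiration, groups.
function Get-UserSecurityProfile {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Server = (Get-ADDomain).PDCEmulator)
    $u = Get-ADUser -Identity $SamAccountName -Server $Server -Properties Department, LastLogonDate,
            AccountExpirationDate, Enabled, LockedOut, PasswordLastSet, MemberOf, adminCount
    [pscustomobject]@{
        User                  = $u.SamAccountName
        Enabled               = $u.Enabled
        LockedOut             = $u.LockedOut
        Department            = $u.Department
        LastLogonDate         = $u.LastLogonDate   # from lastLogonTimestamp: replicated, can be ~14 days stale
        AccountExpirationDate = $u.AccountExpirationDate
        PasswordLastSet       = $u.PasswordLastSet
        AdminCount            = $u.adminCount      # 1 means the account is (or was) AdminSDHolder-protected
        Groups                = @($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
    }
}

# Recent membership changes for a group, from linked-value replication metadata on the
# 'member' attribute. Each value carries when it was added (LastOriginatingChangeTime),
# when it was removed (LastOriginatingDeleteTime, 1601-01-01 if never) and the originating DC.
function Get-GroupMembershipChanges {
    param([Parameter(Mandatory)][string]$GroupName,
          [int]$Days = 30,
          [string]$Server = (Get-ADDomain).PDCEmulator)
    $g     = Get-ADGroup -Identity $GroupName -Server $Server
    $since = (Get-Date).AddDays(-$Days)
    Get-ADReplicationAttributeMetadata -Object $g.DistinguishedName -Server $Server `
            -Properties member -ShowAllLinkedValues |
        ForEach-Object {
            $removed = $_.LastOriginatingDeleteTime -gt [datetime]'1601-01-02'
            [pscustomobject]@{
                Group    = $g.Name
                Member   = $_.AttributeValue
                Action   = if ($removed) { 'Removed' } else { 'Added' }
                When     = if ($removed) { $_.LastOriginatingDeleteTime } else { $_.LastOriginatingChangeTime }
                OriginDC = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        } |
        Where-Object { $_.When -ge $since } | Sort-Object When -Descending
}

# Directory-change events naming the account, in a time window, across all DCs (Security
# logs are per DC, so a single DC never has the whole picture). IDs: 4720/4722/4725/4726/
# 4738/4740 user lifecycle; 4728/4732/4756 member added; 4729/4733/4757 member removed.
function Get-UserDirectoryEvents {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][datetime]$Start,
          [Parameter(Mandatory)][datetime]$End,
          [string[]]$Servers = (Get-ADDomainController -Filter *).HostName)
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName   # MemberName in 47xx events is a DN
    $ids = 4720,4722,4725,4726,4738,4740,4728,4729,4732,4733,4756,4757
    foreach ($dc in $Servers) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $Start; EndTime = $End
        } | ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $subj = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            $tgt  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            $mem  = ($data | Where-Object Name -eq 'MemberName').'#text'
            if ($subj -eq $SamAccountName -or $tgt -eq $SamAccountName -or $mem -eq $dn) {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Actor = $subj
                                   Target = $tgt; Member = $mem; DC = $dc }
            }
        }
    }
}

# Usage (placeholder values):
# Get-UserSecurityProfile -SamAccountName 'jdoe'
# Get-GroupMembershipChanges -GroupName 'Domain Admins' -Days 30
# Get-UserDirectoryEvents -SamAccountName 'jdoe' -Start (Get-Date).AddDays(-7) -End (Get-Date)
```

The replication-metadata query is the piece worth knowing about: it needs no auditing to have been enabled beforehand, and it recovers removals that the group's current member list no longer shows. The Security-log search, by contrast, only works for the period the logs are retained on each DC, which is why forwarding them to a central, indexed store is what makes the 360-degree view possible.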


The next step is to recover from unauthorized changes to on-premises AD, Azure AD and Office 365. Every contingency plan must cover the basics, with as much automation as is practical:

  • Daily backup of AD database information
  • Tight delegation of the rights to back up and restore Active Directory objects
  • Encryption of AD backups on disk (encryption at rest), since anyone who can read a backup holds the NTDS.dit database and every password hash in it
  • Daily backup and automated recovery of the Active Directory schema and forest metadata
  • Establishment of a recovery time objective for a full AD recovery
  • Documentation and testing of partial and full disaster recovery plans at least once a year
  • Cross-training for IT staff on activating and executing the AD recovery plan
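The first three basics above can be checked mechanically on a domain controller. The following PowerShell is an added example, not code from the original post or from Quest: it verifies that a scheduled Windows Server Backup policy includes System State (which is what an AD restore is taken from) and that the last successful run is within the daily window, that Backup Operators contains only allowlisted accounts, and that the backup target is BitLocker-protected. It assumes the Windows Server Backup feature, the BitLocker module and the RSAT ActiveDirectory module are present; the allowlist ('svc-adbackup') and the backup volume letter ('E:') are placeholders for your own values.

```powershell
# Added example, not from the original post or from Quest: pre-flight check of the
# contingency-plan basics on a DC. Assumes Windows Server Backup, BitLocker and RSAT
# ActiveDirectory are installed; the allowlist and volume letter are placeholders.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup
Import-Module BitLocker

function Test-AdBackupPosture {
    param(
        [int]      $MaxBackupAgeHours      = 24,                # "daily backup"
        [string[]] $AllowedBackupOperators = @('svc-adbackup'), # hypothetical allowlisted accounts
        [string]   $BackupVolume           = 'E:'               # hypothetical backup target
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Daily backup of the AD database. AD is restored from a System State backup, so the
    #    scheduled policy must include it, and the last successful run must be inside the window.
    $policy = Get-WBPolicy -ErrorAction SilentlyContinue
    if (-not $policy -or -not $policy.SystemState) {
        $findings.Add('No scheduled backup policy that includes System State (NTDS.dit and SYSVOL)')
    }
    $summary  = Get-WBSummary
    $ageHours = ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours
    if ($ageHours -gt $MaxBackupAgeHours) {
        $findings.Add("Last successful backup is $([math]::Round($ageHours, 1))h old (limit $MaxBackupAgeHours h)")
    }

    # 2. Tight delegation. Anyone who can take a backup can copy NTDS.dit and attack every
    #    hash offline, so Backup Operators (resolved recursively) must match the allowlist.
    $operators  = Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
                  Where-Object objectClass -eq 'user' |
                  Select-Object -ExpandProperty SamAccountName
    $unexpected = $operators | Where-Object { $_ -notin $AllowedBackupOperators }
    foreach ($o in $unexpected) { $findings.Add("Unexpected member of Backup Operators: $o") }

    # 3. Encryption at rest on the volume that holds the backup copies of NTDS.dit.
    $bl = Get-BitLockerVolume -MountPoint $BackupVolume -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.ProtectionStatus -ne 'On' -or $bl.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Backup volume $BackupVolume is not BitLocker-protected (status: $($bl.VolumeStatus))")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

$result = Test-AdBackupPosture
$result.Findings | ForEach-Object { Write-Warning $_ }
if (-not $result.Compliant) { exit 1 }
```

Run it from the scheduled task that follows the nightly backup, so a skipped job, a new Backup Operator or an unprotected target raises a warning the next morning rather than on the day of the recovery. The recovery time objective and the annual test are not checkable this way; they belong in the documented plan and the change calendar.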

By employing the appropriate investigation and recovery strategies—along with assessment, detection/reporting and remediation/mitigation best practices—you’ll be in position to secure your cloud or hybrid AD environment and keep it that way moving forward.

To learn more about maintaining security within your cloud or hybrid AD environment, download the complimentary Quest e-book Surviving Common Office 365 Security Pitfalls.
