Remediating and Mitigating Privileged Access Issues in Your Hybrid AD and Azure AD

The challenges associated with securing data in Office 365, whether fully cloud-based or a hybrid AD deployment, are numerous, and addressing them requires a solid plan to ensure your risk of a data breach or accidental exposure is minimized.

That plan begins with continually assessing permissions to ensure data is only available to those who should have access. It also requires implementation of a system that enables you to detect security abnormalities as quickly as possible.

Maintaining security in a cloud or hybrid AD environment is no easy task. Download the Quest e-book Surviving Common Office 365 Security Pitfalls for your free IT survival guide.

The third component of properly securing your hybrid environment is two-pronged:

  • Remediation—Enabling administrators to revert unauthorized access and security changes so that the environment stays aligned with the assessment baselines.
  • Mitigation—Preventing unauthorized access from recurring.


Given the myriad moving parts within an organization—employee turnover, promotions, changing access privileges—it’s impossible to keep permissions up to date manually. To create an environment that maintains consistent, accurate access permissions across your on-premises AD and Azure AD, it’s important to automate as many processes as possible, such as:

  • Reverting unauthorized changes to groups, based on whitelists of the users authorized to make membership changes
  • Automatically reverting mass changes or deletions of AD objects in the on-premises AD, such as group memberships, users and attributes
  • Automating a workflow that detects when user accounts are inactive
  • Moving inactive accounts to a disabled-user container and automatically deleting them if they are not used within three days
  • Disabling both the initiating account and the newly created account whenever an account is created by a user who is not on the whitelist
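As an added illustration of the whitelist-driven remediation described above (example code written for this article, not a Quest product or script), the following PowerShell reads the domain controller's Security log for privileged-group membership additions and user creations, and reverts any made by an account outside the whitelist. It assumes the RSAT ActiveDirectory module is available and that the running account may read the Security log and modify AD; the whitelist and privileged-group names are constructed placeholders.

```powershell
# Added example, not Quest's code: revert changes made by accounts outside a
# whitelist, following the remediation bullets above. Assumes the RSAT
# ActiveDirectory module and rights to read the DC's Security log.
Import-Module ActiveDirectory

# Constructed placeholders: accounts allowed to change privileged groups or
# create users, and the groups treated as privileged.
$Whitelist        = @('svc-iam-proxy', 'break-glass-admin')
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# 4728/4756: member added to a security-enabled global/universal group.
# 4720: a user account was created.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4756, 4720
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    # Read fields by name from the event XML instead of positional indexes.
    $Data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $Data[$_.Name] = $_.'#text' }

    $Actor = $Data['SubjectUserName']   # account that made the change
    if ($Whitelist -contains $Actor) { continue }

    if ($Event.Id -eq 4720) {
        $NewUser = $Data['TargetUserName']   # the account that was created
        Write-Warning "'$Actor' created '$NewUser' at $($Event.TimeCreated); disabling both"
        # Disable the created account and the account that created it.
        Disable-ADAccount -Identity $NewUser
        Disable-ADAccount -Identity $Actor
    }
    else {
        $Group  = $Data['TargetUserName']   # the group that was modified
        $Member = $Data['MemberSid']        # SID of the account that was added
        if ($PrivilegedGroups -notcontains $Group) { continue }
        Write-Warning "'$Actor' added $Member to '$Group' at $($Event.TimeCreated); reverting"
        # Revert the unauthorized membership change.
        Remove-ADGroupMember -Identity $Group -Members $Member -Confirm:$false
    }
}
```

Run it on a schedule (or from a task triggered by the event IDs above) on each domain controller; the removal itself logs a 4729/4757 event, so it does not re-trigger the script.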


Once remediation processes have been automated, it’s important to prevent unauthorized access from recurring. The principle of “least privilege” is an access model that restricts the permissions typically granted for AD tasks and GPO administration to the minimum needed, mitigating the risk of recurrence. The model includes:

  • Externalizing AD permissions and controlling them in a proxy model to restrict not only who can do what in your on-premises AD, but also which objects given users can even see
  • Enforcing a real-time whitelisting permission model across AD objects and GPOs to ensure that only service accounts in a least-privileged access proxy model may make changes to sensitive objects
  • Using temporal group memberships coupled with approval workflows to mitigate risk arising from permanent memberships in sensitive and privileged groups
  • Employing password vaulting to protect the powerful service accounts that control the least-privileged-access proxy model

Once remediation and mitigation processes have been established, you’ll greatly reduce access mistakes and lapses, and you’ll avoid making the same mistake twice.

To learn more about maintaining security within your cloud or hybrid AD environment, download the complimentary Quest e-book Surviving Common Office 365 Security Pitfalls.
