Accelerate response and remediation with the Zero Trust Assessment

The ability to rapidly detect, respond to, and remediate security threats is critical in today's evolving threat landscape. As one of the pillars of the Secure Future Initiative, accelerating response and remediation encourages organizations to minimize the time between threat detection and containment.

This pillar emphasizes automated, risk-based responses that reduce manual intervention and help prevent security incidents from escalating. The following Microsoft Entra Zero Trust assessment checks ensure your organization has the necessary controls in place to quickly identify and mitigate high-risk scenarios, protecting both user identities and workload identities through proactive security policies.

Zero Trust security recommendations

Workload identities based on risk policies are configured

Set up risk-based Conditional Access policies for workload identities in Microsoft Entra ID to make sure only trusted and verified workloads use sensitive resources. Without these policies, threat actors can compromise workload identities with minimal detection and perform further attacks. Without conditional controls that detect anomalous activity and other risk signals, there's no check against malicious operations like token forgery, access to sensitive resources, and disruption of workloads. The lack of automated containment mechanisms increases dwell time and affects the confidentiality, integrity, and availability of critical services.

Restrict access to high-risk users

Assume high-risk users are compromised by threat actors. Without investigation and remediation, threat actors can execute scripts, deploy malicious applications, or manipulate API calls to establish persistence, limited only by the potentially compromised user's permissions. Threat actors can then exploit misconfigurations or abuse OAuth tokens to move laterally across workloads like documents, SaaS applications, or Azure resources. Threat actors can gain access to sensitive files, customer records, or proprietary code and exfiltrate it to external repositories while maintaining stealth through legitimate cloud services. Finally, threat actors might disrupt operations by modifying configurations, encrypting data for ransom, or using the stolen information for further attacks, resulting in financial, reputational, and regulatory consequences.

Organizations using passwords can rely on password reset to automatically remediate risky users.

Organizations using passwordless credentials already mitigate most of the risk events that contribute to user risk levels, so the volume of risky users should be considerably lower. Risky users in an organization that uses passwordless credentials must be blocked from access until the user risk is investigated and remediated.
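The following Microsoft Graph PowerShell script is an added example, not part of this assessment page or of Microsoft's own tooling. It creates the two policies the checks above call for: a workload identity risk policy that blocks risky service principals, and a user risk policy that forces self-remediation (multifactor authentication plus a secure password change) for high-risk users in a password-based tenant; a passwordless tenant replaces that grant with `block`, as the preceding paragraph requires. It assumes the `Microsoft.Graph.Identity.SignIns` module is installed, that the signed-in administrator can consent to the `Policy.ReadWrite.ConditionalAccess` and `Application.Read.All` scopes, that the tenant holds the licensing these risk conditions require, and that `$BreakGlassGroupId` is a placeholder for your emergency-access group. Both policies are created in report-only state so you can review the sign-in log impact before enforcing them.

```powershell
# Added example: create the risk-based Conditional Access policies recommended above.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the admin can consent to
# the scopes below, and $BreakGlassGroupId is a placeholder for the emergency-access group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace

# Policy 1: block workload identities (service principals in this tenant) at any risk level.
$workloadPolicy = @{
    displayName = 'ZT - Block risky workload identities'
    state       = 'enabledForReportingButNotEnforced'   # report-only first, then 'enabled'
    conditions  = @{
        clientAppTypes     = @('all')
        applications       = @{ includeApplications = @('All') }
        clientApplications = @{
            includeServicePrincipals = @('ServicePrincipalsInMyTenant')
        }
        servicePrincipalRiskLevels = @('low', 'medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Policy 2: high user risk. Password-based tenant: require MFA and a secure password change
# (Graph requires 'passwordChange' to be combined with 'mfa' under operator 'AND').
# Passwordless tenant: set builtInControls = @('block') and operator = 'OR' instead, then
# investigate and remediate the user before access is restored.
$userRiskPolicy = @{
    displayName = 'ZT - Remediate high-risk users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)   # never lock out emergency access
        }
        userRiskLevels = @('high')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}

foreach ($p in @($workloadPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}

# Check: confirm the risk conditions were stored as intended before switching to 'enabled'.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -like 'ZT - *' } |
    Select-Object DisplayName, State,
        @{ n = 'UserRisk'; e = { $_.Conditions.UserRiskLevels -join ',' } },
        @{ n = 'SPRisk';   e = { $_.Conditions.ServicePrincipalRiskLevels -join ',' } }
```

Leave both policies in report-only mode long enough to review the Conditional Access insights in the sign-in logs, then update `state` to `enabled`. Keeping the emergency-access group excluded from the user risk policy is what prevents an automated remediation from locking administrators out while a risk detection is investigated.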