Lessons from "How Hackers Persist & Privesc in Microsoft 365"
Introduction
The YouTube video "How Hackers Persist & Privesc in Microsoft 365" highlights the various techniques attackers use to establish persistence and escalate privileges in Microsoft 365 environments.
These tactics make it clear that securing Entra ID (formerly Azure AD) is not just about detection and response. It’s also about resilience and recovery. This is why backing up Entra ID is a critical part of any cybersecurity strategy.
#nashtag (from Jon Nash): "...Around the 17-minute mark, he demonstrates dynamic groups containing 'admin' in the name. This led to the elevation, as the external user was invited with 'admin' in their UPN."
Attackers Target Identity Persistence
One of the primary takeaways from the video is that once attackers gain access to a Microsoft 365 environment, they aim to establish long-term persistence by manipulating Entra ID configurations. This includes:
Adding rogue admin accounts
Modifying conditional access policies
Injecting malicious service principals and OAuth permissions
Without a reliable Entra ID backup, detecting and reversing these changes becomes extremely difficult, leaving organizations vulnerable to long-term exploitation.
Privilege Escalation Can Lead to Total Compromise
The video discusses how attackers escalate privileges by exploiting misconfigurations, weak identity policies, and abusing token permissions. If an attacker gains Global Admin access, they can alter security controls, disable logging, or lock out legitimate users. Having a backup of Entra ID allows for rapid rollback to a secure state, mitigating the damage.
Entra ID Is Not Backed Up Natively
Microsoft 365 does not offer a built-in backup solution for Entra ID settings, roles, and policies. If an attacker modifies or deletes key identity configurations, administrators have limited recovery options. Implementing a third-party backup solution for Entra ID ensures that:
Critical configurations, such as security groups, roles, and policies, can be restored.
Organizations can quickly revert unauthorized changes.
Business continuity is maintained even after an identity-related breach.
Incident Response Requires a Known Good State
When responding to an identity-based attack, security teams must determine what has changed in Entra ID. Having historical backups provides a reference point, making it easier to:
Compare pre-attack and post-attack configurations.
Restore compromised settings without relying solely on logs (which attackers can manipulate).
Reduce downtime and administrative overhead.
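The following is an added example, not code from the original post or from any product: it takes two simplified Entra ID configuration snapshots (a "known good" baseline and a current export) and reports exactly the kinds of drift described above, namely new role members, conditional access policy changes, added service principal permissions, and the dynamic group rule pattern from the 17-minute mark. The snapshot shape and all sample values are constructed assumptions, not a real Graph API response.

```python
import re

# Constructed "known good" snapshot: a simplified subset of what a Graph export
# (role members, conditional access policies, service principal app roles,
# dynamic group membership rules) would contain. The shape is an assumption.
BASELINE = {
    "role_members": {"Global Administrator": {"alice@contoso.example"}},
    "ca_policies": {"Require MFA for admins": {"state": "enabled"}},
    "sp_app_roles": {"HR Sync": {"User.Read.All"}},
    "dynamic_groups": {"Helpdesk": '(user.department -eq "IT")'},
}
# Constructed post-incident snapshot containing the drift the article describes.
CURRENT = {
    "role_members": {"Global Administrator": {"alice@contoso.example",
                                              "svc-backup@contoso.example"}},
    "ca_policies": {"Require MFA for admins": {"state": "disabled"}},
    "sp_app_roles": {"HR Sync": {"User.Read.All", "Mail.ReadWrite"}},
    "dynamic_groups": {"Helpdesk": '(user.department -eq "IT")',
                       "Admins": '(user.userPrincipalName -contains "admin")'},
}
# Attributes a guest largely controls at invitation time (UPN and mail derive
# from the invited address; displayName is self-asserted).
GUEST_CONTROLLED = ("userPrincipalName", "mail", "displayName")

def risky_dynamic_rule(rule: str) -> bool:
    """True if membership keys off a substring match on a guest-controlled attribute."""
    pattern = r"user\.(%s)\s+-(contains|match|startsWith)" % "|".join(GUEST_CONTROLLED)
    return re.search(pattern, rule, re.IGNORECASE) is not None

def diff_snapshots(baseline: dict, current: dict) -> list[str]:
    """Report changes matching the persistence patterns described in the article."""
    findings = []
    for role, members in current["role_members"].items():
        for m in sorted(members - baseline["role_members"].get(role, set())):
            findings.append(f"ROLE_ADDED: {m} -> {role}")
    for name, pol in current["ca_policies"].items():
        old_state = baseline["ca_policies"].get(name, {}).get("state", "absent")
        if old_state != pol["state"]:
            findings.append(f"CA_POLICY_STATE: {name} {old_state}->{pol['state']}")
    for sp, perms in current["sp_app_roles"].items():
        for p in sorted(perms - baseline["sp_app_roles"].get(sp, set())):
            findings.append(f"SP_PERMISSION_ADDED: {sp} +{p}")
    for grp, rule in current["dynamic_groups"].items():
        if rule != baseline["dynamic_groups"].get(grp) and risky_dynamic_rule(rule):
            findings.append(f"DYNAMIC_RULE_RISKY: {grp}: {rule}")
    return findings

if __name__ == "__main__":
    print("\n".join(diff_snapshots(BASELINE, CURRENT)))
```

In practice the two dictionaries would be filled from a scheduled export of the tenant (the backup) and a fresh export taken during the investigation, so the comparison does not depend on audit logs the attacker may have tampered with.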
Ransomware & Identity Destruction Attacks
Attackers are increasingly targeting Entra ID as part of ransomware attacks. By deleting or corrupting identity structures, they can:
Disrupt access to critical business applications.
Lock out administrators from recovery options.
Force organizations into paying ransoms to regain control.
"Welcome to this community driven project to list all of Microsoft’s portals in one place": https://msportals.io/
Backing up Entra ID provides an essential safety net, ensuring that even in a worst-case scenario, organizations can regain access to their identities without relying on Microsoft’s limited recovery options.
What is GraphRunner?
GraphRunner is a post-exploitation toolset by Black Hills Information Security for interacting with the Microsoft Graph API during red team engagements. It enables email and file extraction, Teams data retrieval, mailbox discovery, group manipulation, policy enumeration, and OAuth abuse in Microsoft 365 environments.
Key components:
GraphRunner.ps1 – PowerShell script for reconnaissance and persistence.
GraphRunnerGUI.html – Web interface for interacting with compromised accounts.
PHPRedirector – OAuth authorization capture for token hijacking.
It’s cross-platform, self-contained, and ideal for post-compromise persistence and data extraction.
More details from Black Hills: GraphRunner Blog
Final Thoughts
The persistence and privilege escalation tactics highlighted in the video reinforce the need for a proactive identity protection strategy. Security is not just about preventing breaches. It’s also about being able to recover quickly when a breach occurs.
Backing up Entra ID is a fundamental step in ensuring cyber resilience, allowing organizations to mitigate the impact of identity attacks and restore trust in their Microsoft 365 environments.
NOTE: As of January 27, 2025, Microsoft has implemented a policy affecting unlicensed OneDrive user accounts. Any OneDrive accounts that remain unlicensed for more than 93 days will become inaccessible to both administrators and end users. These accounts will be automatically archived, remaining visible through administrative tools but inaccessible until appropriate actions are taken. This change aims to enhance security, compliance, and storage management within organizations. Notably, education tenants are exempt from this policy.