Lessons from "How Hackers Persist & Privesc in Microsoft 365"
Introduction
The YouTube video "How Hackers Persist & Privesc in Microsoft 365" highlights the various techniques attackers use to establish persistence and escalate privileges in Microsoft 365 environments.
These tactics make it clear that securing Entra ID (formerly Azure AD) is not just about detection and response. It’s also about resilience and recovery. This is why backing up Entra ID is a critical part of any cybersecurity strategy.
#nashtag (from Jon Nash): "...Around the 17-minute mark, he demonstrates dynamic groups containing 'admin' in the name. This led to the elevation, as the external user was invited with 'admin' in their UPN."
Attackers Target Identity Persistence
One of the primary takeaways from the video is that once attackers gain access to a Microsoft 365 environment, they aim to establish long-term persistence by manipulating Entra ID configurations. This includes:
Adding rogue admin accounts
Modifying conditional access policies
Injecting malicious service principals and OAuth permissions
Without a reliable Entra ID backup, detecting and reversing these changes becomes extremely difficult, leaving organizations vulnerable to long-term exploitation.
Privilege Escalation Can Lead to Total Compromise
The video discusses how attackers escalate privileges by exploiting misconfigurations, weak identity policies, and abused token permissions. If an attacker gains Global Admin access, they can alter security controls, disable logging, or lock out legitimate users. Having a backup of Entra ID allows for rapid rollback to a secure state, mitigating the damage.
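The dynamic-group elevation called out in the comment above (a guest invited with "admin" in their UPN landing in a privileged dynamic group) is a misconfiguration a defender can audit from a Graph export of groups. The following Python is an added example, not code from the video, the commenter or Microsoft: it flags membership rules keyed on attributes an invited user can influence; the sample group records, the attribute list and the subset of rule syntax it parses are assumptions.

```python
import re

# Attributes an invited external user can influence: a guest's UPN is derived
# from their own e-mail address and the display name comes from the invitation.
EXTERNALLY_INFLUENCED = {
    "user.userprincipalname", "user.displayname", "user.mail",
    "user.givenname", "user.surname", "user.othermails", "user.proxyaddresses",
}
# Substring / pattern operators, which match far more than an exact -eq does.
FUZZY_OPS = {"-contains", "-match", "-startswith"}

# One clause of a membership rule: user.<attribute> <operator> "<value>"
CLAUSE = re.compile(r'(user\.\w+)\s+(-\w+)\s+"([^"]*)"')

def audit_group(group: dict) -> list[str]:
    """Return findings for one dynamic group exported from Graph
    (assumed fields: displayName, membershipRule)."""
    clauses = [(a.lower(), op.lower(), v) for a, op, v in CLAUSE.findall(group["membershipRule"])]
    findings = []
    for attr, op, value in clauses:
        if attr in EXTERNALLY_INFLUENCED and op in FUZZY_OPS:
            findings.append(f'{attr} {op} "{value}" can be satisfied by an invited guest')
    # Matching on such attributes is only tolerable if the rule also excludes guests.
    limits_to_members = any(
        attr == "user.usertype" and op == "-eq" and value.lower() == "member"
        for attr, op, value in clauses)
    if findings and not limits_to_members:
        findings.append('no user.userType -eq "Member" clause, so guest accounts are eligible')
    return [f'{group["displayName"]}: {f}' for f in findings]

# Constructed sample export (hypothetical tenant, not from the page).
SAMPLE_GROUPS = [
    {"displayName": "Helpdesk Admins",
     "membershipRule": '(user.userPrincipalName -contains "admin")'},
    {"displayName": "Finance Staff",
     "membershipRule": '(user.userType -eq "Member") -and (user.department -eq "Finance")'},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        for line in audit_group(g) or [f'{g["displayName"]}: no findings']:
            print(line)
```

Run it against the full output of a dynamic-group export rather than the two samples; any flagged group that also carries role assignments or app access is the first thing to review.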
Entra ID Is Not Backed Up Natively
Microsoft 365 does not offer a built-in backup solution for Entra ID settings, roles, and policies. If an attacker modifies or deletes key identity configurations, administrators have limited recovery options. Implementing a third-party backup solution for Entra ID ensures that:
Critical configurations, such as security groups, roles, and policies, can be restored.
Organizations can quickly revert unauthorized changes.
Business continuity is maintained even after an identity-related breach.
Incident Response Requires a Known Good State
When responding to an identity-based attack, security teams must determine what has changed in Entra ID. Having historical backups provides a reference point, making it easier to:
Compare pre-attack and post-attack configurations.
Restore compromised settings without relying solely on logs (which attackers can manipulate).
Reduce downtime and administrative overhead.
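Comparing a backed-up snapshot with the live tenant is the concrete form of "determine what has changed". The Python below is an added example, not part of the original article or of any backup product: it diffs two constructed Conditional Access policy snapshots in the JSON shape the Graph API returns (policy ids, names and contents are made up) and reports disabled policies, new exclusions, deleted policies and unfamiliar additions.

```python
import copy

# Constructed sample snapshots (not real tenant data): a backup of Conditional
# Access policies taken before an incident, and the live state read afterwards,
# keyed by policy id in the JSON shape the Graph API returns.
BEFORE = {
    "pol-001": {"displayName": "Require MFA for admins", "state": "enabled",
                "conditions": {"users": {"includeRoles": ["Global Administrator"],
                                         "excludeUsers": []}},
                "grantControls": {"builtInControls": ["mfa"]}},
    "pol-002": {"displayName": "Block legacy authentication", "state": "enabled",
                "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
                "grantControls": {"builtInControls": ["block"]}},
}
# Post-incident state: MFA policy disabled with a new exclusion, the legacy-auth
# block deleted, and an unfamiliar permissive policy added.
AFTER = copy.deepcopy(BEFORE)
AFTER["pol-001"]["state"] = "disabled"
AFTER["pol-001"]["conditions"]["users"]["excludeUsers"].append("svc-sync@example.test")
del AFTER["pol-002"]
AFTER["pol-003"] = {"displayName": "Temp allow", "state": "enabled",
                    "conditions": {"users": {"includeUsers": ["All"]}},
                    "grantControls": {"builtInControls": []}}

def diff_config(before, after, path=""):
    """Recursively compare two JSON-like trees and return one line per change.
    Leaf lists are compared as sets, so reordering alone is not reported."""
    if isinstance(before, dict) and isinstance(after, dict):
        lines = []
        for key in sorted(set(before) | set(after)):
            sub = f"{path}/{key}"
            if key not in after:
                lines.append(f"REMOVED {sub}")
            elif key not in before:
                lines.append(f"ADDED   {sub}")
            else:
                lines.extend(diff_config(before[key], after[key], sub))
        return lines
    if isinstance(before, list) and isinstance(after, list):
        before, after = sorted(map(str, before)), sorted(map(str, after))
    return [] if before == after else [f"CHANGED {path}: {before!r} -> {after!r}"]

if __name__ == "__main__":
    print("\n".join(diff_config(BEFORE, AFTER)))
```

The same routine works on any other exported Entra ID object set (role assignments, service principals, group membership) as long as both sides are keyed by object id.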
Ransomware & Identity Destruction Attacks
Attackers are increasingly targeting Entra ID as part of ransomware attacks. By deleting or corrupting identity structures, they can:
Disrupt access to critical business applications.
Lock out administrators from recovery options.
Force organizations into paying ransoms to regain control.
"Welcome to this community driven project to list all of Microsoft’s portals in one place": https://msportals.io/
Backing up Entra ID provides an essential safety net, ensuring that even in a worst-case scenario, organizations can regain access to their identities without relying on Microsoft’s limited recovery options.
What is GraphRunner?
GraphRunner is a post-exploitation toolset by Black Hills Information Security for interacting with the Microsoft Graph API during red team engagements. It enables email and file extraction, Teams data retrieval, mailbox discovery, group manipulation, policy enumeration, and OAuth abuse in Microsoft 365 environments.
Key components:
GraphRunner.ps1 – PowerShell script for reconnaissance and persistence.
GraphRunnerGUI.html – Web interface for interacting with compromised accounts.
PHPRedirector – OAuth authorization capture for token hijacking.
It’s cross-platform, self-contained, and ideal for post-compromise persistence and data extraction.
More details from Black Hills: GraphRunner Blog
Final Thoughts
The persistence and privilege escalation tactics highlighted in the video reinforce the need for a proactive identity protection strategy. Security is not just about preventing breaches. It’s also about being able to recover quickly when a breach occurs.
Backing up Entra ID is a fundamental step in ensuring cyber resilience, allowing organizations to mitigate the impact of identity attacks and restore trust in their Microsoft 365 environments.
The Top 10 Identity Threats and the Critical Role of Entra ID Backups
Veeam: Why Backing Up Conditional Access Policies in Microsoft Entra ID Matters
NOTE: CVE-2025-29810 targets Windows Active Directory (on-prem). If exploited, an attacker could escalate privileges and potentially compromise the entire AD forest. Entra ID (formerly Azure AD) is cloud-based, but many organizations use hybrid identity setups with Azure AD Connect to synchronize identities between on-prem AD and Entra ID. If an attacker compromises your on-prem AD and you're syncing users via Azure AD Connect with password hash sync or pass-through authentication, they can potentially take control of synced accounts in Entra ID, manipulate sync settings or user attributes, and move laterally into cloud services such as Microsoft 365 or Azure. BOTTOM LINE: Make sure you're backing up your Entra ID environment with Veeam to ensure recoverability when identity becomes your new attack surface.