Recovering from a cyberattack in a hybrid environment

Disconnected

Very Old Backups

Of course, it becomes more difficult if weeks – rather than days – have passed between discontinuing synchronization and reconstructing the hybrid identity, specifically because the two environments have developed independently of each other in this time. The challenges are similarly great if the backup instance that you need to fall back to in the local AD is from a relatively long time in the past – in the worst case, before the original activation of synchronization.

If you are confronted with this kind of scenario, just try to keep calm and take as much time as you need for the initial comparison of the information in the two directories. You need to make sure that both the user data and the matching attributes, as well as the group memberships and the license assignments that often go with them, exactly match those in the cloud before you re-enable synchronization. You will benefit from the fact that Entra ID saves the many attributes described above in local objects.

Do avoid taking shortcuts or making any assumptions at this point. Use PowerShell's various capabilities to synchronize as precisely as possible, create the missing objects and references, and update the changes to object metadata that have occurred since the attack on the other directory.

Conclusions

The risk of a cyberattack is part and parcel of most networked IT environments these days. The effect of an attack on a hybrid identity landscape depends, among other things, on how well you are prepared for the various scenarios. If Entra ID is an important part of your hybrid identity, it is imperative that you familiarize yourself with the Graph API and its PowerShell implementation. It is best to run through the scenarios described in this article in a test AD linked to a test tenant.

Infos

Privileged access strategy: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-strategy#strategic-assumption---cloud-is-a-source-of-security
Microsoft Graph PowerShell: https://learn.microsoft.com/en-us/powershell/microsoftgraph/?view=graph-powershell-1.0
"User Hard Matching and Soft Matching in Azure AD Connect" by Sander Berkouwer, March 27, 2020: https://dirteam.com/sander/2020/03/27/explained-user-hard-matching-and-soft-matching-in-azure-ad-connect/
"Attach a previously sync'ed Azure AD Tenant to a new AD Forest" by Sander Berkouwer, September 17, 2020: https://dirteam.com/sander/2020/09/17/howto-attach-a-previously-synced-azure-ad-tenant-to-a-new-ad-forest/

The Author

Evgenij Smirnov has been working with computers since the age of 5 and delivering IT solutions for almost 30 years. His Active Directory and Exchange background naturally led to PowerShell, of which he's been an avid user and proponent since its first release. Evgenij is an active community lead at home in Berlin, a leading contributor to German online communities, and an experienced user group and conference speaker. He is a Microsoft Cloud and Datacenter Management MVP since 2020.

« Previous 1 2 3