Recovering from a cyberattack in a hybrid environment
Disconnected
Very Old Backups
Of course, it becomes more difficult if weeks – rather than days – have passed between discontinuing synchronization and reconstructing the hybrid identity, specifically because the two environments have developed independently of each other in the meantime. The challenges are similarly great if the backup instance that you need to fall back to in the local AD is from a relatively long time in the past – in the worst case, from before the original activation of synchronization.
If you are confronted with this kind of scenario, just try to keep calm and take as much time as you need for the initial comparison of the information in the two directories. You need to make sure that both the user data and the matching attributes, as well as the group memberships and the license assignments that often go with them, exactly match those in the cloud before you re-enable synchronization. You will benefit from the fact that Entra ID saves the many attributes described above in local objects.
Avoid taking shortcuts or making any assumptions at this point. Use PowerShell's various capabilities to align the two directories as precisely as possible: create the missing objects and references, and carry over to the other directory the changes to object metadata that have occurred since the attack.
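The comparison described above can be scripted so that nothing is changed until you have seen the full picture. The following PowerShell script is an added example, not code from the article or from Microsoft: it produces a read-only drift report that matches local AD users to their Entra ID counterparts by the hard-match anchor (the base64-encoded objectGUID that Entra ID Connect uses as the default sourceAnchor; if your deployment anchors on ms-DS-ConsistencyGuid, swap the property accordingly) and lists objects that exist on one side only, single-valued attribute drift, proxy address differences, synced group memberships that differ, and the licenses each cloud user currently holds. It assumes the ActiveDirectory module and the Microsoft Graph PowerShell SDK are installed; the `$SearchBase` value, the report path and the group-name mapping are assumptions to adjust for your environment.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Groups
# Added example, not from the article: read-only drift report comparing local AD users
# with their Entra ID counterparts before synchronization is re-enabled.
param(
    [string]$SearchBase = 'OU=Users,DC=corp,DC=example',   # assumption: OU holding your synced users
    [string]$ReportPath = '.\hybrid-identity-drift.csv'    # assumption: where the findings are written
)

Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All' -NoWelcome

# Single-valued attributes compared 1:1 (AD property name -> Graph property name).
$AttributeMap = [ordered]@{
    UserPrincipalName = 'UserPrincipalName'
    GivenName         = 'GivenName'
    Surname           = 'Surname'
    DisplayName       = 'DisplayName'
    mail              = 'Mail'
    Enabled           = 'AccountEnabled'
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Anchor, [string]$Upn, [string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ ImmutableId = $Anchor; UPN = $Upn; Kind = $Kind; Detail = $Detail })
}
# Case-insensitive set difference for multi-valued attributes; tolerates $null on either side.
function Get-OnlyIn([string[]]$Left, [string[]]$Right) {
    $set = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Right), [System.StringComparer]::OrdinalIgnoreCase)
    @($Left) | Where-Object { $_ -and -not $set.Contains($_) }
}

# 1. Local AD users, keyed by the ImmutableId derived from objectGUID (default sourceAnchor).
$adByAnchor = @{}
Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, proxyAddresses, memberOf |
    ForEach-Object { $adByAnchor[[Convert]::ToBase64String($_.ObjectGUID.ToByteArray())] = $_ }

# 2. Cloud users that carry an on-premises anchor.
$mgByAnchor = @{}
Get-MgUser -All -Property 'id,userPrincipalName,displayName,givenName,surname,mail,accountEnabled,proxyAddresses,onPremisesImmutableId' |
    Where-Object OnPremisesImmutableId |
    ForEach-Object { $mgByAnchor[$_.OnPremisesImmutableId] = $_ }

# 3. Objects that exist on one side only.
foreach ($id in $adByAnchor.Keys) {
    if (-not $mgByAnchor.ContainsKey($id)) {
        Add-Finding $id $adByAnchor[$id].UserPrincipalName 'MissingInEntraID' 'No cloud object carries this ImmutableId'
    }
}
foreach ($id in $mgByAnchor.Keys) {
    if (-not $adByAnchor.ContainsKey($id)) {
        Add-Finding $id $mgByAnchor[$id].UserPrincipalName 'MissingInAD' 'Cloud object has an anchor but no local counterpart'
    }
}

# 4. Matched pairs: attribute drift, proxy addresses, synced group membership, licenses.
foreach ($id in $adByAnchor.Keys) {
    if (-not $mgByAnchor.ContainsKey($id)) { continue }
    $ad = $adByAnchor[$id]; $mg = $mgByAnchor[$id]

    foreach ($pair in $AttributeMap.GetEnumerator()) {
        $adValue = [string]$ad.($pair.Key); $mgValue = [string]$mg.($pair.Value)
        if ($adValue -ne $mgValue) {
            Add-Finding $id $ad.UserPrincipalName "Attribute:$($pair.Key)" "AD='$adValue' EntraID='$mgValue'"
        }
    }

    foreach ($addr in Get-OnlyIn $ad.proxyAddresses $mg.ProxyAddresses) { Add-Finding $id $ad.UserPrincipalName 'ProxyAddressOnlyInAD' $addr }
    foreach ($addr in Get-OnlyIn $mg.ProxyAddresses $ad.proxyAddresses) { Add-Finding $id $ad.UserPrincipalName 'ProxyAddressOnlyInEntraID' $addr }

    # Group membership: AD group names versus display names of synced cloud groups.
    # Assumption: synced groups keep their AD name as displayName (the default mapping).
    $adGroups = @(foreach ($dn in @($ad.memberOf)) { if ($dn) { (Get-ADGroup -Identity $dn).Name } })
    $mgGroups = @(Get-MgUserMemberOf -UserId $mg.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' -and $_.AdditionalProperties['onPremisesSyncEnabled'] } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })
    foreach ($g in Get-OnlyIn $adGroups $mgGroups) { Add-Finding $id $ad.UserPrincipalName 'GroupOnlyInAD' $g }
    foreach ($g in Get-OnlyIn $mgGroups $adGroups) { Add-Finding $id $ad.UserPrincipalName 'SyncedGroupOnlyInEntraID' $g }

    # Licenses have no on-prem counterpart; record them so group-based assignments can be checked.
    $skus = (Get-MgUserLicenseDetail -UserId $mg.Id | Select-Object -ExpandProperty SkuPartNumber) -join ';'
    if ($skus) { Add-Finding $id $ad.UserPrincipalName 'LicensesInEntraID' $skus }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
```

Run it once with the sync service still stopped and work through the CSV category by category: "MissingInAD" rows usually point at accounts created in the cloud while synchronization was off and must be matched or recreated locally before sync is turned back on, whereas "Attribute:" and group rows tell you which directory holds the newer value. The script deliberately only reads; every corrective write is a separate, reviewed step.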
Conclusions
The risk of a cyberattack is part and parcel of most networked IT environments these days. The effect of an attack on a hybrid identity landscape depends, among other things, on how well you are prepared for the various scenarios. If Entra ID is an important part of your hybrid identity, it is imperative that you familiarize yourself with the Graph API and its PowerShell implementation. It is best to run through the scenarios described in this article in a test AD linked to a test tenant.
Infos
- Privileged access strategy: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-strategy#strategic-assumption---cloud-is-a-source-of-security
- Microsoft Graph PowerShell: https://learn.microsoft.com/en-us/powershell/microsoftgraph/?view=graph-powershell-1.0
- "User Hard Matching and Soft Matching in Azure AD Connect" by Sander Berkouwer, March 27, 2020: https://dirteam.com/sander/2020/03/27/explained-user-hard-matching-and-soft-matching-in-azure-ad-connect/
- "Attach a previously sync'ed Azure AD Tenant to a new AD Forest" by Sander Berkouwer, September 17, 2020: https://dirteam.com/sander/2020/09/17/howto-attach-a-previously-synced-azure-ad-tenant-to-a-new-ad-forest/