September 2024 Dutch MS Entra Community Meetup

17.00 - 18.00 Inloop & Eten

18.00 - 18.15 Welkom met 'What's new in MS Entra' - In deze 15 minuten nemen Jan, Stefan, Michel en Pim je mee in alle nieuwe functionaliteiten van de afgelopen 3 maanden op het gebied van Microsoft Entra.

18.15 - 19.15 Jorge de Almeida Pinto - So You Travelled Back In Time. Reconnecting Mismatching Core Identity Stores!
With cybercrime on the rise, ransomware attacks that target Active Directory (AD) - the primary identity store for most businesses worldwide - are as common as a cup of coffee. If, like many organizations today, you have a hybrid identity environment that combines AD with Entra ID (formerly known as Azure AD), are you prepared for the worst-case scenario? If your AD was burned to the ground, you hopefully have (at a minimum) backups to perform a forest recovery. But what then? After assessing the security of your AD and mitigating any (critical) risks (you plan to do this right?), do you simply reconnect and allow synchronization to occur between AD and Entra ID, or do you perform a GAP analysis first? Knowing which precautionary measures to take to minimize damage (i.e., impact of user experience and data loss) within Entra ID is of utmost importance!

In this session, we will shortly discuss what the problem is, explain how to perform a GAP analysis and also how to close any disclosed GAPs before reconnecting AD and Entra ID and enabling synchronization.
The remainder of the session will focus on showing the process how this could be done. The attendees will be guided through the complete process.

In summary, THROUGH A DEMO, attendees will see and learn:
- The next steps to take after a forest recovery
- Which backup to choose and why
- The steps to perform a gap analysis
- The steps to remediate impact
- How to use Entra Connect Sync or Entra Cloud Sync in a scenario like this.

19.15 - 19.30 Break

19.30 - 20.30 Eric Woodruff - UnOAuthorized: A discovered path to privilege elevation to Global Administrator.
For customers of Microsoft 365 and Azure, obtaining the role of Global Administrator (GA) is every attacker's dream – it is the Domain Administrator of the cloud. This makes Global Administrator every organization's nightmare of being owned by a threat group or hacker. Luckily, well-defined role-based access control and a strict application consent model can severely limit who gets their fingers on Global Administrator – or does it?

This talk explores a novel discovery that resulted in privilege elevation to Global Administrator in Entra ID, found in a place and through a way least expected. Part conversation about the research background, part discussion of the foundational components involved, this talk will walk step-by-step through the path to privilege elevation and obtaining Global Administrator. While Microsoft has resolved the underlying vulnerability, we will cover the markers organizations can look for to determine if they were targeted by this abuse.

After exploring the discovery we will look at ways in which organizations must protect highly privileged service principals integrated into their Entra ID, to ensure they don't unknowingly create similar paths of privilege elevation.

20.30 - 21.15 Afsluiting met een drankje