Microsoft Entra ID has introduced a robust security mechanism called protected actions, aimed at preventing attackers from permanently deleting user accounts.
By leveraging Conditional Access (CA) policies, organizations can enforce stringent authentication requirements for high-risk operations, such as the hard deletion of soft-deleted accounts.
This feature ensures that only authorized users who meet specific security criteria can execute sensitive actions, adding an essential layer of protection against malicious activity.
Soft-deleted accounts in Entra ID are retained in a recoverable state for 30 days, allowing administrators to restore them if needed.
However, if an account is hard-deleted, it becomes irrecoverable, posing significant risks.
Attackers who obtain a permission such as User.DeleteRestore.All can use it to hard-delete those soft-deleted accounts, causing irreparable damage.
Protected actions mitigate this risk by requiring strong authentication methods, such as phishing-resistant MFA or passwordless authentication, before such actions can be performed.
Implementing Protected Actions to Safeguard Critical Permissions
According to the researchers, to enable protected actions, administrators must configure a Conditional Access policy linked to an authentication context.
This policy enforces specific conditions, such as requiring a compliant device or an advanced MFA method, before granting access to permissions like microsoft.directory/deletedItems/delete, which allows the permanent removal of directory objects.
The process involves associating the authentication context with selected permissions through the Entra admin center.
For instance, when an attacker attempts to hard-delete a user account without meeting the CA policy’s requirements, the action is blocked.
This applies not only to manual deletions but also to API-based operations using tools like Microsoft Graph PowerShell.
Testing has demonstrated that even privileged accounts (e.g., Global Administrators) are unable to bypass these restrictions if they fail to satisfy the enforced conditions.
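The configuration described above, carried through end to end in Microsoft Graph PowerShell, as an added example that is not code from the article or from Microsoft's own documentation. It assumes that the authentication context id c1, the policy display name and the emergency-account UPN are placeholders you replace; that the resourceActions endpoint is called on the beta Graph API, as the public protected-actions guidance does; and that the tenant's built-in "Phishing-resistant MFA" authentication strength is looked up by its display name rather than by a hard-coded id. The policy is created in report-only mode first, and the emergency account from the best-practice list is excluded from it.

```powershell
# Added example (not from the article). Binds the protected action
# microsoft.directory/deletedItems/delete to an authentication context that a
# Conditional Access policy enforces with phishing-resistant MFA.
# Placeholders (assumptions): $ContextId, $PolicyName, $EmergencyUpn.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$Graph           = 'https://graph.microsoft.com'
$ContextId       = 'c1'                               # assumption: an unused id in c1..c99
$PolicyName      = 'Protected actions - hard delete'  # placeholder
$EmergencyUpn    = 'breakglass@contoso.example'       # placeholder break-glass account
$ProtectedAction = 'microsoft.directory/deletedItems/delete'

# 1. Create the authentication context shared by the policy and the permission.
Invoke-MgGraphRequest -Method POST `
    -Uri "$Graph/v1.0/identity/conditionalAccess/authenticationContextClassReferences" `
    -ContentType 'application/json' `
    -Body @{ id = $ContextId; displayName = 'Protected actions'
             description = 'Required for hard deletion of directory objects'; isAvailable = $true }

# 2. Resolve the emergency account so it can be excluded from the policy.
$breakGlass = Invoke-MgGraphRequest -Method GET -Uri "$Graph/v1.0/users/$EmergencyUpn"

# 3. Find the built-in phishing-resistant MFA authentication strength by name.
$strengths = Invoke-MgGraphRequest -Method GET -Uri "$Graph/v1.0/policies/authenticationStrengthPolicies"
$phishResistant = $strengths.value | Where-Object { $_.displayName -eq 'Phishing-resistant MFA' }
if (-not $phishResistant) { throw 'Built-in Phishing-resistant MFA strength not found' }

# 4. Conditional Access policy targeting the authentication context.
#    Report-only first; switch state to 'enabled' once testing (see below) passes.
$policy = @{
    displayName = $PolicyName
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.id) }
        applications   = @{ includeAuthenticationContextClassReferences = @($ContextId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishResistant.id }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/v1.0/identity/conditionalAccess/policies" `
    -ContentType 'application/json' -Body $policy

# 5. Locate the resource action (beta endpoint, as in the protected-actions guidance)
#    and bind it to the authentication context.
$filter  = [uri]::EscapeDataString('isAuthenticationContextSettable eq true')
$actions = Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?`$filter=$filter"
$action = $actions.value | Where-Object { $_.name -eq $ProtectedAction }
if (-not $action) { throw "$ProtectedAction is not settable as a protected action" }

Invoke-MgGraphRequest -Method PATCH `
    -Uri "$Graph/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions/$($action.id)" `
    -ContentType 'application/json' -Body @{ authenticationContextId = $ContextId }

# 6. Verify the binding is in place.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions/$($action.id)"
"{0} -> authenticationContextId = {1}" -f $check.name, $check.authenticationContextId

# 7. Policy test (test tenant, test user only): after setting state = 'enabled',
#    Remove-MgDirectoryDeletedItem -DirectoryObjectId <soft-deleted test user id>
#    from a session that has not satisfied the policy must be rejected, even for
#    a Global Administrator.
```

Running the policy in report-only mode first lets the sign-in logs show which admins would have been challenged before anyone is blocked; the excluded break-glass account is the fallback if the phishing-resistant method becomes unavailable.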
Strengthening Organizational Security
Protected actions provide a critical safeguard against unauthorized deletions and other high-impact operations in Entra ID.
By requiring stringent authentication measures, organizations can significantly reduce the risk of malicious activity while maintaining operational flexibility.
However, it is essential to follow best practices when implementing this feature:
- Emergency Account: Always maintain an emergency account excluded from CA policies to prevent accidental lockouts.
- Policy Testing: Regularly test protected actions to ensure they function as intended and do not disrupt legitimate workflows.
- Layered Security: Combine protected actions with other security measures, such as Privileged Identity Management (PIM), for comprehensive protection.
While protected actions cannot prevent attackers with full tenant control from causing harm, they serve as a robust deterrent and add friction to potential exploits.
As organizations increasingly face sophisticated threats, adopting features like protected actions is a proactive step toward safeguarding critical resources and ensuring data integrity within Microsoft Entra ID environments.