All news with #azure entra id tag

Blueprint for Building Safe and Secure AI Agents at Scale

🔒 Azure outlines a layered blueprint for building trustworthy, enterprise-grade AI agents. The post emphasizes identity, data protection, built-in controls, continuous evaluation, and monitoring to address risks like data leakage, prompt injection, and agent sprawl. Azure AI Foundry introduces Entra Agent ID, cross-prompt injection classifiers, risk and safety evaluations, and integrations with Microsoft Purview and Defender. Join Microsoft Secure on September 30 to learn about Foundry's newest capabilities.

Scattered Spider Resurfaces, Targets Financial Sector Again

🔍 Cyber threat group Scattered Spider has been linked to a new campaign targeting financial services, according to ReliaQuest. The attackers gained access by socially engineering an executive and abusing Azure AD self-service password reset, then moved laterally via Citrix and VPN to compromise VMware ESXi. They escalated privileges by resetting a Veeam service account, assigning Azure Global Administrator rights, and attempted data extraction from Snowflake and AWS. The activity contradicts the group's retirement claims and suggests regrouping or rebranding.

Azure Kubernetes Service Automatic: Simplified AKS for All

🚀 AKS Automatic is now generally available, delivering a fully managed, opinionated Kubernetes experience with production-ready defaults and automated day-two operations. It removes infrastructure toil—automatic node provisioning, scaling, patching, and repairs—while enabling intelligent autoscaling with HPA, VPA, KEDA and Karpenter. Developers retain the full Kubernetes API and toolchain and gain GPU and AI workload optimizations.

Microsoft Enforces MFA for Azure Portal Sign-ins Globally

🔐 Microsoft has completed a global rollout enforcing multifactor authentication (MFA) for Azure Portal sign-ins across 100% of tenants as of March 2025. The rollout follows an initial enforcement announcement in May 2024 and prior warnings to Entra global admins to enable MFA to avoid access disruptions. Microsoft says this step strengthens account defenses and will be followed by mandatory MFA for Azure CLI, PowerShell, SDKs, and APIs in October 2025. The company cites internal research showing MFA dramatically reduces account takeover risk.

Azure Phase 2: Mandatory MFA for Resource Management

🔒 Microsoft is starting Phase 2 of mandatory multi-factor authentication for Azure resource management operations on October 1, 2025. Enforcement at the Azure Resource Manager layer will be applied gradually via Azure Policy, requiring users to complete MFA before performing management actions. Workload identities (managed identities and service principals) are not affected. Administrators should enable MFA, test policy in audit mode, and ensure Azure CLI 2.76 and Azure PowerShell 14.3 or later are in use for best compatibility.

Azure AD Client Credentials Exposed in Public appsettings

🔒 Resecurity’s HUNTER Team discovered that ClientId and ClientSecret values were inadvertently left in a publicly accessible appsettings.json file, exposing Azure AD credentials. These secrets permit direct authentication against Microsoft’s OAuth 2.0 endpoints and could allow attackers to impersonate trusted applications and access Microsoft 365 data. The exposed credentials could be harvested by automated bots or targeted adversaries. Organizations are advised to remove hardcoded secrets, rotate compromised credentials immediately, restrict public access to configuration files and adopt centralized secrets management such as Azure Key Vault.

Microsoft to Enforce MFA for Azure Resource Management

🔐 Starting October 1, 2025, Microsoft will enforce multi-factor authentication (MFA) for all Azure resource management actions to protect tenants from unauthorized access. The change, part of its Secure Future Initiative, will be rolled out gradually across public cloud tenants and covers Azure CLI, PowerShell, SDKs, REST APIs, IaC tools, the Azure mobile app, and automation that uses user identities. To prevent disruptions Microsoft recommends updating Azure CLI to 2.76+ and Azure PowerShell to 14.3+; global administrators may postpone enforcement until July 2026.

Storm-0501 Deletes Azure Data and Backups After Exfiltration

🔒 Microsoft Threat Intelligence details a campaign by Storm-0501 that exfiltrated data from a large enterprise’s Azure environment, then deleted backups and encrypted remaining resources to block recovery. The actor abused Entra Connect synchronization, elevated to Global Administrator, and used Azure Owner privileges to steal storage keys and transfer blobs via AzCopy. Microsoft recommends enabling blob backups, least privilege, logging, and Azure Backup to mitigate these cloud-native ransomware tactics.

Storm-0501 Exploits Entra ID to Exfiltrate Azure Data

🔐 Microsoft Threat Intelligence reports that the financially motivated actor Storm-0501 has refined cloud-native techniques to rapidly exfiltrate and delete data in hybrid Azure environments. The group leveraged on-premises footholds—using tools such as Evil-WinRM and a DCSync attack—to compromise an Entra Connect server and identify a non-human synced Global Admin account without MFA. With that account the attackers registered a threat actor-owned federated tenant as a backdoor, escalated Azure privileges, and proceeded to mass-extract data and remove resources and backups before extorting victims through compromised Microsoft Teams accounts. Microsoft has updated Entra ID behavior, released Entra Connect 2.5.3.0 to support Modern Authentication, and recommended enabling TPM, enforcing MFA, and other hardening controls.

Storm-0501 Shifts to Cloud-Based Ransomware Tactics

🔒 Microsoft Threat Intelligence reports that financially motivated actor Storm-0501 has shifted from on‑premises endpoint encryption toward cloud‑native ransomware tactics emphasizing rapid data exfiltration, destruction of backups, and extortion. The actor leverages compromised Entra Connect sync accounts, DCSync, and hybrid‑joined devices to escalate to Global Administrator and gain full Azure control. In cloud environments they abuse Azure operations (listing storage keys, AzCopy exfiltration, snapshot and resource deletions) and create malicious federated domains for persistence and impersonation. Microsoft recommends hardening sync configurations, enforcing phishing‑resistant MFA, enabling Defender for Cloud and storage protections, and applying least‑privilege access controls.

Securing and Governing Autonomous AI Agents in Business

🔐 Microsoft outlines practical guidance for securing and governing the emerging class of autonomous agents. Igor Sakhnov explains how agents—now moving from experimentation into deployment—introduce risks such as task drift, Cross Prompt Injection Attacks (XPIA), hallucinations, and data exfiltration. Microsoft recommends starting with a unified agent inventory and layered controls across identity, access, data, posture, threat, network, and compliance. It introduces Entra Agent ID and an agent registry concept to enable auditable, just-in-time identities and improved observability.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

MURKY PANDA: Trusted-Relationship Cloud Threats and TTPs

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

Agent Factory: Build Your First AI Agent with Tools

🔧 This Microsoft Azure blog post, the second entry in the six-part Agent Factory series, explains how tool ecosystems are defining the next wave of agentic AI. It argues the industry is moving from single-model prompts to extensible platforms that let agents discover and invoke a broad set of capabilities at runtime. The piece highlights the Model Context Protocol (MCP) and Azure AI Foundry for secure, enterprise-grade tool integration, and summarizes five best practices for governance, identity, and observability to achieve scalable, production-ready agents.

Defending Against SCATTERED SPIDER with Falcon SIEM

🔒 Falcon Next-Gen SIEM provides real-time, cross-domain detection to help organizations detect and respond to the identity-centric eCrime group SCATTERED SPIDER. The platform correlates identity, cloud, SaaS, network and email telemetry, offering out-of-the-box rule templates for phishing, MFA fatigue, suspicious SSO events and exfiltration. CrowdStrike recommends comprehensive log ingestion and tuning of these templates to improve detection and response across the full attack lifecycle.

Connect with Security Leaders at Microsoft Ignite 2025

🔒 Microsoft Security invites CISOs, SecOps leads, identity architects, and cloud security engineers to Microsoft Ignite 2025 in San Francisco (Nov 17–21) and online (Nov 18–21) to explore secure AI adoption and modern SecOps. Register with RSVP code ATXTJ77W to access the half-day Microsoft Security Forum (Nov 17), hands-on labs, live demos, and one-on-one meetings with experts. Attendees can join networking events including the Secure the Night party, pursue onsite Microsoft Security certifications, and engage in roundtables focused on threat intelligence, regulatory insights, and protecting data, identities, and infrastructure.

Agent Factory: Enterprise Design Patterns for Agentic AI

🤖 Microsoft introduces the Agent Factory series to share best practices and design patterns for enterprise agentic AI that reasons, acts, and collaborates across workflows. The post outlines five core patterns—tool use, reflection, planning, multi-agent, and ReAct—and links them to real-world outcomes such as reduced proposal time and automated incident delivery. It stresses the need for a unified platform to manage security, identity, observability, and connectors. Azure AI Foundry is presented as a scalable end-to-end solution with flexible model choice, 1,400+ connectors, open protocols, and managed Entra Agent ID and RBAC.

CISA Issues Emergency Directive for Microsoft Exchange

⚠️ CISA issued Emergency Directive 25-02 directing federal civilian agencies to immediately update and secure hybrid Microsoft Exchange environments to address a post-authentication privilege escalation vulnerability. The flaw, tracked as CVE-2025-53786, could allow an actor with administrative access on an Exchange server to escalate privileges and affect identities and administrative access in connected cloud services. CISA says it is not aware of active exploitation but mandates agencies implement vendor mitigation guidance and will monitor and support compliance. All organizations using hybrid Exchange configurations are urged to adopt the recommended mitigations.