AD Connect and MDR for Microsoft 365
planned
Michael Abt
So it's great that Huntress can disable a user, but the issue is that when it syncs back to the on-prem server, if that user is not locked there it will re-enable the user's account and remove the block. This is an issue because we want the account to be locked until we can look into it, but if it's not locked on the server the user just has to wait until the sync and then they are re-enabled.
Rich Mozeleski
Merged in a post:
ADSync configuration updates
Rich Mozeleski
~40% of identities we manage use ADSync. When we disable these identities, they are automatically re-enabled the next time AD syncs with Entra. This work fixes that.
Rich Mozeleski
Merged in a post:
Disabling AD Sync users
Derrick Bennett
It would be really awesome if, when the ITDR recognizes a critical incident (and would normally disable a cloud-only user), it were able to identify whether a domain controller exists in the same MDR tenant and pass through a PowerShell command to disable that user and run a delta sync.
John Hardwick
I'd be curious to know what the plan is here: using an agent on a DC at the same org to disable the synced account?
Rich Mozeleski
planned
This will be a Q1 deliverable
Peet McKinney
Rich Mozeleski superb.
Toby Stephenson
Agreed. I would also add the ability to record the success/failure of the “containment” activity, with the SOC following up as necessary.
Peet McKinney
Just coming back to this critical need to note that other MDRs seem to handle this with an agent on the DCs. Considering the Huntress agent is on most of our DCs, disabling an account there is pretty straightforward.
¯\_(ツ)_/¯ Hope this moves to "in progress" soon.
Scott Brandt
Using the Huntress agent on the domain controller associated with that customer organization would be a great way to handle this and would not have M365 licensing implications if the customer tenant isn't licensed for conditional access.
Please at least go back to locking the user account in M365 initially, and even revoking all M365 session/access/refresh tokens, even though the user will eventually be re-activated by the AD Connect agent after that point. Something is better than nothing while we wait for a better solution.
Daniel Cronin
This is a big problem for us and, like others have said, the impact for hybrid users outside our business hours is massive.
FortifyIT
Just let it read whether the MSP did the remediation steps; if yes, then it can be enabled. If no remediation has been approved, just keep disabling.
Joel DeTeves
IMHO the simplest way for the Huntress team to tackle this problem is to utilize the Huntress agent installed on the domain controller. If an MDR event is triggered that requires isolation, the MDR component would talk to the Huntress agent installed on the DC and disable the account from there. Option B, as others have mentioned, is to find some other way to block off that user's access from the 365 side, e.g. a "block all" compromised-users Conditional Access policy.
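The containment sequence the thread converges on (Derrick's "disable on the DC and run a delta sync", Scott's "disable and revoke tokens in M365 in the meantime", Toby's "record success/failure for the SOC"), written out as one PowerShell function. This is an added illustration, not Huntress code or anything from the thread; the function name, its parameters, and the sample values (`jdoe`, `contoso.com`, `AADC01`) are assumptions. It uses the ActiveDirectory, ADSync and Microsoft.Graph modules. One caveat the thread glosses over: `Start-ADSyncSyncCycle` only exists on the machine running Entra Connect, which is not necessarily a domain controller, so the example reaches that host over WinRM (assumed reachable). The on-prem account is disabled first because for a synced identity the on-prem `userAccountControl` is what flows to Entra's `accountEnabled`; once the delta sync lands, the cloud disable no longer gets undone.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example (not Huntress code). Assumes: WinRM access to the Entra Connect host,
# an existing Connect-MgGraph session with User.ReadWrite.All, and RSAT AD tools locally.
function Invoke-HybridContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,     # on-prem identity
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # Entra ID identity
        [Parameter(Mandatory)] [string] $AdConnectServer     # host running Entra Connect (assumed name)
    )

    # Record of each step, returned at the end so the SOC can follow up on anything that failed.
    $result = [ordered]@{
        OnPremDisabled   = $false
        DeltaSyncStarted = $false
        CloudDisabled    = $false
        SessionsRevoked  = $false
    }

    # 1. Disable on-prem first. This is the state AD Connect will sync, so it is the one that sticks.
    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled
    if ($user.Enabled -and $PSCmdlet.ShouldProcess($SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user
    }
    $result.OnPremDisabled = -not (Get-ADUser -Identity $SamAccountName -Properties Enabled).Enabled

    # 2. Force a delta sync so Entra picks the change up now instead of on the next scheduled
    #    cycle (30 minutes by default). The ADSync module lives on the Connect host, hence Invoke-Command.
    if ($PSCmdlet.ShouldProcess($AdConnectServer, 'Start-ADSyncSyncCycle -PolicyType Delta')) {
        $result.DeltaSyncStarted = Invoke-Command -ComputerName $AdConnectServer -ScriptBlock {
            Import-Module ADSync
            # A cycle already in progress makes Start-ADSyncSyncCycle throw; report it rather than abort containment.
            try { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null; $true }
            catch { Write-Warning "Delta sync not started: $_"; $false }
        }
    }

    # 3. Close the gap on the cloud side while the sync propagates: block sign-in and revoke refresh tokens.
    #    Access tokens already issued stay valid until they expire; revocation stops new ones being minted.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable sign-in and revoke sessions')) {
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
        $result.CloudDisabled = -not (Get-MgUser -UserId $UserPrincipalName -Property AccountEnabled).AccountEnabled
        try { Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null; $result.SessionsRevoked = $true }
        catch { Write-Warning "Session revocation failed: $_" }
    }

    [pscustomobject]$result
}

# Usage with assumed values. -WhatIf prints each step without changing anything.
# Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Invoke-HybridContainment -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.com' -AdConnectServer 'AADC01' -WhatIf
```

If the delta sync fails to start (step 2 returns `$false`), the cloud-side disable in step 3 still buys time until the next scheduled cycle, and the returned object makes that partial state visible instead of silently reporting "contained".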