Microsoft Entra ID has introduced a robust mechanism called protected actions to mitigate the risks associated with unauthorized hard deletions of user accounts.
This feature, which integrates with Conditional Access policies, adds an additional layer of security to critical administrative tasks by requiring users to meet stringent authentication requirements before performing high-impact actions.
Protected actions are particularly relevant in scenarios where attackers exploit permissions like User.DeleteRestore.All to delete and permanently remove user accounts from the recycle bin.
Typically, soft-deleted accounts remain recoverable for 30 days, but once hard-deleted, they become irretrievable.
By linking such sensitive operations to Conditional Access policies, organizations can enforce advanced authentication methods, such as phishing-resistant Multi-Factor Authentication (MFA) or passwordless authentication using FIDO2 keys or passkeys.
Implementing and Testing Protected Actions
To enable protected actions, administrators must first create a Conditional Access policy tied to an authentication context.
![Entra ID Accounts](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0rLFKJqPQ_3PMHH8JjVBqy6jlcmJ87wtGup9Q8e48OCepTvyFOw5p_vbYMEdtaU6OtwfT03Fh81ythqjX0jRiXEcWP9i54UWkSB-q9X3MMvudMHFAN3qRLDgXGXtEkzuzzDcKfRUzJ_JXa8QFX_DjFd3nPaIt1qrgy1z7B1pyfUA2V73NGRJ_8TwcwiQ/s16000/Conditional%20access%20policy%20to%20enable%20protected%20actions.webp)
For instance, a policy could mandate the use of compliant devices or strong MFA before allowing a user to perform a protected action.
The policy is then linked to specific permissions, such as microsoft.directory/deletedItems/delete, through the Entra admin center under the “Roles & Admins” section.
According to the research, testing is crucial to ensuring the effectiveness of these policies.
For example, an account with administrative privileges but configured with weaker MFA methods (e.g., SMS-based authentication) will fail to execute protected actions if it does not meet the policy’s requirements.
This restriction also applies when using Microsoft Graph APIs or PowerShell commands like Remove-MgDirectoryDeletedItem, ensuring that all access points are secured.
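The policy-creation and test steps above, as an added Microsoft Graph PowerShell example that is not part of the original article: it creates an authentication context, binds a Conditional Access policy requiring phishing-resistant MFA to it, and then attempts a hard delete to confirm the block. It assumes the Microsoft.Graph SDK modules are installed; the authentication context ID c1 and the break-glass account object ID are placeholders, and linking the context to the microsoft.directory/deletedItems/delete permission is still done in the admin center as described above.

```powershell
# Added example: require phishing-resistant MFA for the protected action that
# hard-deletes directory objects, then verify the block from PowerShell.
# Assumes the Microsoft.Graph PowerShell SDK; placeholder values are marked.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$BreakGlassObjectId = '<break-glass-account-object-id>'  # placeholder: excluded so admins cannot lock themselves out
$AuthContextId      = 'c1'                               # placeholder: any unused slot c1..c99
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'  # built-in "Phishing-resistant MFA" strength

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.DeleteRestore.All' -NoWelcome

# 1. Authentication context that the protected action will demand.
New-MgIdentityConditionalAccessAuthenticationContextClassReference -Id $AuthContextId `
    -DisplayName 'Protected actions: hard delete' `
    -Description 'Required for microsoft.directory/deletedItems/delete' -IsAvailable

# 2. Conditional Access policy bound to that context: all users except the
#    break-glass account, granted only with phishing-resistant MFA (FIDO2/passkeys).
$policy = @{
    displayName   = 'CA - Protected action: hard delete requires phishing-resistant MFA'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassObjectId) }
        applications = @{ includeAuthenticationContextClassReferences = @($AuthContextId) }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State

# 3. After linking the context to microsoft.directory/deletedItems/delete under
#    Roles & Admins > Protected actions, test from a session that only used SMS MFA:
#    hard-deleting a soft-deleted throwaway user must be refused.
$testUser = Get-MgDirectoryDeletedItemAsUser -All |
    Where-Object DisplayName -like 'ProtectedActionTest*' | Select-Object -First 1
if (-not $testUser) { Write-Warning 'Soft-delete a throwaway test user first.'; return }
try {
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $testUser.Id -ErrorAction Stop
    Write-Warning "Hard delete succeeded for $($testUser.Id): the protected action is NOT enforced for this session."
} catch {
    # Graph refuses the call (403 with a claims challenge) when the session lacks the required context.
    Write-Host "Hard delete blocked as expected: $($_.Exception.Message)"
}
```

Re-run the test from a FIDO2 or passkey session to confirm the same command succeeds once the policy's requirement is satisfied.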
Strengthening Tenant Security
Protected actions are a vital component of Entra ID’s broader security framework, which emphasizes the Zero Trust Architecture and the Principle of Least Privilege.
By requiring stringent conditions for high-risk operations, organizations can significantly reduce their attack surface.
However, it is essential to complement this feature with other best practices, such as:
- Deploying Privileged Access Workstations (PAWs) to isolate administrative tasks.
- Maintaining emergency accounts excluded from Conditional Access policies to prevent accidental lockouts.
- Regularly auditing permissions and monitoring account lifecycle activities for anomalies.
While protected actions cannot thwart attackers who gain full control over a tenant, they serve as a critical deterrent by complicating unauthorized attempts to execute destructive actions.
This layered approach ensures that even if some defenses are breached, attackers face additional hurdles in compromising sensitive systems.
By adopting these measures, organizations can safeguard their Entra ID environments against identity-based threats and maintain operational integrity in the face of evolving cyber risks.