Friday, May 9, 2025
Preventing Attackers from Permanently Deleting Entra ID Accounts with Protected Actions

Microsoft Entra ID has introduced a robust mechanism called protected actions to mitigate the risks associated with unauthorized hard deletions of user accounts.

This feature integrates with Conditional Access policies and adds a further layer of security to critical administrative tasks by requiring users to satisfy stringent authentication requirements before performing high-impact actions.

Protected actions are particularly relevant where an attacker who has obtained a permission such as User.DeleteRestore.All deletes user accounts and then permanently removes them from the recycle bin.

Typically, soft-deleted accounts remain recoverable for 30 days, but once hard-deleted, they become irretrievable.

By linking such sensitive operations to Conditional Access policies, organizations can enforce advanced authentication methods, such as phishing-resistant Multi-Factor Authentication (MFA) or passwordless authentication using FIDO2 keys or passkeys.

Implementing and Testing Protected Actions

To enable protected actions, administrators must first create a Conditional Access policy tied to an authentication context.

[Figure: Conditional Access policy used to enable protected actions]

For instance, a policy could mandate the use of compliant devices or strong MFA before allowing a user to perform a protected action.

The policy is then linked to specific permissions, such as microsoft.directory/deletedItems/delete, through the Entra admin center under the “Roles & Admins” section.

According to the research, testing is crucial to ensuring the effectiveness of these policies.

For example, an account with administrative privileges but configured with weaker MFA methods (e.g., SMS-based authentication) will fail to execute protected actions if it does not meet the policy’s requirements.

This restriction also applies when using Microsoft Graph APIs or PowerShell commands like Remove-MgDirectoryDeletedItem, ensuring that all access points are secured.
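The following script is an added example written for this article, not code from the original post or from Microsoft. It performs the same steps the text describes with Microsoft Graph PowerShell: create an authentication context, create a Conditional Access policy bound to that context and requiring the built-in phishing-resistant MFA strength, attach the context to the microsoft.directory/deletedItems/delete resource action so it becomes a protected action, and read the action back to verify the link. It assumes the authentication context id "c1" is unused in the tenant, that the break-glass account object id is replaced with your own (the value below is a placeholder), and that the protected actions endpoint is only exposed under the beta Graph API, which was the case at the time of writing.

```powershell
# Added example (not from the article): configure a protected action for
# microsoft.directory/deletedItems/delete with Microsoft Graph PowerShell.
# Assumptions to verify in your tenant: "c1" is a free authentication context id,
# $BreakGlassObjId is replaced with the object id of your emergency access account,
# and the resourceActions endpoint is still beta-only.

$ErrorActionPreference = 'Stop'
$AuthContextId   = 'c1'
$BreakGlassObjId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real account
$GraphV1         = 'https://graph.microsoft.com/v1.0'
$GraphBeta       = 'https://graph.microsoft.com/beta'
$ActionName      = 'microsoft.directory/deletedItems/delete'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.ReadWrite.Directory'

# 1. Authentication context shared by the Conditional Access policy and the protected action.
$ctx = @{
    id          = $AuthContextId
    displayName = 'Protected admin actions'
    description = 'Require phishing-resistant MFA for destructive directory operations'
    isAvailable = $true
}
Invoke-MgGraphRequest -Method POST -Uri "$GraphV1/identity/conditionalAccess/authenticationContextClassReferences" -Body $ctx | Out-Null

# 2. Look up the built-in "Phishing-resistant MFA" authentication strength by name rather than hard-coding its id.
$strengths      = Invoke-MgGraphRequest -Method GET -Uri "$GraphV1/policies/authenticationStrengthPolicies"
$phishResistant = $strengths.value | Where-Object { $_.displayName -eq 'Phishing-resistant MFA' } | Select-Object -First 1
if (-not $phishResistant) { throw 'Built-in Phishing-resistant MFA authentication strength not found' }

# 3. Conditional Access policy: any user who triggers authentication context c1 must satisfy that strength.
#    The emergency account is excluded so a misconfiguration cannot lock out recovery.
#    The policy starts in report-only mode; switch to 'enabled' once testing confirms the expected behaviour.
$policy = @{
    displayName   = 'Protected actions: phishing-resistant MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassObjId) }
        applications   = @{ includeAuthenticationContextClassReferences = @($AuthContextId) }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishResistant.id }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$GraphV1/identity/conditionalAccess/policies" -Body $policy | Out-Null

# 4. Find the resource action for hard-deleting recycle-bin objects among the actions that can be protected,
#    then attach the authentication context to it. This is what makes it a "protected action".
$listUri = "$GraphBeta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?`$filter=isAuthenticationContextSettable eq true"
$settable = Invoke-MgGraphRequest -Method GET -Uri $listUri
$action   = $settable.value | Where-Object { $_.name -eq $ActionName } | Select-Object -First 1
if (-not $action) { throw "Resource action $ActionName is not available as a protected action" }

$actionUri = "$GraphBeta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions/$($action.id)"
Invoke-MgGraphRequest -Method PATCH -Uri $actionUri -Body @{ authenticationContextId = $AuthContextId } | Out-Null

# 5. Read the action back and confirm the link before enabling enforcement.
$check = Invoke-MgGraphRequest -Method GET -Uri $actionUri
if ($check.authenticationContextId -ne $AuthContextId) { throw 'Protected action was not linked to the authentication context' }
"Action '$($check.name)' now requires authentication context $($check.authenticationContextId)"
```

To test the configuration the way the article recommends, set the policy state to 'enabled', sign in with an administrator whose only MFA method is SMS, and run Remove-MgDirectoryDeletedItem against a soft-deleted test object: the call should be refused because the session does not satisfy the authentication strength, and the same refusal should appear when the hard delete is attempted through the admin center or a direct Graph request. Keep the policy in report-only mode until the break-glass exclusion has been confirmed in the sign-in logs.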

Strengthening Tenant Security

Protected actions are a vital component of Entra ID’s broader security framework, which emphasizes the Zero Trust Architecture and the Principle of Least Privilege.

By requiring stringent conditions for high-risk operations, organizations can significantly reduce their attack surface.

However, it is essential to complement this feature with other best practices, such as:

  • Deploying Privileged Access Workstations (PAWs) to isolate administrative tasks.
  • Maintaining emergency accounts excluded from Conditional Access policies to prevent accidental lockouts.
  • Regularly auditing permissions and monitoring account lifecycle activities for anomalies.

While protected actions cannot thwart attackers who gain full control over a tenant, they serve as a critical deterrent by complicating unauthorized attempts to execute destructive actions.

This layered approach ensures that even if some defenses are breached, attackers face additional hurdles in compromising sensitive systems.

By adopting these measures, organizations can safeguard their Entra ID environments against identity-based threats and maintain operational integrity in the face of evolving cyber risks.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
