A few years ago, I came across a blog post titled Protecting Microsoft 365 from on-premises attacks, which resonated deeply with me. So much so that I saved it among my favorites, and today, it is even part of official Microsoft Learn documentation. This blog challenged my perspective on hybrid security, highlighting various security risks in hybrid environments, including the potential dangers of on-premises administrator accounts having administrative control over Microsoft 365 environments. This realization led me to advocate for better security postures in organizations.
Now, after revisiting that post, I conducted a personal assessment to see how well these principles have been adopted. The results? While we've made progress by limiting cloud access for synchronized accounts, enforcing Conditional Access policies for corporate-compliant devices, and even adopting phishing-resistant MFA for admins, significant security gaps remain. Many organizations still struggle with fundamental security hygiene, even when robust security measures don’t necessarily require high-end licensing like Microsoft 365 E5.
Reflecting on that original blog post title, Protecting Microsoft 365 from on-premises attacks, I now ask: Is this the only risk we should be concerned about? In today’s hybrid environments, where more organizations integrate on-premises services with cloud infrastructure, the reverse concern, protecting on-premises infrastructure from Microsoft 365 attacks, is just as pressing.
Microsoft Intune and Device Management Risks
Microsoft Intune adoption is growing, and more organizations are using it to manage privileged workstations. The key question is: Who manages these high-privilege devices? Observations vary from internal service desks to external partners, many of whom authenticate using only basic MFA, which we know can be bypassed. Worse still, there are cases where MFA isn’t enforced at all due to misconfigurations or oversight. Although Microsoft has committed to requiring MFA for Intune portal access, these security changes are rolling out more slowly than expected.
(See Microsoft's post Planning for mandatory multifactor authentication for Azure and other admin portals.)
From an attacker’s perspective, Intune provides a powerful method for deploying malware to compromise an organization’s infrastructure.
Defender for Endpoint: A Potential Backdoor?
Defender for Endpoint’s Live Response functionality enables remote command execution. If an attacker gains admin access, they can leverage this tool to execute malicious scripts, even placing a device in troubleshooting mode to disable Defender components. Now, imagine if this compromised device is a domain controller. The consequences would be catastrophic.
Would we even notice if an attacker deployed malware through Intune? Would we be alerted if they ran a PowerShell script via Live Response? While logs capture these activities, will we realistically detect them in time?
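To make the detection question concrete, here is an added example (not code from the original post) that runs a small scoring pass over a constructed batch of cloud audit events. It flags Intune application assignments and Live Response or troubleshooting-mode actions, and escalates to critical whenever the target device is a domain controller. The field names, the device inventory, the approved-admin list and the sample log are all assumptions made for this example; map them to the columns of the export you actually ingest.

```python
"""Detection pass over cloud audit events (added example, not from the original post).
Looks for software pushed through Intune and commands run through Defender for
Endpoint Live Response, raising severity when the target is a domain controller.
Event field names and the sample log are constructed for this example."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: which devices are Tier-0 and which are approved admin workstations.
DEVICE_ROLES = {
    "DC01": "domain_controller",
    "DC02": "domain_controller",
    "PAW-ADM01": "paw",
    "WS-SALES07": "workstation",
}
# Accounts and origin devices from which these operations are expected (assumed).
APPROVED_ADMINS = {"admin.jane@contoso.example"}
APPROVED_ORIGINS = {"PAW-ADM01"}


@dataclass
class Alert:
    severity: str  # critical | high | medium | low
    event_id: str
    reason: str


def score_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for a single event, or None if the event is not of interest."""
    op = ev.get("operation")
    actor = ev.get("actor", "")
    origin = ev.get("actor_device", "") or "unknown device"
    target = ev.get("target_device", "")
    role = DEVICE_ROLES.get(target, "unknown")
    eid = ev.get("id", "?")

    if op in ("LiveResponseCommand", "TroubleshootingModeEnabled"):
        # Remote execution on, or weakening Defender on, a DC is always critical.
        if role == "domain_controller":
            return Alert("critical", eid, f"{op} on domain controller {target} by {actor} from {origin}")
        if actor not in APPROVED_ADMINS or origin not in APPROVED_ORIGINS:
            return Alert("high", eid, f"{op} on {target} by {actor} from {origin}")
        return Alert("low", eid, f"{op} on {target} by approved admin from approved PAW")

    if op == "IntuneAppAssignment":
        # A new software assignment: both the account and the device it came from matter.
        app, group = ev.get("app"), ev.get("target_group")
        if actor not in APPROVED_ADMINS:
            return Alert("high", eid, f"Intune assignment of {app} to {group} by unapproved account {actor}")
        if origin not in APPROVED_ORIGINS:
            return Alert("medium", eid, f"Intune assignment of {app} by {actor} from non-PAW device {origin}")
        return None

    return None


def analyze(log_lines) -> list:
    """Parse JSON-per-line audit records and return the alerts in input order."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # A record we cannot parse is itself worth a look, not a silent drop.
            alerts.append(Alert("medium", "?", f"unparseable audit line: {line[:60]}"))
            continue
        alert = score_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per severity."""
    return dict(Counter(a.severity for a in alerts))


# Constructed sample log: six events, one per line, in the assumed schema.
SAMPLE_LOG = """
{"id": "e1", "operation": "LiveResponseCommand", "actor": "admin.jane@contoso.example", "actor_device": "PAW-ADM01", "target_device": "WS-SALES07", "command": "processes"}
{"id": "e2", "operation": "LiveResponseCommand", "actor": "helpdesk.partner@vendor.example", "actor_device": "", "target_device": "DC01", "command": "run collect.ps1"}
{"id": "e3", "operation": "TroubleshootingModeEnabled", "actor": "helpdesk.partner@vendor.example", "actor_device": "", "target_device": "DC01"}
{"id": "e4", "operation": "IntuneAppAssignment", "actor": "admin.jane@contoso.example", "actor_device": "WS-SALES07", "app": "Contoso VPN client", "target_group": "All Devices"}
{"id": "e5", "operation": "IntuneAppAssignment", "actor": "helpdesk.partner@vendor.example", "actor_device": "", "app": "RemoteTool.msi", "target_group": "Tier0-Servers"}
{"id": "e6", "operation": "DeviceSignIn", "actor": "user@contoso.example", "target_device": "WS-SALES07"}
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a.severity:8}] {a.event_id}: {a.reason}")
    print(summarize(found))
```

The point of the inventory lookup is that "a Live Response session happened" is not actionable on its own, while "a Live Response session on DC01 from a device we do not recognise" is. Routing the critical tier to a paging channel rather than a daily digest is what turns captured logs into timely detection.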
Mitigating the Risks: Revisiting Zero Trust Principles
The foundational principles from the Protecting Microsoft 365 from on-premises attacks blog still hold today. The key to defense is adopting a Zero Trust mindset. This means incorporating more signals, enforcing stricter controls, and maintaining proactive monitoring.
Enforce Phishing-Resistant MFA for Administrative Accounts
Given the rise of AiTM (Adversary-in-the-Middle) attacks, conventional MFA is no longer sufficient. We must require phishing-resistant MFA methods such as:
Certificate-Based Authentication (CBA)
Windows Hello for Business
Passkeys
However, simply registering a phishing-resistant method is not enough. Conditional Access policies must enforce these methods via Authentication Strengths, ensuring weaker MFA options aren’t available in case of a compromise.
Secure Administrative Access with Privileged Access Workstations (PAWs)
Organizations should mandate that administrative roles only authenticate from Privileged Access Workstations (PAWs). Traditionally used for on-premises environments, PAW principles can and should be extended to Microsoft 365. Some implementation approaches may include:
Dedicated physical or Azure Virtual Desktop (AVD) based PAWs for cloud-centric admin tasks.
Conditional Access enforcement ensuring that privileged accounts can only sign in from approved, compliant PAW devices.
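The two preceding sections (Authentication Strengths in Conditional Access, and restricting privileged sign-ins to compliant PAW devices) come together in one policy. As an added example, not code from the original post, the block below builds such a policy in the JSON shape Microsoft Graph uses for /identity/conditionalAccess/policies and then audits a constructed set of existing tenant policies for privileged roles that lack either control. The role template IDs and the built-in "Phishing-resistant MFA" strength ID are assumptions from memory and should be confirmed in your tenant; the existing policies are constructed.

```python
"""Conditional Access coverage check (added example, not from the original post).
Builds a grant policy requiring phishing-resistant MFA AND a compliant device for
privileged roles, and reports roles not covered by both controls.
Role and strength IDs are assumed; sample tenant policies are constructed."""
import json

# Built-in authentication strength "Phishing-resistant MFA" (assumed; verify in your tenant).
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs (assumed from memory; confirm against Entra ID).
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
}


def build_admin_policy(role_ids, display_name="Admins: phishing-resistant MFA + compliant device"):
    """Grant policy for all cloud apps: the given roles must satisfy both controls (AND)."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": list(role_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH},
        },
    }


def applies_to_role(policy, role_id):
    """Enabled, scoped to all apps, and includes (without excluding) the role."""
    if policy.get("state") != "enabled":  # report-only policies enforce nothing
        return False
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    return (role_id in users.get("includeRoles", [])
            and role_id not in users.get("excludeRoles", [])
            and "All" in apps.get("includeApplications", []))


def requires_phishing_resistant(policy):
    gc = policy.get("grantControls") or {}
    return (gc.get("authenticationStrength") or {}).get("id") == PHISHING_RESISTANT_STRENGTH


def requires_compliant_device(policy):
    gc = policy.get("grantControls") or {}
    # With operator OR, a user could satisfy the policy with another control instead.
    return gc.get("operator") == "AND" and "compliantDevice" in gc.get("builtInControls", [])


def coverage_gaps(policies, roles):
    """Map role name -> list of missing controls; an empty dict means fully covered.
    A role may be covered by two separate policies (one per control)."""
    gaps = {}
    for rid, name in roles.items():
        applicable = [p for p in policies if applies_to_role(p, rid)]
        missing = []
        if not any(requires_phishing_resistant(p) for p in applicable):
            missing.append("phishing-resistant MFA")
        if not any(requires_compliant_device(p) for p in applicable):
            missing.append("compliant device")
        if missing:
            gaps[name] = missing
    return gaps


# Constructed example of an export of a tenant's existing policies.
EXISTING_POLICIES = [
    {   # Right control, never switched on: report-only enforces nothing.
        "displayName": "Pilot: phishing-resistant for GA",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}},
    },
    {   # Enabled, but the legacy "mfa" control accepts any registered method, SMS and push included.
        "displayName": "Admins: require MFA",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": list(PRIVILEGED_ROLES)},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print("gaps before:", coverage_gaps(EXISTING_POLICIES, PRIVILEGED_ROLES))
    fixed = EXISTING_POLICIES + [build_admin_policy(PRIVILEGED_ROLES)]
    print("gaps after:", coverage_gaps(fixed, PRIVILEGED_ROLES))
    print(json.dumps(build_admin_policy(PRIVILEGED_ROLES), indent=2))
```

The checker deliberately treats report-only policies and OR-combined controls as no coverage, because those are the two most common ways a tenant ends up believing it enforces a control it does not. Limiting admins to a specific tagged set of PAWs, rather than any compliant device, additionally needs a block policy using a device filter, which this example does not build.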
Privileged Identity Management (PIM): Beyond Just Approval Workflows
While many view Privileged Identity Management (PIM) as merely requiring approval workflows, its core value lies in enforcing Just-In-Time (JIT) access.
When admins request access, additional security checks are conducted:
They must prove their identity again (e.g., through phishing-resistant MFA).
They must use a compliant corporate device.
They receive email notifications when their role is activated, which can alert them to activations they did not initiate.
Final Thoughts
Security isn’t just about implementing advanced tools; it’s about ensuring fundamental hygiene. While we have made progress, organizations continue to struggle with basic security principles that don’t necessarily require high-end licensing. By enforcing Zero Trust, requiring phishing-resistant MFA, securing administrative access through PAWs, and leveraging Just-In-Time access with PIM, we can significantly reduce the attack surface in both cloud and hybrid environments. However, these are just a few examples of necessary security measures, and organizations must continuously evaluate and implement additional controls to stay ahead of evolving threats.
Ultimately, the real question is not only how to protect Microsoft 365 from on-premises attacks, but also how to safeguard on-premises infrastructure from Microsoft 365 compromises.
Hi Matej,
Have you found a way to block Live Response functionality on domain controllers?