MT.1081 - Hybrid users should not be assigned Entra ID role assignments
Overview
Microsoft strongly recommends against using synchronized identities to manage Microsoft 365 or Microsoft Entra environments, to protect those environments against on-premises attacks.
How to fix
Create dedicated privileged users to assign and use Entra ID roles, and remove the previous role assignments for the on-premises accounts.
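To find the accounts this fix applies to, the following added example (not the Maester test's own code) joins directory role assignments against users flagged as synchronized. The function name `Find-SyncedRoleHolder` and the sample data are constructed for illustration. It assumes active, directly assigned roles only: PIM-eligible assignments and members of role-assignable groups are not covered.

```powershell
# Added example; Find-SyncedRoleHolder is a hypothetical helper, not part of Maester.
# For live data, after Connect-MgGraph -Scopes RoleManagement.Read.Directory,User.Read.All:
#   $assignments = (Invoke-MgGraphRequest -Method GET -Uri `
#       'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$expand=roleDefinition').value
#   $users = (Invoke-MgGraphRequest -Method GET -Uri `
#       'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,onPremisesSyncEnabled').value
# (.value holds one page only; follow '@odata.nextLink' in larger tenants.)

function Find-SyncedRoleHolder {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [object[]] $Users
    )
    # Index users by object ID. Principals missing from this index are
    # groups or service principals and are skipped.
    $byId = @{}
    foreach ($u in $Users) { $byId[$u.id] = $u }

    $Assignments |
        Where-Object {
            # onPremisesSyncEnabled is $null for cloud-only users, so compare to $true explicitly.
            $byId.ContainsKey($_.principalId) -and
            $byId[$_.principalId].onPremisesSyncEnabled -eq $true
        } |
        Group-Object -Property { $_.principalId } |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $byId[$_.Name].userPrincipalName
                Roles = @($_.Group | ForEach-Object { $_.roleDefinition.displayName } | Sort-Object -Unique)
            }
        }
}

# Constructed sample data in the shape Graph returns.
$users = @(
    [pscustomobject]@{ id = 'u1'; userPrincipalName = 'alice@contoso.example';   onPremisesSyncEnabled = $true }
    [pscustomobject]@{ id = 'u2'; userPrincipalName = 'adm-bob@contoso.example'; onPremisesSyncEnabled = $null }
)
$assignments = @(
    [pscustomobject]@{ principalId = 'u1';  roleDefinition = [pscustomobject]@{ displayName = 'Global Administrator' } }
    [pscustomobject]@{ principalId = 'u1';  roleDefinition = [pscustomobject]@{ displayName = 'Exchange Administrator' } }
    [pscustomobject]@{ principalId = 'u2';  roleDefinition = [pscustomobject]@{ displayName = 'Global Administrator' } }
    [pscustomobject]@{ principalId = 'sp1'; roleDefinition = [pscustomobject]@{ displayName = 'Directory Readers' } }
)

# Only the synchronized user (alice) is reported, with both of her roles.
Find-SyncedRoleHolder -Assignments $assignments -Users $users | Format-Table -AutoSize
```

Each account reported needs a dedicated cloud-only replacement before its role assignments are removed.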
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1081 |
| Severity | Medium |
| Suite | Maester |
| Category | Privileged |
| PowerShell test | Test-MtXspmHybridUsersWithAssignedEntraIdRoles |
| Tags | Entra, EntraOps, Graph, LongRunning, MT.1081, Privileged, XSPM |
Source
- Pester test: tests/XSPM/Test-XspmPrivilegedIdentities.Tests.ps1
- PowerShell source: powershell/public/xspm/Test-MtXspmHybridUsersWithAssignedEntraIdRoles.ps1