Merge pull request #11720 from shlipsey3/zt-checks-030426

JamesJBarnett · web-flow · commit 51f5ca3c7b16 · 2026-03-25T16:34:30.000-07:00
zt-checks-030436
diff --git a/docs/fundamentals/configure-security.md b/docs/fundamentals/configure-security.md
@@ -61,7 +61,9 @@ Reduce credential-related risk by implementing modern identity standards.
 | [Use cloud authentication](zero-trust-protect-identities.md#use-cloud-authentication) | Microsoft Entra ID P1 |
 | [All users are required to register for MFA](zero-trust-protect-identities.md#all-users-are-required-to-register-for-mfa) | Microsoft Entra ID P2 |
 | [Users have strong authentication methods configured](zero-trust-protect-identities.md#users-have-strong-authentication-methods-configured) | Microsoft Entra ID P1 |
+| [Reduce the user-visible password surface area](zero-trust-protect-identities.md#reduce-the-user-visible-password-surface-area) | Microsoft Entra ID P1 |
 | [User sign-in activity uses token protection](zero-trust-protect-identities.md#user-sign-in-activity-uses-token-protection) | Microsoft Entra ID P1 |
+| [Token protection policies are configured](zero-trust-protect-identities.md#token-protection-policies-are-configured) | Microsoft Entra ID P1 |
 | [All user sign-in activity uses phishing-resistant authentication methods](zero-trust-protect-identities.md#all-user-sign-in-activity-uses-phishing-resistant-authentication-methods) | Microsoft Entra ID P1 |
 | [All sign-in activity comes from managed devices](zero-trust-protect-identities.md#all-sign-in-activity-comes-from-managed-devices) | Microsoft Entra ID P1 |
 | [Security key authentication method enabled](zero-trust-protect-identities.md#security-key-authentication-method-enabled) | None (included with Microsoft Entra ID) |
@@ -75,6 +77,7 @@ Reduce credential-related risk by implementing modern identity standards.
 | [Require multifactor authentication for device join and device registration using user action](zero-trust-protect-identities.md#require-multifactor-authentication-for-device-join-and-device-registration-using-user-action) | Microsoft Entra ID P1 |
 | [Local Admin Password Solution is deployed](zero-trust-protect-identities.md#local-admin-password-solution-is-deployed) | Microsoft Entra ID P1 |
 | [Entra Connect Sync is configured with Service Principal Credentials](zero-trust-protect-identities.md#entra-connect-sync-is-configured-with-service-principal-credentials) | None (included with Microsoft Entra ID) |
+| [Directory sync account is locked down to specific named location](zero-trust-protect-identities.md#directory-sync-account-is-locked-down-to-specific-named-location) | Microsoft Entra ID P1 |
 | [No usage of ADAL in the tenant](zero-trust-protect-identities.md#no-usage-of-adal-in-the-tenant) | None (included with Microsoft Entra ID) |
 | [Block legacy Azure AD PowerShell module](zero-trust-protect-identities.md#block-legacy-azure-ad-powershell-module) | None (included with Microsoft Entra ID) |
 | [Enable Microsoft Entra ID security defaults for free tenants](zero-trust-protect-identities.md#enable-microsoft-entra-id-security-defaults-for-free-tenants) | None (included with Microsoft Entra ID) |
diff --git a/docs/fundamentals/zero-trust-protect-identities.md b/docs/fundamentals/zero-trust-protect-identities.md
@@ -119,9 +119,15 @@ The recommendations and Zero Trust checks that are part of this pillar help redu
 ### Users have strong authentication methods configured
 [!INCLUDE [21801](../includes/secure-recommendations/21801.md)]
 
+### Reduce the user-visible password surface area
+[!INCLUDE [21889](../includes/secure-recommendations/21889.md)]
+
 ### User sign-in activity uses token protection
 [!INCLUDE [21786](../includes/secure-recommendations/21786.md)]
 
+### Token protection policies are configured
+[!INCLUDE [21941](../includes/secure-recommendations/21941.md)]
+
 ### All user sign-in activity uses phishing-resistant authentication methods
 [!INCLUDE [21784](../includes/secure-recommendations/21784.md)]
 
@@ -167,6 +173,9 @@ The recommendations and Zero Trust checks that are part of this pillar help redu
 ### Entra Connect Sync is configured with Service Principal Credentials
 [!INCLUDE [24570](../includes/secure-recommendations/24570.md)]
 
+### Directory sync account is locked down to specific named location
+[!INCLUDE [21834](../includes/secure-recommendations/21834.md)]
+
 ### No usage of ADAL in the tenant
 [!INCLUDE [21780](../includes/secure-recommendations/21780.md)]
 
diff --git a/docs/includes/secure-recommendations/21834.md b/docs/includes/secure-recommendations/21834.md
@@ -0,0 +1,29 @@
+---
+title: Directory sync account is locked down to specific named location
+ms.author: sarahlipsey
+author: shlipsey3
+ms.service: entra-id
+ms.topic: include
+ms.date: 03/05/2026
+ms.custom: Identity-Secure-Recommendation
+ai-usage: ai-assisted
+# minimumlicense:
+# sfipillar: Protect identities and secrets
+# category: Access control
+# risklevel: High
+# userimpact: Low
+# implementationcost: Medium
+---
+Directory synchronization accounts are highly privileged service accounts that facilitate identity synchronization between on-premises Active Directory and Microsoft Entra ID. Without location-based access controls, threat actors who compromise these accounts can synchronize malicious changes from any location, including unauthorized networks or geographic regions.
+
+Once a directory sync account is compromised, threat actors can:
+- Manipulate identity synchronization processes
+- Create unauthorized user accounts
+- Escalate privileges of existing accounts
+- Persist access by modifying synchronization rules
+
+Unrestricted network access allows threat actors to operate remotely from compromised infrastructure, making detection harder while maintaining long-term access to the hybrid identity environment. Restricting these accounts to trusted named locations through Conditional Access policies limits the attack surface by ensuring synchronization operations only occur from authorized network locations.
+
+**Remediation action**
+
+- [Block access by location with Conditional Access](/entra/identity/conditional-access/policy-block-by-location).
diff --git a/docs/includes/secure-recommendations/21889.md b/docs/includes/secure-recommendations/21889.md
@@ -0,0 +1,25 @@
+---
+title: Reduce the user-visible password surface area
+ms.author: sarahlipsey
+author: shlipsey3
+ms.service: entra-id
+ms.topic: include
+ms.date: 03/04/2026
+ms.custom: Identity-Secure-Recommendation
+ai-usage: ai-assisted
+# minimumlicense:
+# sfipillar: Protect identities and secrets
+# category: Authentication
+# risklevel: High
+# userimpact: Medium
+# implementationcost: Medium
+---
+Organizations with extensive user-facing password surfaces expose multiple entry points for credential-based attacks. Threat actors often begin with credential stuffing using compromised credentials from data breaches, followed by password spraying to test common passwords across multiple accounts. Once initial access is gained, they conduct credential discovery by examining browser password stores, cached credentials in memory, and credential managers to harvest additional authentication materials. These stolen credentials enable lateral movement to more systems and applications, often escalating privileges by targeting administrative accounts that still rely on password authentication.
+
+Without passwordless methods like Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator deployed broadly, every password prompt is an opportunity for interception and exploitation. Reducing the password surface area limits these attack vectors and reduces the overall exposure to credential-based threats.
+
+**Remediation action**
+
+- [Plan a phishing-resistant passwordless authentication deployment](/entra/identity/authentication/how-to-plan-prerequisites-phishing-resistant-passwordless-authentication).
+- [Enable passkeys (FIDO2)](/entra/identity/authentication/how-to-enable-passkey-fido2).
+- [Configure Windows Hello for Business](/windows/security/identity-protection/hello-for-business/).
diff --git a/docs/includes/secure-recommendations/21941.md b/docs/includes/secure-recommendations/21941.md
@@ -0,0 +1,23 @@
+---
+title: Token protection policies are configured
+ms.author: sarahlipsey
+author: shlipsey3
+ms.service: entra-id
+ms.topic: include
+ms.date: 03/09/2026
+ms.custom: Identity-Secure-Recommendation
+ai-usage: ai-assisted
+# minimumlicense: P1
+# sfipillar: Protect identities and secrets
+# category: Access control
+# risklevel: Medium
+# userimpact: Low
+# implementationcost: Medium
+---
+Without the Token Protection Conditional Access policy, threat actors who steal sign-in session tokens can replay them from any device to gain unauthorized access to resources. Token theft allows attackers to bypass authentication entirely because the stolen token is already a valid proof of identity. This access vector enables lateral movement, privilege escalation, and data exfiltration without triggering reauthentication challenges.
+ 
+Token protection in Microsoft Entra ID binds sign-in session tokens to the device where they were originally issued, rendering stolen tokens unusable on attacker-controlled devices. Configuring the Conditional Access Token Protection policy for Windows and Apple platforms ensures that sign-in session tokens for critical services like SharePoint Online and Exchange Online can't be replayed from unauthorized endpoints.
+
+**Remediation action**
+
+- [Configure token protection in Conditional Access](/entra/identity/conditional-access/concept-token-protection#create-a-conditional-access-policy).
diff --git a/docs/includes/secure-recommendations/21953.md b/docs/includes/secure-recommendations/21953.md
@@ -4,7 +4,7 @@ ms.author: joflore
 author: MicrosoftGuyJFlo
 ms.service: entra-id
 ms.topic: include
-ms.date: 10/07/2025
+ms.date: 03/05/2026
 ms.custom: Identity-Secure-Recommendation
 # minimumlicense: P1
 # sfipillar: Protect identities and secrets
@@ -13,7 +13,11 @@ ms.custom: Identity-Secure-Recommendation
 # userimpact: Low
 # implementationcost: Medium
 ---
-Without Local Admin Password Solution (LAPS) deployed, threat actors exploit static local administrator passwords to establish initial access. After threat actors compromise a single device with a shared local administrator credential, they can move laterally across the environment and authenticate to other systems sharing the same password. Compromised local administrator access gives threat actors system-level privileges, letting them disable security controls, install persistent backdoors, exfiltrate sensitive data, and establish command and control channels. 
+Without Local Admin Password Solution (LAPS) deployed, threat actors exploit static local administrator passwords to establish initial access. After threat actors compromise a single device with a shared local administrator credential, they can move laterally across the environment and authenticate to other systems sharing the same password. Compromised local administrator access gives threat actors system-level privileges, which lets them accomplish a wide range of malicious activities, including:
+- Disable security controls
+- Install persistent backdoors
+- Exfiltrate sensitive data
+- Establish command and control channels
 
 The automated password rotation and centralized management of LAPS closes this security gap and adds controls to help manage who has access to these critical accounts. Without solutions like LAPS, you can't detect or respond to unauthorized use of local administrator accounts, giving threat actors extended dwell time to achieve their objectives while remaining undetected.
 
diff --git a/docs/includes/secure-recommendations/21954.md b/docs/includes/secure-recommendations/21954.md
@@ -4,7 +4,7 @@ ms.author: joflore
 author: MicrosoftGuyJFlo
 ms.service: entra-id
 ms.topic: include
-ms.date:
+ms.date: 03/04/2026
 ms.custom: Identity-Secure-Recommendation
 # minimumlicense: Free
 # sfipillar: Protect tenants and isolate production systems
@@ -13,7 +13,7 @@ ms.custom: Identity-Secure-Recommendation
 # userimpact: Low
 # implementationcost: Low
 ---
-When non-administrator users can access their own BitLocker keys, threat actors who compromise user credentials gain direct access to encryption keys without requiring privilege escalation. Once attackers obtain BitLocker keys, they can decrypt sensitive data stored on the device, including cached credentials, local databases, and confidential files.
+When non-administrator users can access their own BitLocker keys, threat actors who compromise user credentials can gain direct access to encryption keys without requiring privilege escalation. Once attackers obtain BitLocker keys, they can decrypt sensitive data stored on the device, including cached credentials, local databases, and confidential files.
 
 Without proper restrictions, a single compromised user account provides immediate access to all encrypted data on that device, negating the primary security benefit of disk encryption and creating a pathway for lateral movement. 
 
