No hybrid user with permanent role assignment on Control Plane
Why This Matters
If a hybrid user (a user synced from on-premises Active Directory) holds a permanent high-privileged role on the Microsoft 365 control plane, an attacker who compromises your on-premises environment can pivot to cloud resources without additional authentication. This bypasses your cloud security controls and creates a direct lateral movement path. Administrators should prioritize eliminating these hybrid role assignments to enforce strict separation between on-premises and cloud identities.
What Aether365 Checks
This check scans all Azure Active Directory role assignments on the control plane to identify any hybrid user (synced from on-premises) with a permanent high-privileged role, such as Global Administrator or Privileged Role Administrator. Aether365 flags these as violations in your Microsoft 365 security dashboard under the microsoft-365 check group.
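The logic behind such a check, as an added example that is not Aether365's own code: it takes Graph-shaped user objects (onPremisesSyncEnabled marks a hybrid user) and role assignment schedule instances (an active "Assigned" instance with no endDateTime is a permanent assignment; PIM activations carry an end time), and reports hybrid users holding a permanent high-privileged role. The field names follow Microsoft Graph's shape but the sample data below is constructed, and the role set is an assumption.

```python
"""Flag hybrid (on-prem synced) users holding permanent high-privileged directory roles."""
from dataclasses import dataclass

# Roles treated as control-plane high privilege (assumed set; extend as needed).
HIGH_PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass(frozen=True)
class Finding:
    upn: str
    role: str


def find_hybrid_permanent_admins(users, assignments):
    """users: Graph-style user objects (id, userPrincipalName, onPremisesSyncEnabled).
    assignments: Graph-style roleAssignmentScheduleInstances with principalId,
    roleDefinition.displayName, assignmentType and endDateTime.
    Only active ('Assigned') instances without an end time count as permanent."""
    hybrid = {u["id"]: u["userPrincipalName"] for u in users if u.get("onPremisesSyncEnabled")}
    findings = []
    for a in assignments:
        role = a["roleDefinition"]["displayName"]
        if role not in HIGH_PRIVILEGED_ROLES:
            continue
        if a.get("assignmentType") != "Assigned" or a.get("endDateTime") is not None:
            continue  # PIM activation or time-bound assignment: not permanent
        if a["principalId"] in hybrid:
            findings.append(Finding(hybrid[a["principalId"]], role))
    return findings


# Constructed sample data (not real tenant output).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": True},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": True},
    {"id": "u3", "userPrincipalName": "cloudadmin@contoso.example", "onPremisesSyncEnabled": None},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "u1", "roleDefinition": {"displayName": "Global Administrator"},
     "assignmentType": "Assigned", "endDateTime": None},          # hybrid + permanent: violation
    {"principalId": "u2", "roleDefinition": {"displayName": "Privileged Role Administrator"},
     "assignmentType": "Activated", "endDateTime": "2024-01-01T10:00:00Z"},  # PIM activation
    {"principalId": "u3", "roleDefinition": {"displayName": "Global Administrator"},
     "assignmentType": "Assigned", "endDateTime": None},          # cloud-only user: allowed
    {"principalId": "u1", "roleDefinition": {"displayName": "User Administrator"},
     "assignmentType": "Assigned", "endDateTime": None},          # not in the high-privilege set
]

if __name__ == "__main__":
    for f in find_hybrid_permanent_admins(SAMPLE_USERS, SAMPLE_ASSIGNMENTS):
        print(f"VIOLATION: hybrid user {f.upn} holds permanent {f.role}")
```

Against a real tenant the two inputs would come from the Graph users and roleManagement/directory/roleAssignmentScheduleInstances endpoints; the filtering logic stays the same.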