CrowdStrike is excited to announce the general availability of CrowdStrike Falcon® Identity Protection for Microsoft Entra ID, unifying prevention, detection and response to identity-based attacks across hybrid environments. This builds on our existing protection for leading cloud-based identity providers, on-premises Active Directory, and SaaS applications.
Threat actors continue to set their sights on organizations’ cloud environments. Adversaries like COZY BEAR and SCATTERED SPIDER relentlessly target cloud identity services like Microsoft Entra ID, using techniques such as password spraying and phishing attacks to break in. Once inside, they can register rogue devices, escalate privileges, and move laterally with compromised credentials in attacks spanning on-premises, cloud, and SaaS applications.
These cross-domain attacks exploit the security gaps between disjointed solutions protecting isolated areas of hybrid environments. Identity and access management (IAM) solutions alone cannot stop them, as they lack real-time threat detection and the ability to enforce security decisions based on active risk signals. Defending against these evolving threats requires organizations to stop external adversaries from gaining access, while rapidly detecting and eliminating threats that may already be inside — FAMOUS CHOLLIMA, for example, embeds malicious insiders at organizations to operate internally.
With inline prevention for Entra ID combined with advanced ITDR, CrowdStrike secures every part of the modern hybrid environment — from prevention to detection to response.
Inline, Real-Time Prevention Strengthens Entra ID Protection
CrowdStrike Falcon® Identity Protection now supports Microsoft’s External Authentication Method (EAM) and sits inline with every Entra ID authentication request, giving organizations real-time control over identity-based attacks. This integration enables security teams to dynamically grant, block, or challenge access based on risk signals to prevent a compromise.
By combining Falcon Identity Protection risk scores, device trust signals, and threat intelligence, CrowdStrike acts as a security checkpoint for Entra ID authentication. Organizations can enforce access decisions that require a device to be registered in Entra ID, have the Falcon sensor installed, and meet a Zero Trust Assessment (ZTA) score threshold — all without relying solely on Microsoft’s native IAM tools. This ensures only trusted users and devices gain access, blocking adversaries trying to exploit stolen credentials.
For example, if an attacker using compromised credentials attempts to log in, CrowdStrike’s OpenID Connect (OIDC) integration can immediately block access, challenge the request with multifactor authentication (MFA), or enforce stricter controls. This proactive approach minimizes the attack surface and significantly reduces the risk of breaches.
Stop Lateral Movement in Hybrid Cloud Environments
In hybrid environments, organizations often rely on multiple identity providers. Adversaries exploit these setups to move laterally between systems. Falcon Identity Protection mitigates this risk by providing a unified interface to enforce access controls across identity providers.
Using real-time user risk scores, privileged visibility, and device trust data, CrowdStrike enables organizations to dynamically block high-risk logins, inject MFA challenges based on threat context, and prevent lateral movement between identity providers. This capability ensures a seamless experience for legitimate users while stopping adversaries in their tracks.
How to Configure CrowdStrike as an EAM in Entra ID
Microsoft Entra ID customers can easily configure CrowdStrike as an EAM. Follow these quick steps to set up this integration and start getting real-time Entra ID protection.
Prerequisites:
- The user setting up this integration must have administrator privileges in both Azure and Falcon.
- An Azure IDaaS connector has been set up in the same tenant as the OIDC connector. For detailed steps, see Falcon Identity Protection’s product documentation.
CrowdStrike Falcon Console: Setting Up an OIDC Connector
This process guides users through creating an OIDC client in the Falcon console, configuring its details, and obtaining necessary information for integration with the Azure portal.
STEP 1: In the Falcon console, click the main menu icon in the upper-left side of the screen. Then, click Identity Protection. Finally, click OIDC integrations under the “Configure” category.
STEP 2: On the OIDC integrations page, click Create OIDC client.
STEP 3: Enter a name for your OIDC client, then enter the following as the redirect URL: https://login.microsoftonline.com/common/federation/externalauthprovider. When both are entered, click Create.
STEP 4: Once created, click the three dots to the right of your OIDC client. Then, click OIDC client details from the dropdown.
STEP 5: Note the following values: Client ID, Discovery endpoint, and App ID. These will be used during setup in the Azure portal.
Azure Portal: Configure CrowdStrike as an EAM
Microsoft has detailed management of an external authentication method in Microsoft Entra ID in the following documentation: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage.
Follow the steps to Manage an EAM in the Microsoft Entra admin center, using the Client ID, Discovery endpoint, and App ID from the Falcon console noted in the previous section.
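Before switching to the Entra admin center, it is worth checking the values produced in STEP 3 and STEP 5 offline. The script below is an added example, not CrowdStrike's or Microsoft's code: it verifies that the redirect URL matches the one Entra ID expects exactly, and that the discovery document is well-formed by OpenID Connect Discovery rules (issuer, authorization endpoint and JWKS URI present, HTTPS, issuer consistent with the discovery URL). The discovery URL, hostname and document are constructed placeholders, not real Falcon values.

```python
"""Pre-flight checks for a Falcon OIDC client used as an Entra ID EAM (added example)."""
import json
from urllib.parse import urlparse

# Redirect URL Entra ID expects for an external authentication method (STEP 3).
EAM_REDIRECT_URL = "https://login.microsoftonline.com/common/federation/externalauthprovider"
# Fields Entra ID, as the OIDC relying party, must find in the discovery document.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed stand-in for the "Discovery endpoint" value noted in STEP 5;
# hostname and path are placeholders, not real CrowdStrike values.
SAMPLE_DISCOVERY_URL = "https://oidc.example-falcon.invalid/tenant-placeholder" + WELL_KNOWN
SAMPLE_DISCOVERY_DOC = json.loads("""{
  "issuer": "https://oidc.example-falcon.invalid/tenant-placeholder",
  "authorization_endpoint": "https://oidc.example-falcon.invalid/tenant-placeholder/authorize",
  "jwks_uri": "https://oidc.example-falcon.invalid/tenant-placeholder/jwks",
  "response_types_supported": ["id_token"]
}""")

def check_redirect_url(configured: str) -> list[str]:
    """Problems with the redirect URL typed into the Falcon console; [] means OK.
    A trailing slash, http://, or a different host is a different redirect URI
    to the relying party, so the comparison is exact."""
    return [] if configured == EAM_REDIRECT_URL else [
        f"redirect URL must be exactly {EAM_REDIRECT_URL}, got {configured!r}"]

def check_discovery(discovery_url: str, doc: dict) -> list[str]:
    """Problems with a discovery document as a relying party would consume it; [] means OK."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL should end with " + WELL_KNOWN)
    issuer = doc.get("issuer", "")
    # OIDC Discovery: the document is served at <issuer> + /.well-known/openid-configuration.
    if issuer and discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append("issuer does not match the discovery URL")
    for key in REQUIRED_KEYS:
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} must use https")
    return problems

def preflight(redirect_url: str, discovery_url: str, doc: dict) -> list[str]:
    """All problems found; an empty list means the client is ready for the Entra side."""
    return check_redirect_url(redirect_url) + check_discovery(discovery_url, doc)

if __name__ == "__main__":
    for line in preflight(EAM_REDIRECT_URL, SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY_DOC) or ["OK"]:
        print(line)
```

To use it against a real tenant, fetch the discovery endpoint noted in STEP 5 with an HTTPS client and pass the parsed JSON to `preflight` in place of the constructed document.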
Unmatched Value with CrowdStrike Falcon Identity Protection
Falcon Identity Protection empowers organizations to stop adversaries. By integrating real-time threat prevention directly into Entra ID authentication flows, CrowdStrike helps organizations thwart identity-based attacks with precision. CrowdStrike’s extended capabilities for Entra ID reinforce its mission to prevent breaches by stopping identity-based attacks before they happen.
As part of the unified CrowdStrike Falcon® cybersecurity platform, Falcon Identity Protection uses advanced AI trained on trillions of security events, combined with native device (endpoint) trust data, cloud telemetry, and industry-leading threat intelligence to determine whether access should be granted, blocked, or challenged. With Falcon Identity Protection, organizations have seen up to 85% faster responses to identity attacks, up to 84% increase in operational efficiencies,[1] and up to 310% return on investment.[2]
Learn how unified identity security can prevent modern cyberattacks in The Complete Guide to Building an Identity Protection Strategy.
[1] Based on BVA Analysis with Falcon Identity Protection customers. The BVA Analysis figures shown are projected estimates of average benefit based on recorded metrics provided by customers during pre-sale motions that compare the value of CrowdStrike with the customer’s incumbent solution. Actual realized value will depend on each customer’s module deployment and environment.