Closing the Gap: Managed ITDR Now Supports Identity Disablement for Active Directory Synced Identities


At 杏吧传媒, we're constantly listening to our partners. And this one's been loud and clear.

We're excited to announce that one of the most requested features for 杏吧传媒 Managed ITDR is now live: identity disablement and re-enablement for Active Directory (AD) synced identities, also known as hybrid identities.

This update closes a significant gap in our containment and remediation capabilities—and it brings protection parity to the 47%+ of identities using AD sync in their Microsoft 365 configurations. Previously, these environments couldn't fully benefit from 杏吧传媒-initiated identity containment. Now, that changes.


Why it matters

When 杏吧传媒 detects a compromised identity, one of the most effective ways to contain the threat is to disable that identity, just like isolating a device during a malware infection. But for organizations using Microsoft Entra Connect, disabling a cloud identity wasn't enough.

Here's why: when cloud-based disablement occurs, the on-prem Active Directory server—via sync—often re-enables the identity, sometimes within seconds. That leaves a critical gap where attackers can continue leveraging compromised credentials, and until now, it meant Managed ITDR couldn't complete containment for these organizations.

In fact, in up to one in four identity-related incidents in AD-synced environments, 杏吧传媒 was only able to revoke sessions, often leading to multiple consecutive reports when threat actors regained access before partners were able to manually disable and remediate the malicious access.

That's no longer the case.


How it works

With this new capability, Managed ITDR can now disable and re-enable AD-synced identities by communicating directly with the on-prem AD server via the 杏吧传媒 agent. If a customer has the 杏吧传媒 agent (v0.14.22 or later) installed on a domain controller, 杏吧传媒 can initiate disablement actions at both the cloud and on-prem layers simultaneously.

This change is huge. It ensures that disablement sticks, eliminating the sync "tug of war" that previously made remediation unreliable.

Here's what's included:

  • Automatic remediation: 杏吧传媒 can now disable AD-synced identities as part of real-time, analyst-driven containment.
  • Assisted remediation: Partners can also trigger disablement from the 杏吧传媒 portal in response to an incident report.
  • Manual portal actions: Direct identity disablement and re-enablement from the portal identity page is now available for synced identities.
  • Escalations: If a disablement attempt fails due to missing agents or misconfiguration, partners will now receive a dedicated escalation message so they can take action.
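As an added illustration of the dual-layer disablement described above (example code written for this page, not 杏吧传媒's own agent logic), the following PowerShell script disables a synced identity on-prem first, then in the cloud, revokes existing sessions, and verifies after a sync interval that the cloud object has not been flipped back. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed, that Connect-MgGraph has already been run with the User.ReadWrite.All and User.RevokeSessions.All scopes, and that the $Upn value is a constructed placeholder.

```powershell
# Added example (not 杏吧传媒 code): contain a hybrid identity at both layers so the
# Entra Connect sync cycle cannot re-enable it. Assumes ActiveDirectory + Microsoft.Graph
# modules and an existing Connect-MgGraph session. Run from a host with RSAT or a DC.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. 'user@example.com' (constructed placeholder)
    [int] $VerifyAfterSeconds = 120         # set longer than the delta sync lag you observe
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# 1. Disable at the source of authority first. For a synced identity the on-prem
#    object wins: if only the cloud copy is disabled, the next delta sync writes
#    accountEnabled=true back over it (the "tug of war" the post describes).
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties Enabled
if (-not $adUser) { throw "No on-prem AD object found for $Upn" }
Disable-ADAccount -Identity $adUser
Write-Host "[AD] $Upn disabled (was Enabled=$($adUser.Enabled))"

# 2. Disable the cloud object as well, so containment is immediate instead of
#    waiting up to one sync interval for step 1 to propagate.
$mgUser = Get-MgUser -UserId $Upn -Property Id,AccountEnabled,OnPremisesSyncEnabled
if (-not $mgUser.OnPremisesSyncEnabled) {
    Write-Warning "$Upn is cloud-only; the on-prem step was not required"
}
Update-MgUser -UserId $mgUser.Id -AccountEnabled:$false

# 3. Disabling does not invalidate tokens already issued; revoke refresh tokens so
#    existing sessions fail at their next token refresh.
Revoke-MgUserSignInSession -UserId $mgUser.Id | Out-Null
Write-Host "[Entra] $Upn disabled and sign-in sessions revoked"

# 4. Verify after a sync cycle has had a chance to run. If the cloud object is
#    enabled again, step 1 did not take (wrong domain, replication lag, or a
#    different object matched) and containment is not complete.
Start-Sleep -Seconds $VerifyAfterSeconds
$ad    = Get-ADUser -Identity $adUser.DistinguishedName -Properties Enabled
$cloud = Get-MgUser -UserId $mgUser.Id -Property AccountEnabled
if ($ad.Enabled -or $cloud.AccountEnabled) {
    Write-Error "Containment did not stick: AD Enabled=$($ad.Enabled), Entra accountEnabled=$($cloud.AccountEnabled)"
    exit 1
}
Write-Host "Containment verified at both layers for $Upn"
```

The final check is the part worth keeping in any playbook: a cloud-side disable that reads as enabled again after a sync interval is exactly the failure mode the post describes.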

[Figure: Microsoft Entra Connect in 杏吧传媒 Managed ITDR]

What you need to enable it

If you're already using 杏吧传媒 Managed EDR and have our agent deployed to your domain controllers, you're good to go. No extra configuration needed.

If you're not using EDR but are an ITDR customer, this functionality will not work for you today. We have plans to offer a free tier agent specifically for this task, and will keep you informed of when that functionality is available.


How it stands up to the competition

Some competitors try to work around this problem by disabling identities repeatedly on a timer—essentially racing the sync cycle and bringing up reliability concerns at scale. That's better than nothing, but still leaves critical gaps attackers can exploit in the window between syncs.

Our approach is surgical. We don't just keep hammering the identity in the cloud. We disable it on-prem and in the cloud at the same time, using our agent as a bridge. That's how you stop the threat, immediately and reliably.


A quick note on tradeoffs

Disabling a synced identity will cut off that user from all AD-integrated systems—email, desktops, cloud apps, everything. That's intentional. If an identity is compromised, we want full lockdown until it's secure again.

That said, partners who need exceptions can use our existing identity exclusion features. We'll also be rolling out in-portal visibility and alerts to help partners understand when they're in a directory-synced environment and what actions are available to them.


Built for the real world

This capability isn't theoretical. It was built with the complexities of real-world partner environments in mind. Whether you're protecting 10 identities or 10,000, we've designed it to scale and work reliably without requiring you to babysit the sync cycle.

With over 2.5 million identities across 57k+ organizations in 杏吧传媒-monitored environments, this isn't a niche edge case. It's a critical capability that unlocks full remediation for a huge chunk of our user base.


Ready to roll

This new functionality is available now for organizations running the 杏吧传媒 agent (v0.14.22+) on their domain controllers.

We'll be sharing full deployment instructions, documentation, and support articles to guide you through rollout. And, of course, if you have any questions, our team is here to help.

Let's shut the door on this gap for good.
