EPISODE · Dec 21, 2025 · 2H 44M
Active Directory Security Drift: How Identity Sprawl and Misconfiguration Create Invisible Risk
from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net
(00:00:00) Unconstrained Delegation and the Furnace
(00:00:03) The Unconstrained Delegation Furnace
(00:07:08) The Golden Ticket Attack
(00:09:04) Krbtgt Rotation Rituals
(00:13:07) The Backup Service Account Privilege
(00:20:21) Local Administrator Reuse
(00:27:19) SMB Signing and NTLM Relay
(00:41:31) Group Policy Preferences and Passwords
(00:48:15) Two-Way Forest Trust
(00:48:49) The Intruder's Journey

In Part 2 of this m365.fm series, Mirko Peters goes deeper into the gravitational pull of Active Directory and how unchecked identity sprawl, legacy design, and operational shortcuts quietly turn it into a black hole for security. Most organizations treat AD as stable infrastructure — accounts are created, groups are added, permissions are granted, and life moves on. But every exception, every “temporary” permission, and every legacy service account adds weight. This episode is about what happens when that weight turns into security drift: slow, invisible, and accelerating until something breaks in production or during an incident.

WHY IDENTITY SYSTEMS NATURALLY DRIFT TOWARD INSECURITY
The assumption in many enterprises is that if access is reviewed occasionally and audits pass, identity is under control. It is not. Identity systems like Active Directory are constantly changing: projects launch, teams reorganize, mergers happen, vendors come and go. Each change adds new groups, roles, and permissions that rarely get cleaned up. Over time, privilege creep turns once-reasonable access models into sprawling risk surfaces. Security does not usually fail in a single moment. It decays slowly as accumulated decisions, shortcuts, and exceptions widen the blast radius of every future compromise.

HOW SECURITY DRIFT ACCELERATES INSIDE ACTIVE DIRECTORY
This episode breaks down how security drift accelerates over time: from harmless-seeming group nesting to orphaned service accounts with excessive privileges, from one-off troubleshooting changes that never get rolled back to “temporary” access that quietly becomes permanent. Mirko walks through how misconfiguration at scale creates attack paths that defenders cannot see with traditional tools, why standard audits rarely catch identity-based exposure, and how lateral movement becomes easy once drift has taken hold. Instead of treating each issue as a one-off fix, identity security is reframed as a physics problem — governed by gravity, inertia, and entropy.

WHAT YOU WILL LEARN
Why identity systems like Active Directory naturally drift toward insecurity over time.
How permissions, groups, and service accounts silently accumulate risk as environments grow.
The real-world impact of misconfiguration at scale on incident response and breach paths.
How attack paths form and persist inside complex AD environments.
Why traditional audits and point-in-time reviews miss identity-based threats.
What it takes to reverse security drift instead of just slowing it down for the next audit cycle.

KEY THEMES AND TOPICS
Privilege creep, access entropy, and how “just this once” changes become permanent.
Service account abuse, automation risk, and hidden high-privilege identities.
Lateral movement through identity systems and the paths attackers actually use.
Delegation risks, inheritance failures, and the illusion of least privilege.
Detection gaps in identity security and why visibility is often an illusion.
How to think about Active Directory as critical infrastructure, not just directory plumbing.

WHO THIS EPISODE IS FOR
Blue Team and SOC analysts who need to understand identity-driven attack paths.
Identity and Access Management (IAM) engineers responsible for AD hygiene and design.
Active Directory administrators maintaining complex, multi-forest or legacy-heavy environments.
Security architects designing modern defenses on top of old identity foundations.
CISOs and risk leaders who need language to explain “invisible” identity risk to the business.

ABOUT THE HOST
Mirko Peters is a Microsoft 365 expert, architect, and host of m365.fm. He works with organizations from small businesses to large enterprises on Microsoft 365 architecture, security, AI integration, governance design, and system architecture. His work focuses on designing context-driven systems that reduce complexity, enable autonomous execution, and create scalable performance across modern enterprises.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
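The chapter list names concrete drift conditions (unconstrained delegation, an unrotated krbtgt key, GPP passwords in SYSVOL, privileged accounts with service principal names, SMB signing not required). The script below is an added example, not code from the episode or from m365.fm: a read-only audit that surfaces those conditions in one pass so the "invisible" drift the episode describes becomes a list of findings. It assumes the ActiveDirectory RSAT module on a domain-joined host, an account with ordinary read access to the directory and SYSVOL, and a local-administrator session for the SMB configuration cmdlets; the function name `Invoke-AdDriftAudit` and the age thresholds are arbitrary choices made for this example.

```powershell
# Added example (not from the episode): read-only Active Directory drift audit.
# Assumes: ActiveDirectory RSAT module, domain-joined host, read access to the
# directory and SYSVOL. Get-Smb*Configuration may require an elevated session.
# The function name and the day thresholds are arbitrary choices for this example.
Import-Module ActiveDirectory

function Invoke-AdDriftAudit {
    param(
        [int]$KrbtgtMaxAgeDays = 180,   # rotate krbtgt at least twice a year
        [int]$StalePasswordDays = 365   # privileged password older than this is a finding
    )
    $domain   = Get-ADDomain
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Object, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
    }

    # 1. Unconstrained delegation: the host caches a forwardable TGT of every
    #    principal that authenticates to it. Domain controllers (primaryGroupID
    #    516 = Domain Controllers, 521 = RODCs) have it by design; any other
    #    computer, and any user account, is a finding.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 } |
        ForEach-Object { Add-Finding 'UnconstrainedDelegation' $_.SamAccountName 'computer (non-DC)' }
    Get-ADUser -Filter 'TrustedForDelegation -eq $true' |
        ForEach-Object { Add-Finding 'UnconstrainedDelegation' $_.SamAccountName 'user account' }

    # 2. krbtgt password age. A forged TGT (golden ticket) stays valid until the
    #    krbtgt secret has been changed twice (DCs accept the previous key too),
    #    so a never-rotated key keeps every past DC compromise live.
    $krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
    $age    = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    if ($age -gt $KrbtgtMaxAgeDays) { Add-Finding 'KrbtgtNotRotated' 'krbtgt' "last set $age days ago" }

    # 3. Group Policy Preferences passwords. MS14-025 stopped new cpassword
    #    values from being written but left existing ones in SYSVOL, readable
    #    by any authenticated user and decryptable with the published AES key.
    $sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
    Get-ChildItem -Path $sysvol -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -SimpleMatch |
        ForEach-Object { Add-Finding 'GppCpassword' $_.Path "line $($_.LineNumber)" }

    # 4. Domain Admins, expanded recursively so nested groups do not hide
    #    members. A privileged account with an SPN is Kerberoastable; one with
    #    an old or non-expiring password is the "backup service account" pattern.
    $admins = Get-ADGroupMember 'Domain Admins' -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires
    foreach ($u in $admins) {
        if ($u.ServicePrincipalName.Count -gt 0) {
            Add-Finding 'PrivilegedAccountWithSpn' $u.SamAccountName ($u.ServicePrincipalName -join ';')
        }
        # PasswordLastSet is null when the account must change password at next logon
        $pwAge = if ($null -eq $u.PasswordLastSet) { [int]::MaxValue }
                 else { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days }
        if ($u.PasswordNeverExpires -or $pwAge -gt $StalePasswordDays) {
            Add-Finding 'PrivilegedStalePassword' $u.SamAccountName "age $pwAge days, neverExpires=$($u.PasswordNeverExpires)"
        }
    }

    # 5. SMB signing, checked on this host only. If signing is not required on
    #    both sides, an NTLM relay against this host's sessions succeeds. Run
    #    this on every server in scope, not just the one you happen to be on.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    if (-not $srv.RequireSecuritySignature) { Add-Finding 'SmbSigningNotRequired' $env:COMPUTERNAME 'server side' }
    if (-not $cli.RequireSecuritySignature) { Add-Finding 'SmbSigningNotRequired' $env:COMPUTERNAME 'client side' }

    return $findings
}

# Usage: list every finding, then group by check to see which drift class dominates.
$result = Invoke-AdDriftAudit
$result | Format-Table -AutoSize
$result | Group-Object Check | Select-Object Name, Count
```

Each check is a directory read or a local configuration query, so the script can run from a non-privileged workstation with no change to the environment; the point is that all of these conditions are visible to any authenticated user, which is exactly why an intruder finds them before an audit does. Local administrator password reuse and forest-trust design, also named in the chapter list, are not covered here because they cannot be assessed from LDAP alone.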