Federation in Microsoft Entra ID allows your organisation to delegate authentication to an external identity provider. When a federated domain is added, users with email addresses in that domain can authenticate using tokens issued by the external provider — rather than being validated directly by Entra ID. This is a powerful and legitimate capability used for hybrid environments and SSO with external partners.
However, if an attacker has Global Admin access, adding a rogue federated domain is one of the most persistent and hard-to-detect backdoors available. Using a technique known as Golden SAML, an attacker who controls the external identity provider can forge authentication tokens for any user in the federated domain — including admin accounts — without those users needing to authenticate at all. This backdoor can survive password resets and MFA changes, because the trust relationship bypasses Entra ID's own credential validation.
Federated domain additions are a legitimate part of configuring hybrid identity environments and SSO integrations. Legitimate scenarios include:
In all cases, domain federation is a significant architectural change that should have a corresponding project ticket, change management record, or configuration review. Any addition that cannot be immediately matched to an approved change is suspicious.
Overe Auto-Response: The New Federated Domain Added alert can be configured in Overe to trigger automatic session revocation or account block for the initiating admin when this activity is detected. Review your Auto-Response settings under Org Config > Auto-Response — given the severity of this indicator, an automated response is strongly recommended.
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
After investigating a new federated domain alert, review these related risk areas: