(844) 442-9462(844) 442-9462Free TrialFree TrialContact SalesContact SalesSign inSign in
Cygna Labs
<b>IPControl</b> Software
IPControl Software

Advanced DDI software for Linux or Windows

<b>Sapphire</b> Appliances
Sapphire Appliances

Secure, multi-platform DDI appliances

<b>DDI</b> Services
DDI Services

Tiered support and managed DDI services

<b>DDI</b> Security
DDI Security

DDI defense-in-depth protections

<b>DNSSEC</b> Appliances
DNSSEC Appliances

Automated DNS integrity and authentication

<b>IPAM</b> Auditor Appliance
IPAM Auditor Appliance

Rich DDI reporting, auditing, and forensics

<b>ImageControl</b> Software
ImageControl Software

Scalable DOCSIS firmware management

<b>Sapphire</b> Automation Appliances
Sapphire Automation Appliances

Drag-and-drop DDI API automation

<b>IPAM</b> Executive Failover Appliances
IPAM Executive Failover Appliances

DDI management resiliency

DDI Guard Software
DDI Guard Software

DDI transaction reporting and filtering

Products
IT Managers
IT Managers

Keep your network and business running

DevOps Engineers
DevOps Engineers

Insert DDI automation effortlessly

Security Professionals
Security Professionals

Add a DDI defense-in-depth layer

Business Professionals
Business Professionals

Maximize returns with comprehensive DDI

Cloud Architects
Cloud Architects

Consolidate cloud subnet, IP & DNS data

Solutions
Resource center
Resource center

Explore Cygna Labs' library of white papers, webinars and other helpful content

Blog
Blog

Intriguing DDI and Compliance posts

Newsroom
Newsroom

Keep up with our blistering news feed

Webinars
Webinars

Educational technology webinars

Events
Events

Come see us at upcoming industry events

Success stories
Success stories

How real businesses accelerate their growth with us

White Papers
White Papers

Read about the many ways Cygna Labs can enhance your diverse network initiatives.

Resources
About us
About us

Learn what makes us great

Leadership
Leadership

Meet our executive team

Partners
Partners

View our growing partner integrations

Careers
Careers

Come join our rapidly growing team

Company
Book a Demo
shield

Strengthen your organization’s cybersecurity posture with software solutions from Cygna Labs

  1. Home

  2. Blog

  3. Entra ID Account Takeover – Part 1

CybersecuritySync attackEntra ID Security

Entra ID Account Takeover – Part 1

Morgan Holm

Morgan Holm

Jun 18, 2024

Entra ID Account Takeover – Part 1

There are multiple ways for a bad actor to take over an Entra ID account from on-prem Active Directory (AD) using Entra (Azure AD) Connect. There should be no surprise that the main accounts targeted are privileged, especially Global Admin (GA). This blog post, Entra ID Account Takeover – Part 1, covers what Entra ID (Azure AD) Connect is and how the Entra Connect Sync process keeps identities synchronized across AD and Entra ID.

Entra (Azure AD) Connect

Microsoft Entra Connect is an on-prem Microsoft application that allows users to sign in to both cloud and on-prem resources by using the same passwords. Most organizations use it for their users to sign on to Microsoft 365 or other Entra ID applications or resources. Microsoft Entra Connect Sync is used to synchronize identity data between on-prem and the cloud by provisioning, removing, and keeping them up to date so organizations don’t need to manage and harmonize all their identities in both on-prem and in the cloud. It supports the following different methods providing seamless single sign on (SSO):

  • Cloud Authentication – Entra ID handles the authentication process and can do this by:

    • Password hash synchronization (PHS) – Password Hash Sync with the same username and password that they use on-prem.
    • Pass-through authentication (PTA) – Similar to password hash sync but provides validation using on-prem agents.

  • Federated Authentication – Microsoft Entra ID will pass off the auth process to a separate trusted system, such as ADFS or a 3rd party federation system such as PingFederate.

Entra Connect Sync Matching

Entra Connect Sync can be configured to provision new incoming objects from AD to Entra ID and to keep them synchronized. A hard match uses msDS-ConsistencyGUID attribute (or ObjectGUID) from on-prem AD. This attribute value is the corresponding ImmutableID in Microsoft Entra ID. A soft match uses UserPrincipalName (UPN) proxyAddress. If password sync is used, then the password in Entra ID is overwritten with the password from on-prem AD. The process also keeps the objects and passwords synchronized when they are changed in AD, it will be then propagated to Entra ID which is the most common scenario.

The sync process creates opportunities for abuse. An attacker that has or gained on-prem access to AD could compromise Entra ID. Find out how these attacks could be accomplished and what you can do to mitigate the risk. Also, what to look for to see if they are occurring in your environment in part 2 of the blog post.