Entra ID Account Takeover – Part 1

Morgan Holm

Jun 18, 2024

There are multiple ways for a bad actor to take over an Entra ID account from on-prem Active Directory (AD) using Entra (Azure AD) Connect. It should come as no surprise that the main accounts targeted are privileged ones, especially Global Admins (GA). This blog post, Entra ID Account Takeover – Part 1, covers what Entra ID (Azure AD) Connect is and how the Entra Connect Sync process keeps identities synchronized across AD and Entra ID.

Entra (Azure AD) Connect

Microsoft Entra Connect is an on-prem Microsoft application that lets users sign in to both cloud and on-prem resources with the same credentials. Most organizations use it so their users can sign in to Microsoft 365 or other Entra ID applications and resources. Microsoft Entra Connect Sync synchronizes identity data between on-prem AD and the cloud by provisioning objects, removing them and keeping them up to date, so organizations don’t need to manage and harmonize the same identities separately on-prem and in the cloud. It supports the following authentication methods (seamless single sign-on (SSO) can additionally be enabled with either of the cloud authentication options):

  • Cloud Authentication – Entra ID handles the authentication process and can do this by:

    • Password hash synchronization (PHS) – a hash derived from each user’s on-prem AD password hash is synchronized to Entra ID, so users sign in to the cloud with the same username and password they use on-prem and Entra ID validates the password itself.
    • Pass-through authentication (PTA) – users also sign in with their on-prem credentials, but no password hashes are stored in Entra ID; the password is validated against on-prem AD by PTA agents running on on-prem servers.
  • Federated Authentication – Microsoft Entra ID hands off authentication to a separate trusted system, such as AD FS or a third-party federation service such as PingFederate.

Entra Connect Sync Matching

Entra Connect Sync can be configured to provision new objects from AD into Entra ID and keep them synchronized. When an incoming AD object has to be matched to an object that already exists in Entra ID, one of two methods applies. A hard match uses the msDS-ConsistencyGUID attribute (or objectGUID) from on-prem AD as the source anchor; its value, base64-encoded, is the ImmutableID (onPremisesImmutableId) of the corresponding object in Microsoft Entra ID. A soft match uses the UserPrincipalName (UPN) or the primary SMTP address in proxyAddresses. Once the objects are matched, if password hash sync is used, the password in Entra ID is overwritten with the password from on-prem AD. The process also keeps the objects and passwords synchronized afterwards: when they are changed in AD, the change is propagated to Entra ID, which is the most common scenario.
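As an added example (not code from this post or from Microsoft), the following Python models the two matching rules described above on constructed sample objects. The GUID-to-ImmutableID conversion is the real one: Entra Connect base64-encodes the 16 GUID bytes in the Windows byte layout that System.Guid.ToByteArray() returns (in PowerShell, `[Convert]::ToBase64String($user.ObjectGUID.ToByteArray())`), and uuid.UUID(...).bytes_le produces the same layout in Python. The sample tenant, user names and GUIDs are constructed, and the rule that only cloud objects with no ImmutableID are eligible for a soft match is a simplification made for this model.

```python
"""Model of Entra Connect Sync hard/soft matching on constructed sample data.
Added example for illustration; not Cygna Labs or Microsoft code."""
import base64
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def guid_to_immutable_id(guid: str) -> str:
    """Convert an AD objectGUID / msDS-ConsistencyGUID to its ImmutableID.

    AD stores the GUID as 16 bytes in the Windows layout (first three fields
    little-endian), the same bytes System.Guid.ToByteArray() returns; Entra
    Connect base64-encodes exactly those bytes. uuid's bytes_le matches that.
    """
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse conversion, useful when checking a cloud object's anchor."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


@dataclass
class AdUser:
    object_guid: str
    upn: str
    proxy_addresses: List[str] = field(default_factory=list)
    consistency_guid: Optional[str] = None  # msDS-ConsistencyGUID, if populated

    def source_anchor(self) -> str:
        # Entra Connect uses msDS-ConsistencyGUID as the anchor; when it is
        # empty it copies objectGUID into it on first sync and uses that.
        return self.consistency_guid or self.object_guid


@dataclass
class CloudUser:
    upn: str
    immutable_id: Optional[str] = None  # onPremisesImmutableId; None = cloud-only
    proxy_addresses: List[str] = field(default_factory=list)


def primary_smtp(addresses: List[str]) -> Optional[str]:
    """The primary SMTP address is the entry prefixed with upper-case 'SMTP:'."""
    for a in addresses:
        if a.startswith("SMTP:"):
            return a[5:].lower()
    return None


def match(ad_user: AdUser, cloud_users: List[CloudUser]) -> Tuple[str, Optional[CloudUser]]:
    """Return ('hard' | 'soft-upn' | 'soft-proxy' | 'none', matched cloud user)."""
    anchor = guid_to_immutable_id(ad_user.source_anchor())
    # Hard match: the cloud object's ImmutableID equals the encoded anchor.
    for cu in cloud_users:
        if cu.immutable_id == anchor:
            return "hard", cu
    # Soft match (modelled here as applying only to cloud objects that have no
    # ImmutableID yet): UPN first, then primary SMTP address, case-insensitive.
    for cu in cloud_users:
        if cu.immutable_id:
            continue
        if cu.upn.lower() == ad_user.upn.lower():
            return "soft-upn", cu
        ad_smtp, cu_smtp = primary_smtp(ad_user.proxy_addresses), primary_smtp(cu.proxy_addresses)
        if ad_smtp and ad_smtp == cu_smtp:
            return "soft-proxy", cu
    return "none", None


# Constructed sample tenant: 'alice' was synced before, the others are cloud-only.
SAMPLE_CLOUD_USERS = [
    CloudUser("alice@contoso.example",
              immutable_id=guid_to_immutable_id("9b2f5b2e-1c4d-4f7a-8e3d-2a1b0c9d8e7f")),
    CloudUser("bob@contoso.example", proxy_addresses=["SMTP:bob@contoso.example"]),
    CloudUser("ga@contoso.onmicrosoft.example",
              proxy_addresses=["SMTP:ga@contoso.example", "smtp:ga@contoso.onmicrosoft.example"]),
]

# Constructed AD users: one previously synced, two that soft-match, one with no counterpart.
SAMPLE_AD_USERS = [
    AdUser("9b2f5b2e-1c4d-4f7a-8e3d-2a1b0c9d8e7f", "alice@contoso.example"),
    AdUser("6d0e1f2a-3b4c-4d5e-9f60-718293a4b5c6", "Bob@contoso.example"),
    AdUser("0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "ga.admin@contoso.example",
           proxy_addresses=["SMTP:GA@contoso.example"]),
    AdUser("f1e2d3c4-b5a6-4978-8a9b-0c1d2e3f4a5b", "dave@contoso.example"),
]


def run_matching() -> Dict[str, str]:
    """Match every sample AD user and report which rule applied."""
    return {u.upn: match(u, SAMPLE_CLOUD_USERS)[0] for u in SAMPLE_AD_USERS}


if __name__ == "__main__":
    for upn, rule in run_matching().items():
        print(f"{upn:28} -> {rule}")
```

Against a real tenant the same conversion is the check worth running: compare the onPremisesImmutableId that Microsoft Graph returns for each synced user with the base64-encoded msDS-ConsistencyGUID (or objectGUID) of the AD object it is supposed to represent, and treat any cloud object whose anchor does not decode to a GUID you own as something to investigate.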

The sync process creates opportunities for abuse: an attacker who has, or gains, on-prem access to AD could use it to compromise Entra ID. Part 2 of this blog post covers how these attacks can be carried out, what you can do to mitigate the risk, and what to look for to see whether they are occurring in your environment.