Hybrid Identity Miscellaneous Attacks


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Forcing Synchronization of Entra ID users to on-prem

As explained in https://www.youtube.com/watch?v=JEIR5oGCwdg, it was possible to take over a cloud-only Entra ID admin from the on-prem AD by abusing the soft match logic of Entra Connect: add the email of the Entra ID admin to the proxyAddresses attribute of an on-prem AD user (for example SMTP:admin@domain.onmicrosoft.com) and make sure the UPN of that AD user is identical to the UPN of the admin in Entra ID. On the next sync cycle Entra Connect matches the on-prem object to the existing cloud admin and links the two, so with password hash synchronization the on-prem password (which the attacker knows) becomes the password of the admin in Entra ID.

In order to match an on-prem AD user to an existing cloud-only user in Entra ID, the only requirements are:

  • Control over the attributes of a user in the on-prem AD (or permissions to create new users), in particular userPrincipalName and proxyAddresses
  • Knowing which cloud-only user in Entra ID to target (its UPN or its primary SMTP address)
  • For a hard match you additionally need to set the ImmutableId (onPremisesImmutableId) of the Entra ID user to the base64-encoded objectGUID of the on-prem AD user, because hard match takes precedence and soft match only applies to cloud objects that have no ImmutableId yet
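The following is an added example (not code from the original page or from Microsoft) that models the two matching rules described above in Python: it computes the default Entra Connect sourceAnchor (base64 of the objectGUID in .NET byte order, which is what ImmutableId holds) and decides whether a constructed on-prem user would hard-match or soft-match a constructed cloud-only user. The user objects, GUID and addresses are made up, and the order in which UPN and primary SMTP are compared during soft match is an assumption of this model, not a documented guarantee.

```python
import base64
import uuid
from dataclasses import dataclass, field
from typing import List, Optional


def guid_to_immutable_id(object_guid: str) -> str:
    """Default Entra Connect sourceAnchor: base64 of the objectGUID in .NET byte order.

    .NET Guid.ToByteArray() stores the first three GUID fields little-endian, which is
    exactly what uuid.UUID.bytes_le returns, so the two encodings agree.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode()


def immutable_id_to_guid(immutable_id: str) -> str:
    """Inverse of guid_to_immutable_id, useful when reading onPremisesImmutableId."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))


@dataclass
class OnPremUser:                       # constructed model of an AD user object
    object_guid: str
    upn: str
    proxy_addresses: List[str] = field(default_factory=list)


@dataclass
class CloudUser:                        # constructed model of an Entra ID user object
    upn: str
    immutable_id: Optional[str] = None  # onPremisesImmutableId; None for cloud-only
    proxy_addresses: List[str] = field(default_factory=list)


def primary_smtp(addresses: List[str]) -> Optional[str]:
    """The primary SMTP address is the proxyAddresses entry with the upper-case 'SMTP:' prefix."""
    for addr in addresses:
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):].lower()
    return None


def match_type(ad: OnPremUser, cloud: CloudUser) -> Optional[str]:
    """Which rule links this on-prem object to this cloud object, if any.

    Hard match (sourceAnchor == ImmutableId) is evaluated first. Soft match (UPN or
    primary SMTP) is only attempted against cloud objects with no ImmutableId set.
    Checking UPN before SMTP is an assumption of this model.
    """
    if cloud.immutable_id is not None:
        return "hard" if cloud.immutable_id == guid_to_immutable_id(ad.object_guid) else None
    if ad.upn.lower() == cloud.upn.lower():
        return "soft-upn"
    smtp = primary_smtp(ad.proxy_addresses)
    if smtp is not None and smtp == primary_smtp(cloud.proxy_addresses):
        return "soft-smtp"
    return None


def demo() -> dict:
    """Constructed scenario: a cloud-only target and an attacker-controlled AD user."""
    target = CloudUser(
        upn="admin@domain.onmicrosoft.com",
        proxy_addresses=["SMTP:admin@domain.onmicrosoft.com"],
    )
    attacker = OnPremUser(
        object_guid="12345678-1234-1234-1234-123456789abc",
        upn="svc-backup@corp.local",
    )
    results = {}
    # 1. Unrelated UPN and empty proxyAddresses: nothing to match on.
    results["untouched"] = match_type(attacker, target)
    # 2. Add the target's primary SMTP address to proxyAddresses: soft match on SMTP.
    attacker.proxy_addresses = ["SMTP:admin@domain.onmicrosoft.com"]
    results["smtp_added"] = match_type(attacker, target)
    # 3. Also align the UPN: the UPN rule is checked first in this model.
    attacker.upn = "admin@domain.onmicrosoft.com"
    results["upn_aligned"] = match_type(attacker, target)
    # 4. Once the cloud object carries an ImmutableId, soft match no longer applies;
    #    only an on-prem object whose sourceAnchor equals it is linked (hard match).
    target.immutable_id = guid_to_immutable_id("ffffffff-0000-0000-0000-000000000000")
    results["wrong_immutable_id"] = match_type(attacker, target)
    target.immutable_id = guid_to_immutable_id(attacker.object_guid)
    results["hard_match"] = match_type(attacker, target)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>20}: {outcome}")
```

Run it to see the five outcomes in order; step 4 is why the hard-match requirement above exists, and it is also why setting an ImmutableId on cloud-only accounts (or enabling the BlockSoftMatch directory feature) is a common defensive recommendation.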

caution

Entra ID no longer allows a cloud-only account that holds an admin role to be matched (taken over) by an on-prem object, and tenants can disable soft match entirely with the BlockSoftMatch directory feature and block hard-match takeovers with BlockCloudObjectTakeoverThroughHardMatch. Also, this technique does not bypass MFA: it gives the attacker the password of the account, not its second factor.
