Hybrid Identity Miscellaneous Attacks
Reading time: 3 minutes
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Forcing Synchronization of Entra ID users to on-prem
As shown in https://www.youtube.com/watch?v=JEIR5oGCwdg, it was possible to set the ProxyAddress attribute of a user in the on-prem AD to the email address of an Entra ID admin user, for example SMTP:admin@domain.onmicrosoft.com, while also making sure that the UPN of the on-prem AD user matched the UPN of that Entra ID user. This forced the synchronization of the user from Entra ID to the on-prem AD, so if the password of the on-prem user was known, it could be used to access the admin account in Entra ID.
In order to synchronize a new user from Entra ID to the on-prem AD, the only requirements are:
- Control the attributes of a user in the on-prem AD (or have permissions to create new users)
- Know the cloud-only user to synchronize from Entra ID to the on-prem AD
- You might also need to be able to change the immutableID attribute of the Entra ID user to the value of the on-prem AD user in order to do a hard match.
caution
Entra ID no longer allows admins to be synchronized from Entra ID to the on-prem AD. Also, this won't bypass MFA.
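The matching described above depends on someone writing a cloud-only account's address into the proxyAddresses or userPrincipalName attribute of an on-prem AD object. Those attribute writes are visible to defenders: with directory service change auditing enabled, Windows logs them as Security event 5136 ("A directory service object was modified"). The following is an added detection example, not code from the original page or from HackTricks. It assumes the 5136 records have already been exported and normalized into dictionaries with the fields shown (object DN, attribute name, added/deleted, value, acting account), and it uses a constructed list of cloud-only privileged accounts and constructed sample events. It flags any value added to a soft-match attribute that equals one of those cloud-only accounts, ignoring deletions, non-SMTP proxy entries and unrelated attributes.

```python
"""Flag on-prem AD attribute changes that could soft-match a cloud-only Entra ID account.

Added example, not part of the original page. The event records below are a
constructed, normalized form of Windows Security event 5136; the set of
cloud-only privileged accounts is an assumed input a defender would export
from Entra ID (values are constructed samples).
"""

import re
from typing import Iterable, List, Optional, Tuple

# Constructed: cloud-only accounts that must never be matched to an on-prem object.
CLOUD_ONLY_PRIVILEGED = {
    "admin@contoso.onmicrosoft.com",
    "breakglass@contoso.onmicrosoft.com",
}

# Attributes Entra Connect uses for soft matching: the UPN and the primary SMTP
# address held in proxyAddresses (compared case-insensitively).
SOFT_MATCH_ATTRIBUTES = {"proxyaddresses", "userprincipalname"}

# Constructed, normalized 5136 records. "Operation" is "added" or "deleted".
SAMPLE_EVENTS = [
    {"EventID": 5136, "Subject": "CONTOSO\\jdoe",
     "ObjectDN": "CN=J Doe,OU=Users,DC=contoso,DC=local",
     "Attribute": "proxyAddresses", "Operation": "added",
     "Value": "SMTP:admin@contoso.onmicrosoft.com"},          # hit: primary SMTP of a cloud-only admin
    {"EventID": 5136, "Subject": "CONTOSO\\jdoe",
     "ObjectDN": "CN=J Doe,OU=Users,DC=contoso,DC=local",
     "Attribute": "userPrincipalName", "Operation": "added",
     "Value": "Admin@contoso.onmicrosoft.com"},               # hit: UPN set to the same account
    {"EventID": 5136, "Subject": "CONTOSO\\svc-exchange",
     "ObjectDN": "CN=J Doe,OU=Users,DC=contoso,DC=local",
     "Attribute": "proxyAddresses", "Operation": "added",
     "Value": "smtp:jdoe@contoso.com"},                       # benign alias
    {"EventID": 5136, "Subject": "CONTOSO\\helpdesk",
     "ObjectDN": "CN=J Doe,OU=Users,DC=contoso,DC=local",
     "Attribute": "description", "Operation": "added",
     "Value": "admin@contoso.onmicrosoft.com"},               # unrelated attribute, not a match source
    {"EventID": 5136, "Subject": "CONTOSO\\jdoe",
     "ObjectDN": "CN=J Doe,OU=Users,DC=contoso,DC=local",
     "Attribute": "proxyAddresses", "Operation": "deleted",
     "Value": "SMTP:admin@contoso.onmicrosoft.com"},          # removal, not an attempt to match
    {"EventID": 5136, "Subject": "CONTOSO\\jdoe",
     "ObjectDN": "CN=J Doe,OU=Users,DC=contoso,DC=local",
     "Attribute": "proxyAddresses", "Operation": "added",
     "Value": "SIP:admin@contoso.onmicrosoft.com"},           # SIP entry, not used for SMTP soft match
]


def normalize_smtp(value: str) -> Optional[str]:
    """Return the lower-cased address from a proxyAddresses entry such as
    'SMTP:x@y' or 'smtp:x@y'; return None for non-SMTP entries (SIP:, X500:, ...)."""
    match = re.fullmatch(r"(?i)smtp:(.+)", value.strip())
    return match.group(1).lower() if match else None


def find_soft_match_attempts(
    events: Iterable[dict], cloud_only_accounts: Iterable[str]
) -> List[Tuple[str, str, str, str]]:
    """Return (object DN, attribute, matched address, acting account) for every
    value added to a soft-match attribute that equals a cloud-only account."""
    targets = {account.lower() for account in cloud_only_accounts}
    findings = []
    for event in events:
        if event.get("EventID") != 5136 or event.get("Operation") != "added":
            continue
        attribute = event["Attribute"]
        if attribute.lower() not in SOFT_MATCH_ATTRIBUTES:
            continue
        if attribute.lower() == "proxyaddresses":
            address = normalize_smtp(event["Value"])
        else:
            address = event["Value"].strip().lower()
        if address in targets:
            findings.append((event["ObjectDN"], attribute, address, event["Subject"]))
    return findings


if __name__ == "__main__":
    for dn, attribute, address, actor in find_soft_match_attempts(SAMPLE_EVENTS, CLOUD_ONLY_PRIVILEGED):
        print(f"ALERT: {actor} set {attribute} on {dn} to cloud-only account {address}")
```

In practice the cloud-only account list would come from an export of Entra ID users that have no on-premises sync, and the findings would be correlated with the acting account: a regular user or a non-provisioning service account writing a tenant-admin address into these attributes is the signal worth escalating.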
References
- https://www.youtube.com/watch?v=JEIR5oGCwdg
- https://activedirectorypro.com/sync-on-prem-ad-with-existing-azure-ad-users/
- https://www.orbid365.be/manually-match-on-premise-ad-user-to-existing-office365-user/