
BA 13 – Microsoft Entra Connect & MSOL

Microsoft Entra Connect Sync, also known as directory synchronization, is a tool provided by Microsoft for synchronizing on-premises directory objects with Entra ID. This synchronization enables a seamless integration between on-premises identities and cloud-based services, facilitating a unified identity management experience. The primary purpose of Microsoft Entra Connect Sync is to streamline user authentication and access to various Microsoft cloud services, such as Microsoft 365 and Azure services.

Several types of synchronization are supported by Microsoft Entra Connect Sync, including:

Password hash synchronization (PHS): This method synchronizes a hash of a user’s on-premises Active Directory password to Entra ID, allowing users to sign in to cloud-based services using the same password they use on-premises.

Pass-through authentication (PTA): With PTA, user authentication requests are validated against the on-premises Active Directory instead of Entra ID. This method provides a single sign-on (SSO) experience for users, without the need to synchronize passwords to the cloud.

Federation: This method involves federating an on-premises Active Directory with Entra ID using Active Directory Federation Services (AD FS). With federation, authentication requests are redirected to the on-premises infrastructure for validation.

[Figure: How password hash synchronization works with Microsoft Entra ID.]

Microsoft Entra Connect Sync is closely related to the Microsoft Online Services Sign-in Assistant (MSOL), which is a component of Microsoft Entra Connect. MSOL facilitates user sign-in for Microsoft cloud services by providing a connection between the user’s on-premises identity and Entra ID. It helps manage user authentication and access to cloud-based applications and resources. During installation, Microsoft Entra Connect creates two on-premises accounts for replication/synchronization (the MSOL account and a managed service account) and one account in Entra ID for synchronization purposes. These accounts hold privileges (On-Premises Directory Synchronization Service Account) that allow them to modify and manipulate Entra ID accounts.

In a scenario where an attacker has gained local admin access to a server on which Microsoft Entra Connect is installed, the attacker is able to extract the MSOL credentials from the database (ADSync.mdf) and use them to escalate privileges and potentially compromise Azure cloud resources.
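One defensive check that follows from the scenario above, as an added example that is not part of the original page: the MSOL_ connector account should only ever authenticate from the Entra Connect server itself, so any logon to it from another host is worth an alert. The host name, account suffix and Security-log events below are constructed and hypothetical.

```python
"""Flag MSOL_ connector-account logons from any host other than the Entra Connect server.

Input is a constructed sample of Windows Security log events (4624 = successful
logon, 4625 = failed logon); in practice these come from a SIEM or Get-WinEvent export.
"""
import re
from dataclasses import dataclass

# Assumption: the only host that should log on as MSOL_* is the Entra Connect
# server (hypothetical name). Adjust to the real server name(s) in your tenant.
ENTRA_CONNECT_HOSTS = {"AADC01"}
# The on-premises connector account is named MSOL_<hex suffix>.
MSOL_PATTERN = re.compile(r"^MSOL_[0-9a-f]+$", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"EventID": 4624, "TargetUserName": "MSOL_1a2b3c4d5e6f", "WorkstationName": "AADC01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "MSOL_1a2b3c4d5e6f", "WorkstationName": "WKSTN-42", "IpAddress": "10.0.7.19"},
    {"EventID": 4624, "TargetUserName": "jdoe", "WorkstationName": "WKSTN-42", "IpAddress": "10.0.7.19"},
    {"EventID": 4625, "TargetUserName": "MSOL_1a2b3c4d5e6f", "WorkstationName": "WKSTN-42", "IpAddress": "10.0.7.19"},
]

@dataclass(frozen=True)
class Finding:
    account: str
    workstation: str
    ip: str
    reason: str

def find_msol_misuse(events, allowed_hosts=ENTRA_CONNECT_HOSTS):
    """Return one Finding per MSOL_ logon (successful or failed) whose source
    workstation is not an allowed Entra Connect server."""
    allowed = {h.upper() for h in allowed_hosts}
    findings = []
    for ev in events:
        user = ev.get("TargetUserName", "")
        if not MSOL_PATTERN.match(user):
            continue  # not the connector account
        host = ev.get("WorkstationName", "").upper()
        if host in allowed:
            continue  # expected: the Entra Connect server itself
        if ev.get("EventID") == 4624:
            reason = "MSOL_ account logon from non-Entra-Connect host"
        elif ev.get("EventID") == 4625:
            reason = "failed logon to MSOL_ account from non-Entra-Connect host"
        else:
            continue
        findings.append(Finding(user, host, ev.get("IpAddress", ""), reason))
    return findings

if __name__ == "__main__":
    for f in find_msol_misuse(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.account} from {f.workstation} ({f.ip})")
```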

Additional Reading: