Az AD Connect - Hybrid Identity

Basic Information

Integration between On-premises Active Directory (AD) and Azure AD is facilitated by Azure AD Connect, offering various methods that support Single Sign-on (SSO). Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments:

  • Pass-Through Authentication (PTA):

    • Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud).

    • Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem).

    Az - PTA - Pass-through Authentication

  • Password Hash Sync (PHS):

    • Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user.

    Az - PHS - Password Hash Sync

  • Federation:

    • Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities.

    Az - Federation

  • Seamless SSO:

    • Theft of the AZUREADSSOACC user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user.

    Az - Seamless SSO

  • Cloud Kerberos Trust:

    • Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD.

    Az - Cloud Kerberos Trust

  • Default Applications:

    • Compromising an Application Administrator account or the on-premises Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files.

    Az - Default Applications

For each integration method, user synchronization is conducted, and an MSOL_<installationidentifier> account is created in the on-prem AD. Notably, both PHS and PTA can be combined with Seamless SSO, enabling automatic sign-in to Azure AD for users on computers joined to the on-prem domain.

To verify the installation of Azure AD Connect, the following PowerShell command, utilizing the AzureADConnectHealthSync module (installed by default with Azure AD Connect), can be used:
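As an added example (not the page's own command and not part of Azure AD Connect), the following PowerShell script inventories the hybrid-identity footprint discussed above from a defender's view: it checks whether the AzureADConnectHealthSync module and the ADSync service are present on the current host, and then lists the MSOL_* sync accounts and the AZUREADSSOACC computer account together with their password age, since a stale Seamless SSO key or an over-privileged sync account is exactly what the attack paths above rely on. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed; the function and property names chosen here are the author's own, not from the page.

```powershell
# Added example: inventory Azure AD Connect components and hybrid-identity accounts.
# Assumes: domain-joined Windows host, RSAT ActiveDirectory module available.
# The module/service check is only meaningful when run on the suspected AAD Connect server.

function Test-AadConnectInstalled {
    # AzureADConnectHealthSync ships with Azure AD Connect; its presence marks the sync server.
    $module  = Get-Module -ListAvailable -Name AzureADConnectHealthSync
    # The sync engine itself runs as the ADSync Windows service.
    $service = Get-Service -Name ADSync -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        HealthSyncModule = [bool]$module
        ADSyncService    = if ($service) { $service.Status } else { 'NotPresent' }
    }
}

function Get-HybridIdentityAccounts {
    # MSOL_<id> is the on-prem sync account AAD Connect creates for PHS/PTA/federation;
    # AZUREADSSOACC is the Seamless SSO computer account whose Kerberos key signs SSO tickets.
    Import-Module ActiveDirectory -ErrorAction Stop

    $syncAccounts = Get-ADUser -Filter 'Name -like "MSOL_*"' `
        -Properties Description, PasswordLastSet, MemberOf
    $ssoAccount   = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' `
        -Properties PasswordLastSet

    foreach ($acct in $syncAccounts) {
        [PSCustomObject]@{
            Kind            = 'SyncAccount'
            Name            = $acct.SamAccountName
            PasswordLastSet = $acct.PasswordLastSet
            PasswordAgeDays = if ($acct.PasswordLastSet) {
                                  [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
                              } else { $null }
            # Group memberships beyond what sync needs widen the blast radius of a compromise.
            GroupCount      = @($acct.MemberOf).Count
            Description     = $acct.Description
        }
    }

    if ($ssoAccount) {
        # Microsoft's guidance is to roll the AZUREADSSOACC Kerberos key at least every 30 days.
        $age = [int]((Get-Date) - $ssoAccount.PasswordLastSet).TotalDays
        [PSCustomObject]@{
            Kind            = 'SeamlessSsoComputer'
            Name            = $ssoAccount.Name
            PasswordLastSet = $ssoAccount.PasswordLastSet
            PasswordAgeDays = $age
            GroupCount      = $null
            Description     = if ($age -gt 30) { 'Key older than 30 days: rotate' } else { 'Key rotation within policy' }
        }
    }
}

Test-AadConnectInstalled     | Format-List
Get-HybridIdentityAccounts   | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspected sync server and on any domain-joined host with AD read access; the first function tells you whether this host is the Azure AD Connect server, and the second gives the accounts whose password age and group memberships you want to review regardless of where it runs.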

