Privileged Entra Account Synchronized With AD (Hybrid)

High

Description

If your organization has set up directory synchronization - for example with "Microsoft Entra Connect" (formerly "Azure AD Connect") or "Microsoft Entra Cloud Sync" (formerly "Azure AD Connect Cloud Sync") - to synchronize users (among other objects) from the on-premises Active Directory to the cloud Entra ID, you may be tempted to use hybrid AD accounts for privileged roles in Entra ID. However, this creates a pivoting opportunity for attackers, who can extend their malicious control to Entra ID after they compromise Active Directory. They have several techniques at their disposal to impersonate any AD user, and this impersonation carries over to the synchronized account in Entra ID.

For this reason, Microsoft warns against this practice in its article "Protecting Microsoft 365 from on-premises attacks", considering that "there should be no on-premises account with administrative privileges in Microsoft 365" and recommending that you ensure that "no on-premises account has elevated privileges to Microsoft 365."

Solution

Microsoft recommends in its article "Protecting Microsoft 365 from on-premises attacks" to "use cloud-only accounts for Entra and Microsoft 365 privileged roles". Cloud-only accounts are accounts created in Entra ID that are not synchronized with Active Directory, which are the opposite of hybrid accounts. You must use dedicated cloud-only accounts for all privileged Entra role assignments.

Individuals who have a privileged cloud-only Entra account also tend to have an Active Directory account. They should use different passwords for their Active Directory and Entra accounts so that the Entra account stays completely isolated if an AD compromise reveals their AD password. Raise awareness about the importance of separate passwords in order to make this isolation effective.

Security best practices also recommend a separate account for privileged roles: the privileged cloud-only account (with its own password) is kept separate from the individual's everyday Entra account, which can remain a hybrid account.

After you create cloud-only accounts and train their owners to understand their purpose and how to use them, replace all privileged role assignments on the hybrid accounts that this Indicator of Exposure identified with the new cloud-only accounts.
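To find the hybrid accounts that still hold privileged roles before and after the remediation, the following Microsoft Graph PowerShell script is an added example (not Tenable's own code). It assumes the Microsoft.Graph module is installed and that the caller can consent to the read-only Directory.Read.All scope; the OnPremisesSyncEnabled user property is what distinguishes a synchronized (hybrid) account from a cloud-only one.

```powershell
# Added example: list members of Entra directory roles and flag the ones that are
# synchronized from on-premises AD (hybrid accounts). Read-only scope is enough.
Connect-MgGraph -Scopes "Directory.Read.All"

$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user objects can be hybrid; skip groups and service principals.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled
        [pscustomobject]@{
            Role   = $role.DisplayName
            User   = $user.UserPrincipalName
            # $true when the account is synchronized from AD; $null (treated as $false) for cloud-only.
            Hybrid = [bool]$user.OnPremisesSyncEnabled
        }
    }
}

# Every row printed here is a privileged hybrid account whose role assignment
# should be moved to a dedicated cloud-only account.
$findings | Where-Object Hybrid | Sort-Object Role, User | Format-Table -AutoSize
```

Get-MgDirectoryRole only returns roles that are activated in the tenant and the script checks direct, active members only, so role assignments made through groups or PIM eligibility need a separate review.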

See Also

Protecting Microsoft 365 from on-premises attacks

Indicator Details

Name: Privileged Entra Account Synchronized With AD (Hybrid)

Codename: PRIVILEGED-AAD-ACCOUNT-SYNC-WITH-AD-HYBRID

Severity: High

MITRE ATT&CK Information:

Techniques: T1556.007