You can synchronize Microsoft Entra ID with Active Directory using either Microsoft Entra Connect (formerly Azure AD Connect) or Microsoft Entra Cloud Sync (formerly Azure AD Connect Cloud Sync). Microsoft provides two built-in roles specifically designed for the service accounts used by these synchronization tools.
The first is "Directory Synchronization Accounts" (role template ID d29b2b05-8046-44ba-8758-1e26182fcf32). Its potential for abuse was detailed in a Tenable Research blog post: Stealthy Persistence with "Directory Synchronization Accounts" Role in Entra ID.
The second (role template ID a92aed5d-d78a-4d16-b381-09adb37eb3b0) is a newer role that Tenable first identified in July 2024. It has a similar description and identical permissions to the "Directory Synchronization Accounts" role. However, Tenable Research found that neither Microsoft Entra Connect nor Entra Cloud Sync uses this role, and it currently has no known legitimate use, which raises concerns about its purpose and potential for abuse.
Attackers can exploit these roles by assigning them to security principals they control (users, service principals, or groups), gaining privilege escalation or long-term persistence. These roles are particularly attractive for several reasons:
This Indicator of Exposure uses the following logic to detect suspicious security principals assigned to these roles:
Begin by evaluating the legitimacy of the identified suspicious security principal:
If you suspect a breach:
Neither these roles nor their assignees are visible in the Azure portal or the Entra admin center. To identify assignments, you must use alternative methods, such as the Microsoft Graph PowerShell cmdlets, or query the Microsoft Graph API directly. Note that a built-in role only exists as a directoryRole object once it has been activated, so the first cmdlet below returns nothing if the role has never been assigned in the tenant:
Connect-MgGraph -Scopes "RoleManagement.Read.All"
Get-MgDirectoryRoleMember -DirectoryRoleId (Get-MgDirectoryRole -Filter "RoleTemplateId eq 'd29b2b05-8046-44ba-8758-1e26182fcf32'").Id | Format-List *
Get-MgDirectoryRoleMember -DirectoryRoleId (Get-MgDirectoryRole -Filter "RoleTemplateId eq 'a92aed5d-d78a-4d16-b381-09adb37eb3b0'").Id | Format-List *
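The two one-liners above each stop with an error if the role has never been activated, and they print raw directoryObject records. The following script is an added example, not code from the original page or from Tenable: it enumerates both roles by template ID, tolerates a role that has not been activated, and resolves each member to a type, display name and UPN or app ID so the reviewer can evaluate legitimacy. It assumes the Microsoft Graph PowerShell SDK. The flag on the second role follows the page (no known legitimate use); the additional flag on group members of the first role is an assumption of this example, not the product's detection logic.

```powershell
# Added example (not part of the original page): enumerate every principal holding
# either directory-sync role, by role template ID, and flag the suspicious ones.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement).
Connect-MgGraph -Scopes "RoleManagement.Read.All" -NoWelcome

$newerSyncRoleTemplate = 'a92aed5d-d78a-4d16-b381-09adb37eb3b0'
$syncRoles = [ordered]@{
    'd29b2b05-8046-44ba-8758-1e26182fcf32' = 'Directory Synchronization Accounts'
    $newerSyncRoleTemplate                 = 'newer sync role (no known legitimate use)'
}

$findings = foreach ($templateId in $syncRoles.Keys) {
    # A built-in role only exists as a directoryRole object once it has been activated,
    # so a missing object means nobody has ever held the role in this tenant.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
    if (-not $role) {
        Write-Host "[$($syncRoles[$templateId])] not activated in this tenant: no members"
        continue
    }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Get-MgDirectoryRoleMember returns generic directoryObjects; the concrete
        # properties (type, displayName, UPN, appId) live in AdditionalProperties.
        $props = $member.AdditionalProperties
        $type  = [string]$props['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $ident = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['appId'] }

        [pscustomobject]@{
            Role           = $syncRoles[$templateId]
            RoleTemplateId = $templateId
            MemberId       = $member.Id
            MemberType     = $type
            DisplayName    = $props['displayName']
            Identifier     = $ident
            # Any holder of the newer role is suspicious outright (the page: no known
            # legitimate use). Flagging group members of the first role is an assumption
            # of this example: the sync tools assign their own account directly.
            Suspicious     = ($templateId -eq $newerSyncRoleTemplate) -or ($type -eq 'group')
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Every row still needs the manual legitimacy check described in this page: a user account that Entra Connect created for itself is expected in the first role, whereas the same role on a group, or on any principal in the second role, is what this indicator is about.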
Alternatively, using the now-deprecated Azure AD PowerShell cmdlets (the AzureAD module is retired, so prefer the Microsoft Graph cmdlets above):
Connect-AzureAD
Get-AzureADDirectoryRole -Filter "RoleTemplateId eq 'd29b2b05-8046-44ba-8758-1e26182fcf32'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -Filter "RoleTemplateId eq 'a92aed5d-d78a-4d16-b381-09adb37eb3b0'" | Get-AzureADDirectoryRoleMember
If the identified security principal has no legitimate reason to hold one of these roles, and it is not the account used by Microsoft Entra Connect or Entra Cloud Sync, remove the role assignment. You can do this with the Remove-AzureADDirectoryRoleMember cmdlet or the Remove-MgDirectoryRoleMemberByRef Microsoft Graph PowerShell cmdlet. See the provided remediation script.
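The following function is an added example and is not the page's remediation script. It removes one assignment of either sync role with Remove-MgDirectoryRoleMemberByRef, but only after re-reading the role membership from the tenant, so that a mistyped object ID cannot silently do nothing or hit the wrong principal, and it defaults to a dry run. It assumes the Microsoft Graph PowerShell SDK and an account holding a role-management write scope; the object ID in the usage line is a hypothetical placeholder.

```powershell
# Added example (not the original page's remediation script): remove a confirmed-illegitimate
# assignment of either directory-sync role, dry run unless -Commit is given.
# Assumes the Microsoft Graph PowerShell SDK.
function Remove-SyncRoleAssignment {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('d29b2b05-8046-44ba-8758-1e26182fcf32',   # Directory Synchronization Accounts
                     'a92aed5d-d78a-4d16-b381-09adb37eb3b0')]  # newer sync role
        [string]$RoleTemplateId,
        [Parameter(Mandatory)][string]$MemberObjectId,           # user, SP or group object ID
        [switch]$Commit                                          # omit to only report
    )

    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$RoleTemplateId'"
    if (-not $role) { throw "Role template $RoleTemplateId is not activated in this tenant." }

    # Do not trust the caller's ID blindly: confirm the object actually holds this role.
    $member = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
              Where-Object { $_.Id -eq $MemberObjectId }
    if (-not $member) { throw "$MemberObjectId is not a member of '$($role.DisplayName)'." }

    $type = [string]$member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    $name = $member.AdditionalProperties['displayName']

    if (-not $Commit) {
        Write-Host "DRY RUN: would remove $type '$name' ($MemberObjectId) from '$($role.DisplayName)'"
        return
    }

    # $ref removal detaches the member from the role; the principal itself is left in place
    # for the forensic follow-up the page describes.
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $MemberObjectId
    Write-Host "Removed $type '$name' ($MemberObjectId) from '$($role.DisplayName)'"
}

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory" -NoWelcome

# Hypothetical object ID for illustration; replace with the principal you confirmed is illegitimate.
Remove-SyncRoleAssignment -RoleTemplateId 'a92aed5d-d78a-4d16-b381-09adb37eb3b0' `
                          -MemberObjectId '00000000-0000-0000-0000-000000000000'
# Re-run with -Commit once the dry-run line names the expected principal.
```

Removing the assignment only closes the persistence path; the principal's credentials and any sign-in activity still belong in the breach investigation steps above.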
Name: Suspicious AD Synchronization Role Assignment
Codename: SUSPICIOUS-DIRECTORY-SYNCHRONIZATION-ACCOUNTS-ROLE-ASSIGNMENT
Severity: High
Type: Microsoft Entra ID Indicator of Exposure