Suspicious "Directory Synchronization Accounts" Role Assignment

Entra ID has the "Directory Synchronization Accounts built-in role assigned to the Entra service account(s) that "Microsoft Entra Connect" (formerly "Azure AD Connect") or "Microsoft Entra Cloud Sync" (formerly "Azure AD Connect Cloud Sync") uses to allow directory synchronization from the on-premises Active Directory to the cloud Entra ID.

Attackers can assign this role to a security principal - such as User, Service Principal, or Group - that they control in order to gain privilege escalation or persistence. In particular, this role can interest attackers for the following reasons:

• It grants several sensitive Entra ID permissions.
• Since Entra ID administrators typically do not assign this role, it remains concealed within both the Azure and Entra portals, absent from the list of Entra roles and the "assigned roles" section of a security principal. This stealthy characteristic renders it an effective method for carrying out covert attacks.

This potential of abuse was described in this Tenable Research blogpost: Stealthy Persistence with "Directory Synchronization Accounts" Role in Entra ID

This Indicator of Exposure employs multiple heuristics to detect suspicious security principals that have this risky role assigned, especially when they don't align with typical Entra service accounts for Microsoft Entra Connect or Microsoft Entra Cloud Sync.

Begin by evaluating the legitimacy of the identified suspicious security principal:

• If the Entra tenant is not hybrid (i.e. not synchronized with Active Directory), this role should not be assigned. The reported security principal is either a leftover if the tenant was hybrid at some point, or illegitimate.
• Is this a security principal of User type? There are no legitimate cases where a Service Principal or a Group has this role assigned.
• When was this security principal created? Does the date actually correspond to the day of the directory synchronization setup with "Microsoft Entra Connect" or "Microsoft Entra Cloud Sync"?
• In audit logs: does this security principal regularly perform directory synchronization tasks such as user update, creation, deletion, password change, etc.?
• In sign-in logs: does this security principal regularly authenticate from IP addresses that likely belong to your organization?
• If you use Microsoft Entra Connect, does its User Principal Name actually contain the name of the expected on-premises Microsoft Entra Connect server? (For example, if the server is called "AADCONNECT", then you can expect this UPN: "Sync_AADCONNECT_@..."). Does it have the expected Display Name "On-Premises Directory Synchronization Service Account"?

If you suspect a breach:

• Perform a forensic investigation to confirm the alleged attack, identify the time and author of the attack, and assess the extent of the potential intrusion.
• Review the audit logs to identify the potential malicious actions.

Neither the "Directory Synchronization Accounts" role nor its assignees are visible in the Azure portal. To view them, you must use other methods such as the Microsoft Graph PowerShell cmdlets or the API directly:

Connect-MgGraph -Scopes "RoleManagement.Read.All"
Get-MgDirectoryRoleMember -DirectoryRoleId (Get-MgDirectoryRole -Filter "RoleTemplateId eq 'd29b2b05-8046-44ba-8758-1e26182fcf32'").Id | Format-List *

Or alternatively using the now deprecated Azure AD PowerShell cmdlets:

Connect-AzureAD
Get-AzureADDirectoryRole -Filter "RoleTemplateId eq 'd29b2b05-8046-44ba-8758-1e26182fcf32'" | Get-AzureADDirectoryRoleMember

Finally, if the identified security principal does not have a legitimate reason to have this assigned role, and Microsoft Entra Connect or Microsoft Entra Cloud Sync does not use it, you should remove this role assignment. You can do this either with the Remove-AzureADDirectoryRoleMember Azure AD PowerShell cmdlet, or the Remove-MgDirectoryRoleMemberByRef Microsoft Graph PowerShell cmdlet.

Name: Suspicious "Directory Synchronization Accounts" Role Assignment

Codename: SUSPICIOUS-DIRECTORY-SYNCHRONIZATION-ACCOUNTS-ROLE-ASSIGNMENT

Severity: High

Type: Microsoft Entra ID Indicator of Exposure