Suspicious AD Synchronization Role Assignment

HIGH

Description

You can synchronize Microsoft Entra ID with Active Directory using either Microsoft Entra Connect (formerly Azure AD Connect) or Microsoft Entra Cloud Sync (formerly Azure AD Connect Cloud Sync). Microsoft provides two built-in roles specifically designed for the service accounts used by these synchronization tools.

Attackers can exploit these roles by assigning them to security principals—such as users, service principals, or groups—that they control, enabling privilege escalation or long-term persistence. These roles are particularly attractive for several reasons:

  • They remain privileged. Although Microsoft removed several sensitive Entra ID permissions from these roles during a security hardening update in August 2024, Tenable Research found that they still retain implicit permissions through a specific API. As a result, the roles continue to provide powerful access.
  • They operate stealthily. Because these roles are meant only for the synchronization service accounts and are never intended to be assigned by hand, Microsoft hides them in both the Azure portal and the Entra admin center. They do not appear in the list of Entra roles or under the "Assigned roles" section for a given principal, so an attacker-controlled assignment will not surface during a routine portal review.
  • One role is undocumented. Microsoft has not documented the "On Premises Directory Sync Account" role, further increasing the risk of undetected abuse.

This Indicator of Exposure uses the following logic to detect suspicious security principals assigned to these roles:

  • For the "Directory Synchronization Accounts" role: The detection relies on multiple heuristics to identify assignees that do not align with the typical service accounts used by Microsoft Entra Connect or Microsoft Entra Cloud Sync.
  • For the "On Premises Directory Sync Account" role: Any assignment is flagged as suspicious, regardless of conditions, since this role has no known legitimate use.

Solution

Begin by evaluating the legitimacy of the identified suspicious security principal:

  • Tenant synchronization status: If the Entra tenant is not hybrid (i.e., not synchronized with Active Directory), neither of these roles should be assigned. In such cases, the reported assignment likely indicates either an illegitimate configuration or a leftover from a previously hybrid state.
  • Type of security principal: There are no legitimate scenarios where a Service Principal or Group should hold either of these roles.
  • When was this security principal created? Does the date actually correspond to the day of the directory synchronization setup with "Microsoft Entra Connect" or "Microsoft Entra Cloud Sync"?
  • In audit logs: does this security principal regularly perform directory synchronization tasks such as user update, creation, deletion, password change, etc.?
  • In sign-in logs: does this security principal regularly authenticate from IP addresses that likely belong to your organization?
  • If you use Microsoft Entra Connect, does its User Principal Name actually contain the name of the expected on-premises Microsoft Entra Connect server? (For example, if the server is called "AADCONNECT", then you can expect this UPN: "Sync_AADCONNECT_@..."). Does it have the expected Display Name "On-Premises Directory Synchronization Service Account"?
  • Redundant or anomalous role usage: If the "On Premises Directory Sync Account" role is assigned, consider: Why was this role used instead of—or in addition to—the standard "Directory Synchronization Accounts" role?

If you suspect a breach:

  • Perform a forensic investigation to confirm the alleged attack, identify the time and author of the attack, and assess the extent of the potential intrusion.
  • Review the audit logs to identify the potential malicious actions.

Neither these roles nor their assignees are visible in the Azure portal or the Entra admin center. To identify assignments, you must use alternative methods, such as the Microsoft Graph PowerShell cmdlets or querying the Microsoft Graph API directly:

Connect-MgGraph -Scopes "RoleManagement.Read.All"
# Get-MgDirectoryRole only returns roles that have been activated in the tenant; a $null result means the role has never been assigned there. Members come back as generic directoryObjects whose type, display name and UPN sit in AdditionalProperties.
$dirSyncRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq 'd29b2b05-8046-44ba-8758-1e26182fcf32'"     # Directory Synchronization Accounts
$onPremSyncRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq 'a92aed5d-d78a-4d16-b381-09adb37eb3b0'"  # On Premises Directory Sync Account
if ($dirSyncRole)    { Get-MgDirectoryRoleMember -DirectoryRoleId $dirSyncRole.Id -All | Format-List Id, AdditionalProperties }
if ($onPremSyncRole) { Get-MgDirectoryRoleMember -DirectoryRoleId $onPremSyncRole.Id -All | Format-List Id, AdditionalProperties }

Alternatively, using the now-deprecated Azure AD PowerShell module (an empty result again means the role has not been activated in the tenant):

Connect-AzureAD
Get-AzureADDirectoryRole -Filter "RoleTemplateId eq 'd29b2b05-8046-44ba-8758-1e26182fcf32'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -Filter "RoleTemplateId eq 'a92aed5d-d78a-4d16-b381-09adb37eb3b0'" | Get-AzureADDirectoryRoleMember

If the identified security principal has no legitimate reason to hold one of these roles, and it is not the account used by Microsoft Entra Connect or Entra Cloud Sync, remove the role assignment. You can do this with the Remove-MgDirectoryRoleMemberByRef Microsoft Graph PowerShell cmdlet or, with the deprecated module, Remove-AzureADDirectoryRoleMember. See the provided remediation script.
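The following PowerShell script is an added example, not Tenable's remediation script and not code from the original page. It ties together the enumeration above, the legitimacy checks listed at the start of this section, and the removal step: it walks both hidden roles, flags each assignee against the heuristics (any assignment of the undocumented role, non-user principal type, Entra Connect UPN and display-name conventions, creation date far from the sync setup date), and removes flagged members only when -Remove is passed, honouring -WhatIf and -Confirm. The expected server name list, the sync setup date and the seven-day tolerance are placeholders you must replace with your own values; the UPN and display-name checks are specific to Microsoft Entra Connect, so drop them if your tenant uses Entra Cloud Sync.

```powershell
# Added example: triage (and optionally remediate) assignees of the two hidden
# directory-synchronization roles. Parameter defaults below are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # NetBIOS names of the real Entra Connect servers in your environment (assumed value).
    [string[]] $ExpectedSyncServers = @('AADCONNECT'),
    # Approximate date hybrid synchronization was first configured (assumed value).
    [datetime] $SyncSetupDate = '2021-03-15',
    # Remove flagged members. Still subject to -WhatIf / -Confirm.
    [switch] $Remove
)

# Role template IDs are immutable and identical in every tenant.
$Roles = @{
    'Directory Synchronization Accounts' = 'd29b2b05-8046-44ba-8758-1e26182fcf32'
    'On Premises Directory Sync Account' = 'a92aed5d-d78a-4d16-b381-09adb37eb3b0'
}

$scopes = @('RoleManagement.Read.Directory', 'User.Read.All')
if ($Remove) { $scopes[0] = 'RoleManagement.ReadWrite.Directory' }
Connect-MgGraph -Scopes $scopes

# Entra Connect names its account Sync_<server>_<random hex>@<tenant>. This regex
# only knows the servers you listed; Cloud Sync accounts follow a different convention.
$serverAlternation = ($ExpectedSyncServers | ForEach-Object { [regex]::Escape($_) }) -join '|'
$EntraConnectUpn = "^Sync_($serverAlternation)_[0-9a-fA-F]+@"

$findings = foreach ($roleName in $Roles.Keys) {
    # A directoryRole object exists only once the role has been activated; no object, no members.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($Roles[$roleName])'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type    = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $reasons = [System.Collections.Generic.List[string]]::new()
        $upn = $null; $created = $null

        if ($roleName -eq 'On Premises Directory Sync Account') {
            $reasons.Add('undocumented role with no known legitimate use')
        }
        if ($type -ne 'user') {
            # Service principals and groups are never legitimate holders of these roles.
            $reasons.Add("principal type '$type' is never legitimate for this role")
        } else {
            # createdDateTime is not in the default member projection, so fetch the user explicitly.
            $user    = Get-MgUser -UserId $member.Id -Property Id,DisplayName,UserPrincipalName,CreatedDateTime,AccountEnabled
            $upn     = $user.UserPrincipalName
            $created = $user.CreatedDateTime
            if ($upn -notmatch $EntraConnectUpn) {
                $reasons.Add("UPN '$upn' does not match Sync_<server>_<hex>@ for an expected server")
            }
            if ($user.DisplayName -ne 'On-Premises Directory Synchronization Service Account') {
                $reasons.Add("unexpected display name '$($user.DisplayName)'")
            }
            # Seven-day tolerance around the setup date is an assumed threshold.
            if ($created -and [math]::Abs(($created - $SyncSetupDate).TotalDays) -gt 7) {
                $reasons.Add("created $($created.ToString('u')), not within a week of the sync setup date")
            }
        }

        [pscustomobject]@{
            Role       = $roleName
            RoleId     = $role.Id
            MemberId   = $member.Id
            Type       = $type
            Upn        = $upn
            Created    = $created
            Suspicious = $reasons.Count -gt 0
            Reasons    = $reasons -join '; '
        }
    }
}

$findings | Format-Table Role, Type, Upn, Suspicious, Reasons -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object Suspicious) {
        # -WhatIf prints the removal without performing it; -Confirm prompts once per member.
        if ($PSCmdlet.ShouldProcess("$($f.Type) $($f.MemberId) ($($f.Upn))", "Remove from role '$($f.Role)'")) {
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $f.RoleId -DirectoryObjectId $f.MemberId
        }
    }
}
```

Run it first without -Remove to review the table, then with `-Remove -WhatIf` to see exactly which removals would be performed. Treat a flagged member as a finding to investigate, not a verdict: the sign-in and audit-log checks from the list above still have to be done by hand, and a legitimate Entra Connect account will be flagged if its server name is missing from -ExpectedSyncServers.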

Indicator Details

Name: Suspicious AD Synchronization Role Assignment

Codename: SUSPICIOUS-DIRECTORY-SYNCHRONIZATION-ACCOUNTS-ROLE-ASSIGNMENT

Severity: High

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: