# Hybrid Identity Miscellaneous Attacks
{{#include ../../../banners/hacktricks-training.md}}
## Forcing Synchronization of Entra ID users to on-prem

As mentioned in https://www.youtube.com/watch?v=JEIR5oGCwdg, it was possible to change the `proxyAddresses` value of a user in the on-prem AD to the email address of an Entra ID admin user (for example `SMTP:admin@domain.onmicrosoft.com`), while also making sure the UPN of that on-prem AD user matched the UPN of the Entra ID user. This would force the synchronization of this user from Entra ID to the on-prem AD, so if the password of the on-prem user was known, it could be used to access the admin account in Entra ID.

In order to synchronize a new user from Entra ID to the on-prem AD, the only requirements are:
- Control the attributes of a user in the on-prem AD (or have permissions to create new users)
- Know the cloud-only user to synchronize from Entra ID to the on-prem AD
- You might also need to be able to change the `ImmutableId` attribute of the Entra ID user to that of the on-prem AD user in order to do a hard match.
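The two matching conditions above (soft match on UPN / SMTP proxy address, hard match on `ImmutableId`) are the things a defender should audit for. The following Python script is an added example, not code from the original page or from any Microsoft tooling: it derives the default Entra Connect sourceAnchor (base64 of the `objectGUID` bytes, the same value `[Convert]::ToBase64String($guid.ToByteArray())` produces in PowerShell) and sweeps a constructed export of on-prem users against a constructed list of cloud-only admins for both collision types. The data structures (`ONPREM_USERS`, `CLOUD_ONLY_ADMINS`) and all sample values are constructed assumptions; in practice they would come from `Get-ADUser` and Microsoft Graph.

```python
import base64
import uuid

# Constructed sample (not from a real directory): on-prem AD users exported
# with the attributes Entra Connect uses for matching.
ONPREM_USERS = [
    {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@corp.example",
        "proxyAddresses": ["SMTP:jdoe@corp.example", "smtp:john.doe@corp.example"],
        "objectGUID": "01234567-89ab-cdef-0123-456789abcdef",
    },
    {
        # A low-privilege on-prem account whose addresses were pointed at a cloud admin.
        "sAMAccountName": "helpdesk7",
        "userPrincipalName": "admin@example.onmicrosoft.com",
        "proxyAddresses": ["SMTP:admin@example.onmicrosoft.com"],
        "objectGUID": "00000000-0000-0000-0000-000000000000",
    },
]

# Constructed sample: cloud-only privileged accounts as Microsoft Graph would
# return them (userPrincipalName, mail, onPremisesImmutableId).
CLOUD_ONLY_ADMINS = [
    {
        "userPrincipalName": "admin@example.onmicrosoft.com",
        "mail": "admin@example.onmicrosoft.com",
        "onPremisesImmutableId": None,
    },
    {
        # Its ImmutableId has been set to jdoe's sourceAnchor: a hard match is pending.
        "userPrincipalName": "breakglass@example.onmicrosoft.com",
        "mail": None,
        "onPremisesImmutableId": "Z0UjAauJ780BI0VniavN7w==",
    },
]


def immutable_id_from_guid(object_guid: str) -> str:
    """Default Entra Connect sourceAnchor: base64 of objectGUID in .NET
    Guid.ToByteArray() order, which is exactly what uuid.bytes_le yields."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def _smtp_addresses(user: dict) -> set:
    """UPN plus every SMTP proxy address (primary or secondary), lower-cased."""
    addrs = {user["userPrincipalName"].lower()}
    for entry in user.get("proxyAddresses", []):
        prefix, _, addr = entry.partition(":")
        if prefix.lower() == "smtp" and addr:
            addrs.add(addr.lower())
    return addrs


def find_soft_match_collisions(onprem_users: list, cloud_admins: list) -> list:
    """On-prem users whose UPN or SMTP address equals a cloud-only admin's UPN
    or mail: these are the pairs a soft match would glue together on sync."""
    admin_addrs = {}
    for admin in cloud_admins:
        for key in ("userPrincipalName", "mail"):
            if admin.get(key):
                admin_addrs[admin[key].lower()] = admin["userPrincipalName"]
    findings = []
    for user in onprem_users:
        hits = sorted(_smtp_addresses(user) & admin_addrs.keys())
        if hits:
            findings.append({
                "sAMAccountName": user["sAMAccountName"],
                "collides_with": sorted({admin_addrs[h] for h in hits}),
                "addresses": hits,
            })
    return findings


def find_hard_match_collisions(onprem_users: list, cloud_admins: list) -> list:
    """Cloud-only admins whose onPremisesImmutableId equals the sourceAnchor of
    an on-prem object: the next sync cycle will bind the two accounts."""
    anchors = {immutable_id_from_guid(u["objectGUID"]): u["sAMAccountName"]
               for u in onprem_users}
    return [(a["userPrincipalName"], anchors[a["onPremisesImmutableId"]])
            for a in cloud_admins if a.get("onPremisesImmutableId") in anchors]


if __name__ == "__main__":
    for f in find_soft_match_collisions(ONPREM_USERS, CLOUD_ONLY_ADMINS):
        print("soft-match risk:", f)
    for cloud_upn, sam in find_hard_match_collisions(ONPREM_USERS, CLOUD_ONLY_ADMINS):
        print(f"hard-match risk: {cloud_upn} is anchored to on-prem {sam}")
```

Run it periodically against a fresh export and alert on any cloud-only privileged account that shows up in either list; a cloud-only admin should never share an SMTP address or UPN with an on-prem object, and its `onPremisesImmutableId` should stay empty.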
## References
- https://www.youtube.com/watch?v=JEIR5oGCwdg
- https://activedirectorypro.com/sync-on-prem-ad-with-existing-azure-ad-users/
- https://www.orbid365.be/manually-match-on-premise-ad-user-to-existing-office365-user/
{{#include ../../../banners/hacktricks-training.md}}