Privileged AD User Accounts Synchronized to Microsoft Entra ID


Description

Synchronizing privileged Active Directory accounts to Microsoft Entra ID is a risk: an attacker who compromises the Entra ID tenant can pivot from it to the on-premises Active Directory, moving from the cloud into the on-premises environment.

Solution

Configure filtering in Entra Connect / Cloud Sync to exclude privileged Active Directory accounts from synchronization.
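Before changing the filtering, it helps to know which privileged accounts are already in the tenant. The following audit script is an added example, not part of this indicator page or of any Tenable or Microsoft tool; it assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Users module are installed, that `Connect-MgGraph -Scopes User.Read.All` has been run, and that `$PrivilegedGroups` is a starting list you extend with your own tier-0 groups.

```powershell
# Added example: list on-premises privileged users that are present in Entra ID.
# Assumptions: ActiveDirectory and Microsoft.Graph.Users modules loaded,
# Connect-MgGraph already run with User.Read.All.
if (-not (Get-MgContext)) { throw 'Run Connect-MgGraph -Scopes User.Read.All first.' }

# Built-in privileged groups; add your own tier-0 groups here.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

# 1. Collect privileged on-prem users keyed by SID: direct and nested members of the
#    groups above, plus any account still carrying adminCount=1 (AdminSDHolder-protected).
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $privileged[$_.SID.Value] = $_.SamAccountName }
}
Get-ADUser -LDAPFilter '(adminCount=1)' |
    ForEach-Object { $privileged[$_.SID.Value] = $_.SamAccountName }

# 2. Ask Entra ID for every user that was synchronized from on-premises AD,
#    together with the on-prem SID Entra Connect / Cloud Sync stored on it.
$synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property 'userPrincipalName,onPremisesSecurityIdentifier'

# 3. Join on SID: each match is a privileged AD account synchronized to the tenant,
#    i.e. exactly what indicator C-AAD-PRIV-SYNC flags.
$findings = foreach ($u in $synced) {
    $sid = $u.OnPremisesSecurityIdentifier
    if ($sid -and $privileged.ContainsKey($sid)) {
        [pscustomobject]@{
            SamAccountName    = $privileged[$sid]
            UserPrincipalName = $u.UserPrincipalName
            OnPremSid         = $sid
        }
    }
}
$findings | Sort-Object SamAccountName | Format-Table -AutoSize
```

Each account listed should then be taken out of scope (OU, group or attribute-based filtering in Entra Connect, or a scoping filter in Cloud Sync) and a full synchronization run so the object is removed from Entra ID; re-run the script afterwards to confirm the list is empty.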

See Also

Azure Identity Management and access control security best practices

Demonstrations of pivot attacks in a hybrid Active Directory-Azure AD environment (in French)

Indicator Details

Name: Privileged AD User Accounts Synchronized to Microsoft Entra ID

Codename: C-AAD-PRIV-SYNC

Severity: High

MITRE ATT&CK Information: