Entra Connect Sync (AD Connect)

Status: Final

Entra Connect Sync (formerly Azure AD Connect) is the bridge between on-premises Active Directory and Entra ID. It synchronizes users, groups, and passwords (in PHS mode) from AD to the cloud. The sync account and the server it runs on are Tier 0 assets — compromising either collapses the isolation between on-prem and cloud entirely.


Synchronization Architecture

On-Premises AD               Entra Connect Server               Entra ID (Cloud)
      │                                │                                │
      │←── LDAP reads (sync account) ──┤                                │
      │                                ├── HTTPS API calls ────────────>│
      │                                │   (tenant service account)     │

The Entra Connect server runs the sync engine. It reads AD via LDAP using a dedicated on-prem AD service account, and writes to Entra ID using a cloud service account (the Entra ID "Sync Account").


Synchronization Modes

| Mode | How it works | Password sync | Cloud auth |
|------|--------------|---------------|------------|
| Password Hash Sync (PHS) | NTLM hash derivatives synced to cloud | Yes (hash sent to cloud) | Cloud-native |
| Pass-through Authentication (PTA) | Auth request forwarded to on-prem DCs | No | On-prem DC validates |
| Federation (ADFS/PingFederate) | Auth completely delegated to on-prem STS | No | On-prem STS validates |

PHS Security Note

In PHS, Entra Connect extracts a derivative of the NTLM hash (via a key derivation function) and syncs it to Entra ID. Microsoft describes this as a "hash of the hash" — not the raw NTLM hash. However, if the Entra Connect server is compromised, the raw hashes flow through the server's process space at sync time.


The Sync Account's Dangerous Privileges

On-Premises AD Account

The AD sync account requires — and is automatically granted — the following AD directory permissions:

  • Replicate Directory Changes on the domain
  • Replicate Directory Changes All on the domain

This is the exact set of permissions needed for DCSync attacks. The Entra Connect sync account is a DCSync-capable account in your environment.

# With the sync account's credentials:
secretsdump.py DOMAIN/SyncAccount:password@dc.domain.local -just-dc-ntlm
# → Full NTDS.dit dump

Cloud Service Account

The Entra ID cloud service account (visible in Entra ID as "On-Premises Directory Synchronization Service Account") has:

  • Ability to create and modify synchronized users
  • Password write-back rights (if enabled)

With password write-back enabled, compromising the cloud service account lets an attacker reset any synced user's on-premises AD password, turning a cloud compromise into an on-prem compromise.


Hybrid Attack Chains via Entra Connect

Attack Chain 1: Cloud → On-Premises (via Write-Back)

1. Compromise Entra ID Global Admin (device code phishing, token theft)
2. Use cloud account to trigger password write-back for a synced Domain Admin
3. Set new password for Domain Admin in on-prem AD
4. Authenticate to on-prem AD as Domain Admin

This is the cloud-to-on-prem pivot. A cloud-only attacker can reach on-premises AD through write-back.

Attack Chain 2: On-Premises → Cloud (via Sync Account)

1. Compromise any machine with access to Entra Connect server credentials
2. Extract sync account credentials (DPAPI, scheduled task, registry)
3. Then one of:
  • Use sync account to DCSync full NTDS.dit
  • Modify cloud-side user attributes to inject backdoor
  • Invoke password sync to push attacker-controlled hash to cloud account

Attack Chain 3: Entra Connect Server Takeover

1. Compromise the Entra Connect server (ransomware, lateral movement, etc.)
2. Run ADSyncDecrypt (public tool) to extract all sync account credentials
3. Full control of both AD and Entra ID

Public tools like AADInternals (Get-AADIntSyncCredentials) can dump the sync credentials from a compromised Entra Connect server.


Entra Connect Server Hardening

| Hardening Action | Why |
|------------------|-----|
| Treat as Tier 0 — same access controls as DCs | Sync account has DCSync rights |
| Enable PHS with password hash sync only from approved time windows | Reduce exposure window |
| Restrict who can log in to Entra Connect server | Principle of least privilege |
| Monitor for Get-AADIntSyncCredentials / ADSyncDecrypt execution | Tool-based credential extraction |
| Disable password write-back if not needed | Removes cloud → on-prem attack path |

Telemetry

| Source | Signal |
|--------|--------|
| Entra ID Audit Log | Sync account activity, user attribute changes from sync |
| Windows Security Log (Entra Connect server) | Logon events, process execution |
| AD Audit Log (4662) | Sync account performing replication |
| Entra ID Risk Detections | Anomalous sync account cloud activity |
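Detection logic for the 4662 and 4688 signals in the tables above, as an added example (not the page's or Microsoft's code): it flags replication rights used by any account other than a DC or the sync account on its own server, and execution of the extraction tools named in the hardening table. Account names, hostnames and the sample events are constructed, and the host on a 4662 is assumed to have been correlated from the subject's logon session beforehand.

```python
import re
# Control access right GUIDs that together make an account DCSync-capable.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed allow-list (constructed names): DC machine accounts, the on-prem sync
# account, and the Entra Connect server it is expected to run on.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SYNC_ACCOUNTS = {"MSOL_1a2b3c4d5e6f"}
CONNECT_HOSTS = {"AADC01"}
# Extraction tooling named in the hardening table.
TOOL_PATTERN = re.compile(r"Get-AADIntSyncCredentials|ADSyncDecrypt", re.IGNORECASE)

def check_replication(ev):
    """4662: flag replication rights used by anyone other than a DC, or by the
    sync account from any host but the Entra Connect server. 'host' is assumed
    to be pre-correlated from the subject's 4624 logon session."""
    rights = [REPLICATION_RIGHTS[g] for g in ev["properties"] if g in REPLICATION_RIGHTS]
    if not rights or ev["subject"] in DC_ACCOUNTS:
        return None
    if ev["subject"] in SYNC_ACCOUNTS and ev["host"] in CONNECT_HOSTS:
        return None
    return f"{ev['subject']}@{ev['host']} used {', '.join(rights)}"

def check_process(ev):
    """4688: flag execution of known sync-credential extraction tools."""
    if TOOL_PATTERN.search(ev["cmdline"]):
        return f"{ev['subject']}@{ev['host']} ran {ev['cmdline']}"
    return None

CHECKS = {4662: check_replication, 4688: check_process}

def triage(events):
    """Return one alert string per suspicious event, in input order."""
    return [hit for ev in events if (hit := CHECKS.get(ev["id"], lambda _: None)(ev))]

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"id": 4662, "subject": "DC02$", "host": "DC02", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "MSOL_1a2b3c4d5e6f", "host": "AADC01", "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "MSOL_1a2b3c4d5e6f", "host": "WKS-FIN07", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "jdoe", "host": "WKS-FIN07", "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4688, "subject": "svc_backup", "host": "AADC01", "cmdline": "powershell.exe -c Get-AADIntSyncCredentials"},
    {"id": 4688, "subject": "jdoe", "host": "WKS-FIN07", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

4662 events only appear when Directory Service Access auditing is enabled on the DCs, so confirm that policy before relying on this signal.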

| Topic | Link |
|-------|------|
| Entra Overview | entra-overview |
| DCSync Attack | dcsync |
| Golden SAML | golden-saml |
| Hybrid Attack Chains | hybrid-attack-chains |