Azure AD Connect: hybrid sync attacks from on-premises to the cloud
Azure AD Connect is the bridge that syncs your on-premises Active Directory with Entra ID, and like any bridge between two environments, it's also the path an attacker takes to escalate from one to the other. Compromising the sync server or its service account can grant full Entra ID access from an on-premises machine.
Why the Azure AD Connect server is a priority target
The server running Azure AD Connect stores, in its local database, the credentials needed to sync and — depending on the configured method — can potentially derive password hashes for every synced user. In practice it's a system with full visibility over the organization's identity, both on-premises and in the cloud, yet it rarely receives the same level of protection as a domain controller, despite having an equivalent impact if compromised.
MSOL account abuse and credential extraction
Azure AD Connect creates a local service account (usually prefixed MSOL_) with elevated permissions over the on-premises Active Directory so it can read and write the synced attributes. An attacker with administrative access to the sync server can extract that account's credentials from the local database (often encrypted with a key recoverable from the server itself) and use them to replicate Active Directory objects, including a DCSync attack that extracts password hashes for any domain user, without needing to touch a domain controller directly.
Pass-through Authentication and AD FS as additional vectors
If the organization uses Pass-through Authentication (PTA), the agents that validate credentials against the local Active Directory are another compromise point: an attacker controlling a PTA agent can intercept and log plaintext passwords as users sign in. If AD FS is used for federation instead, a compromised AD FS server lets the attacker forge SAML tokens and authenticate as any federated user without knowing their password — a scenario documented in real, high-profile incidents.
How to protect and audit hybrid sync infrastructure
The priority measures are: treating the Azure AD Connect server (and AD FS servers or PTA agents) with the same isolation and monitoring level as a domain controller — never as just another application server; strictly restricting who has administrative access to those servers; monitoring MSOL account activity and alerting on anomalous replication (a DCSync indicator); and, where feasible, migrating toward Cloud Sync or cloud-native authentication to reduce the on-premises credential exposure surface.
FAQ
Does migrating to Azure AD Cloud Sync eliminate this risk?
It significantly reduces it, but doesn't eliminate it entirely: Cloud Sync uses lightweight agents with fewer permissions than the classic Azure AD Connect install, but there's still a bridge between on-premises and the cloud that requires the same level of isolation and monitoring.
Does this risk apply if my company is 100% cloud, with no local Active Directory?
No. If you don't have an on-premises Active Directory or hybrid sync, this specific vector doesn't affect you. It's a risk specific to organizations in transition or in a permanent hybrid model, which are still the majority among Spanish businesses.