The on-prem AD user is synchronized to the Entra ID user.
The on-prem user may be able to authenticate as the Entra user with its own password if password hash synchronization, pass-through authentication, or seamless single sign-on is enabled.
Abuse Info
An attacker may authenticate as the synchronized Entra user using the on-prem user’s credentials, for example by dumping the user’s plain-text credential from memory, key-logging the user’s password, or by changing the on-prem user’s password and authenticating with that new password.
Opsec Considerations
The attacker may create artifacts of abusing this relationship in both on-prem AD and in Entra. A password reset operation against the on-prem user may create a 4724 Windows event, along with a corresponding Entra activity log entry when the on-prem agent synchronizes the new password hash up to Entra.
References
What is Password Hybrid Sync
How to connect Pass-Through Auth
How to connect Single Sign-on
Updated