SyncedToEntraUser

This article applies to BHCE and BHE

The on-prem AD user is synchronized to the Entra ID user.

The on-prem user may be able to authenticate as the Entra user with its own password if password hash synchronization, pass-through authentication, or seamless single sign-on is enabled.

Abuse Info

An attacker may authenticate as the synchronized Entra user using the on-prem user’s credentials, for example by dumping the user’s plain-text credential from memory, key-logging the user’s password, or by changing the on-prem user’s password and authenticating with that new password.

Opsec Considerations

The attacker may create artifacts of abusing this relationship in both on-prem AD and in Entra. A password reset operation against the on-prem user may create a 4724 Windows event, along with a corresponding Entra activity log entry when the on-prem agent synchronizes the new password hash up to Entra.

Updated