Hybrid Identity Security: The Hidden Permissions Risk in Entra ID Sync

In today’s IT environments, delivering a smooth user experience across both on-prem and cloud systems depends on hybrid identity—syncing user accounts and credentials between Active Directory (AD) and Microsoft Entra ID (formerly Azure AD).
While Microsoft has improved the security of this process, new research shows a lingering risk: some service accounts used for synchronization still have hidden, powerful permissions that could be misused.
This creates a potential security gap between your on-prem and cloud systems that you might not be aware of. Are your hybrid identities as secure as you think?
The Bridge: Understanding Entra ID Synchronization Roles
At the heart of hybrid identity synchronization lie specific service accounts in Entra ID with permissions to read and write changes between on-premises AD and the cloud. These accounts are used by Microsoft synchronization tools such as Entra Connect (the older, more traditional sync engine) and Entra Cloud Sync (a newer, lighter agent).
Historically, the service account associated with this function held a role in Entra ID called Directory Synchronization Accounts. More recently, a new, distinct role has emerged: On-Premises Directory Sync Account. Both roles are intended for use by Microsoft’s synchronization software and are typically hidden from regular user views in the Azure Portal/Entra Admin Center.
Microsoft’s Hardening Efforts: Acknowledging and Addressing Explicit Risks
Recognizing the potential for abuse if these synchronization accounts were compromised or overly privileged, Microsoft undertook security hardening efforts. As part of this, in August 2024, Microsoft announced they had significantly reduced the explicitly listed permissions for the Directory Synchronization Accounts role. From a list of 48 permissions, the role was reduced to holding only one explicitly listed permission: microsoft.directory/onPremisesSynchronization/standard/read. On the surface, this looks like a strong move towards least privilege, making the role seem unprivileged.
The Persistent Threat: Unpacking Dangerous Implicit Permissions
Despite the welcome reduction in explicit permissions, security research reveals that both the old Directory Synchronization Accounts role and the newer On-Premises Directory Sync Account role retain access to a powerful, implicit permission via a private, undocumented Microsoft API: ADSynchronization.ReadWrite.All.
This permission, which isn’t listed when examining the role’s permissions explicitly, is anything but standard read access. It allows entities holding this permission to perform critical identity management operations for hybrid users synchronized from on-premises AD, including:
- Creating and Editing Users: The ability to modify user accounts.
- Resetting Hybrid User Passwords: A highly impactful privilege allowing unauthorized access to synchronized accounts.
- Managing Synchronized Groups: Modifying group memberships, potentially impacting access controls.
The fact that this powerful permission is implicit and accessible via an undocumented API means it’s less visible, less monitored, and potentially overlooked by organizations relying solely on documented Entra ID permissions.
Proof of Concept: Password Reset Demonstrated
To validate this, research involved assigning a user only the seemingly unprivileged Directory Synchronization Accounts role and using tools like the AADInternals toolkit. Despite the lack of explicit write permissions, the user was able to successfully invoke the implicit ADSynchronization.ReadWrite.All capability via the private sync API to reset passwords for hybrid users. This practical demonstration underscores that the potential for abuse remains very real, even after the stated permission reductions.
The New App: Another Exposure Point
Adding another layer to this complex picture, Microsoft also introduced a dedicated first-party application called Microsoft Entra AD Synchronization Service. While intended for use by synchronization tools, security analysis shows this application also exposes the potent ADSynchronization.ReadWrite.All permission. Although this app isn’t yet widely used publicly, its availability creates another potential vector for attackers to seek out and leverage this dangerous permission if they gain a foothold.
Why These Roles Remain Privileged and Risky
From a security perspective, any identity holding the ADSynchronization.ReadWrite.All permission must be considered highly privileged and potentially dangerous. The ability to reset passwords or modify users/groups for synchronized identities represents a direct path to unauthorized access and control within the hybrid environment. Relying solely on Microsoft’s documentation or listed permissions can create a false sense of security if these implicit capabilities are not accounted for.
These permissions primarily impact hybrid users and the management of synchronized objects, rather than cloud-only identities or Entra ID applications, representing a specific but critical scope of risk for organizations with on-premises AD integrated with Entra ID.
Fortifying Your Hybrid Identity Security Posture
Given these findings, organizations must take proactive steps to identify and mitigate the risks associated with these Entra ID synchronization roles and the ADSynchronization.ReadWrite.All permission:
- Identify and Inventory Risky Service Principals: Actively look for service principals or users in your Entra ID tenant that hold the Directory Synchronization Accounts or On-Premises Directory Sync Account roles. Treat any entity with access to the ADSynchronization.ReadWrite.All permission as a highly privileged identity. Tools designed for identity exposure management can be crucial here.
- Apply Least Privilege & Strict Access Controls: Ensure that access to these synchronization roles and any associated service principals is restricted to the absolute minimum necessary, following the principle of least privilege. Implement strong access controls, including mandatory Multi-Factor Authentication (MFA), for any account capable of administering these synchronization components.
- Continuous Monitoring & Auditing: Implement continuous monitoring and auditing of activities related to these synchronization roles and associated service principals. Look for unusual access patterns, permission changes, or calls to the Synchronization API. Alert on sensitive actions like password resets or user modifications performed by these accounts.
- Treat as Privileged Accounts: Manage the service principals associated with hybrid synchronization with the same rigor as other highly privileged accounts (e.g., Global Administrators), even if their listed permissions appear limited.
- Stay Informed & Verify: Keep abreast of Microsoft’s updates regarding synchronization services and identity permissions. Verify changes in your own tenant using tools and audits to ensure stated permission reductions match actual capabilities.
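The inventory and monitoring steps above, as an added example that is not part of the original post: a Microsoft Graph PowerShell script that lists who holds the two synchronization roles, prints each role's explicitly listed permissions (the implicit sync capability will not appear there), and flags recent password-reset audit events initiated by a role holder. It assumes the Microsoft.Graph SDK is installed, the signed-in account can read role assignments and audit logs, and that admin-initiated resets appear under the activity name "Reset user password"; that activity name and the 7-day window are assumptions to verify against your own tenant.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK and an account permitted to read roles and audit logs.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All"

$syncRoles = @("Directory Synchronization Accounts", "On-Premises Directory Sync Account")
$holders   = @{}   # principal object id -> human-readable label

foreach ($name in $syncRoles) {
    # The unified role-definition API returns the role even if it was never
    # "activated" in the tenant, unlike the legacy directoryRoles endpoint.
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { Write-Warning "Role '$name' not found in this tenant"; continue }

    Write-Host "`n== $name =="
    # Only explicitly listed permissions show up here (expect a single read action
    # for Directory Synchronization Accounts); ADSynchronization.ReadWrite.All is implicit.
    $def.RolePermissions.AllowedResourceActions | ForEach-Object { Write-Host "  explicit: $_" }

    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty Principal
    foreach ($a in $assignments) {
        $p     = $a.Principal.AdditionalProperties
        $label = "{0} [{1}] {2}" -f $p['displayName'], $p['@odata.type'], $p['userPrincipalName']
        Write-Host "  holder: $label"
        $holders[$a.PrincipalId] = $label
    }
}

# Audit check: password resets in the last 7 days whose initiator holds a sync role.
# The activity name below is an assumption; confirm it against your tenant's audit log.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$resets = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Reset user password' and activityDateTime ge $since"
foreach ($e in $resets) {
    # Initiator is either a user or an application (service principal)
    $actorId = if ($e.InitiatedBy.User.Id) { $e.InitiatedBy.User.Id } else { $e.InitiatedBy.App.ServicePrincipalId }
    if ($actorId -and $holders.ContainsKey($actorId)) {
        $target = ($e.TargetResources | Select-Object -First 1).UserPrincipalName
        Write-Host ("ALERT {0}: {1} reset password of {2}" -f $e.ActivityDateTime, $holders[$actorId], $target)
    }
}
```

Resets performed through the private synchronization API may be logged under a different activity name, or only as a change to the user object, so compare the output with the audit events generated by your own Entra Connect or Cloud Sync account before relying on this filter.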
Conclusion: Vigilance is Paramount in the Hybrid World
Hybrid identity is fundamental to modern enterprise operations, but the security of the synchronization bridge between AD and Entra ID remains a critical exposure point. While Microsoft’s recent hardening efforts are positive steps, the persistence of potent, implicit permissions within specific synchronization roles, coupled with the introduction of a new application exposing this same power, underscores the need for constant vigilance.
Organizations cannot afford to be complacent based on documented permissions alone. By proactively identifying which identities hold these risky roles, treating them with the necessary security controls, and implementing robust monitoring, you can significantly strengthen your hybrid identity security posture and defend against potential abuse of these powerful synchronization capabilities.
Don’t let hidden permissions become your next security incident.
To further enhance your hybrid identity security posture, contact me via my LinkedIn profile or at [email protected]
Frequently Asked Questions (FAQ)
- What are the Entra ID synchronization roles? These are specific roles assigned to service accounts used by Microsoft synchronization tools (Entra Connect, Entra Cloud Sync) to replicate identities between on-premises Active Directory (AD) and Entra ID. The primary roles discussed are Directory Synchronization Accounts and On-Premises Directory Sync Account.
- Why are these roles considered a security risk? Despite recent hardening efforts, these roles retain powerful implicit permissions, specifically ADSynchronization.ReadWrite.All, accessible via a private API. This permission allows entities holding the role to manage synchronized hybrid users, including resetting passwords, which poses a significant risk if the account is compromised.
- How does ADSynchronization.ReadWrite.All permission allow privilege escalation? While the roles’ explicit permissions might seem limited (e.g., read-only), the implicit ADSynchronization.ReadWrite.All permission allows write actions on hybrid users, including password resets. An attacker exploiting this could gain access to legitimate user accounts, effectively escalating their privileges within the hybrid environment.
- When did Microsoft reduce the permissions on these roles? Microsoft announced and implemented a significant reduction in the explicitly listed permissions for the Directory Synchronization Accounts role in August 2024.
- Who should monitor for these risky synchronization roles/permissions? Organizations using hybrid identity (synchronizing AD with Entra ID) should proactively monitor their Entra ID tenant to identify which service principals or users have these specific synchronization roles or the ADSynchronization.ReadWrite.All permission, and treat those identities as privileged.
Resources
- Tenable Blog: Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse
- Tenable Blog: Stealthy Persistence with “Directory Synchronization Accounts” Role in Entra ID
- Microsoft Entra ID (formerly Azure AD) Documentation
- Microsoft Graph API Permissions Reference
- Entra Connect Documentation
- Entra Cloud Sync Documentation
- AADInternals Toolkit (External Security Tool)