I was on a call with a Fortune 500 IR team when the question came out of left field: "How did they get into our Microsoft 365 environment when everything's in Azure and we don't even use on-prem Exchange anymore?"
The answer came fast: AD Connect sync server. The attacker had compromised that server months earlier, used it to create a backdoor account with password sync enabled, and waited until the target user logged into Microsoft 365 to pivot.
Hybrid identity deployments create attack surfaces that don't exist in cloud-only Entra ID environments. Every sync connection, every authentication bridge, is a potential vector for attackers to move between on-premises Active Directory and Entra ID.
I've seen this pattern repeatedly across engagements. Organizations deploy hybrid identity with good intentions—seamless SSO, shared password policies, gradual migration—but they rarely assess the attack surface those connections create.
What Hybrid Identity Actually Means
Let's be clear about what we're talking about. Hybrid identity in the Microsoft ecosystem means:
- Password Hash Sync (PHS): Password hashes from on-prem AD sync to Entra ID
- Pass-through Authentication (PTA): Authentication requests pass through an on-prem agent to the domain controller
- Federation with ADFS: On-prem Active Directory Federation Services handles authentication
- AD Connect sync: User, group, and contact objects sync between on-prem AD and Entra ID
Each of these carries different security implications. The more bridges you have between environments, the more paths attackers can use to cross from one domain to another.
The Synchronization Attacks
Password Hash Sync Risks
When you enable password hash sync, you're essentially replicating your on-prem credentials to the cloud. This creates a few attack vectors:
- Compromised sync account: The account AD Connect uses to connect to Azure (typically a Global Admin) is high-value. If an attacker compromises this account, they can manipulate the sync.
- Password spray on synced accounts: If an attacker gets a list of synced email addresses, they can spray passwords against both on-prem and cloud resources, and a hit in one environment is valid in the other.
- Golden ticket equivalent: If an attacker can modify the sync account's password in Entra ID, they could potentially create a backdoor that persists even if on-prem credentials change.
The real danger isn't the sync itself—it's that you're maintaining two copies of your credential data. More copies mean more opportunities for compromise.
Pass-through Authentication Pitfalls
PTA seems simpler than PHS, but it has its own risks:
- Agent server compromise: The PTA agent runs on an on-prem server. If that server is compromised, the attacker has access to all authentication requests.
- No offline capability: PTA requires connectivity to the agent server. Attackers who can disrupt this connectivity can cause denial of service.
- Credential exposure: The PTA agent stores credentials locally on the agent server. If an attacker can access those credentials, they have a path back to your domain controllers.
I've seen attackers enumerate PTA agent servers through DNS scans, then target them specifically for credential extraction.
Federation with ADFS
Federation seems more complex, but it's actually the most dangerous if misconfigured:
- Token signing key compromise: If an attacker gets the ADFS token signing keys, they can forge any SAML token and authenticate as anyone.
- Relay attacks: ADFS endpoints can be targeted for relay attacks, especially if TLS termination happens at a load balancer before ADFS.
- Trust relationship exploitation: If the trust between your on-prem AD and Entra ID is compromised, attackers can create long-lived access.
The critical mistake I see most often: organizations secure their ADFS farm but forget about the proxy servers. Those WAP (Web Application Proxy) servers are often less hardened and become the entry point.
Authentication Bridge Vulnerabilities
The Seamless SSO Trap
Seamless SSO in Entra ID is supposed to make on-prem authentication smoother. In practice, it creates a vulnerability.
Seamless SSO uses a shared secret between your on-prem AD and Entra ID. This secret is stored in Entra ID and replicated to domain controllers via the AD Connect sync.
Here's what happens when that secret gets exposed:
- Dormant account abuse: An attacker finds a dormant account in Entra ID that syncs from on-prem. They reset the password hash in on-prem AD using the shared secret.
- No MFA enforcement: Seamless SSO can bypass MFA if the on-prem authentication doesn't enforce it.
- Password sprays become silent: Attackers can reset passwords for multiple accounts using the shared secret, then attempt login with new credentials.
I once found a compromised account where the attacker used seamless SSO to reset passwords on 200+ accounts over a weekend. The organization had no detection for password change events from the cloud.
The Delta Sync Window
AD Connect performs delta syncs every 30 minutes by default. This creates a timing vulnerability:
- Delete-and-recreate attacks: An attacker deletes a user in on-prem AD, waits for sync to propagate, creates a new user with the same email in Entra ID only, then waits for the next sync cycle.
- Role assignment hijacking: If an attacker can influence who gets synced and when, they can create scenarios where privileged users don't sync properly while their own backdoor account does.
- Stale credentials: If an employee leaves and their on-prem account gets disabled but the sync hasn't run yet, they might still be able to authenticate via Entra ID.
The window isn't large, but it's enough for sophisticated attackers to establish persistence.
The Identity Synchronization Attack Path
Here's a real pattern I've seen multiple times:
- Initial access: Attacker compromises a domain-joined workstation via phishing or exploit.
- Lateral movement to sync server: Using credentials from the initial compromise, attacker moves to the AD Connect server (often poorly secured because it's "just a sync server").
- Credential access: Attacker extracts the Azure AD Connect sync account credentials from the server or registry.
- Cloud access: Using those credentials, attacker authenticates to Entra ID with Global Admin rights.
- Persistence: Attacker creates a guest user in Entra ID, grants themselves Global Admin, then disables the Azure AD Connect sync to prevent detection.
- Lateral movement back: Attacker uses their Entra ID Global Admin access to compromise other cloud resources.
The key insight: hybrid identity turns a single point of compromise into a two-domain compromise. Once you're in the sync server, you have access to both environments.
Detection Gaps I Consistently Find
Organizations often have excellent detection for on-prem AD attacks and separate detection for Entra ID, but the gaps between them are where attackers thrive.
Missing Cross-Domain Correlation
- Password change events on the sync server not correlated with Entra ID password reset events
- Authentication anomalies in Entra ID that should trigger checks on the on-prem side
- Sync failures not investigated as potential attack indicators
I've seen incidents where sync was disabled for weeks before detection. The attackers needed it disabled to prevent their activities from syncing back.
Weak Sync Account Protection
- Sync accounts with excessive permissions (Global Admin when Contributor would suffice)
- No monitoring on sync account activity
- Shared credentials across multiple environments
Inconsistent Authentication Policies
- On-prem MFA required but cloud access not enforcing it
- Different password complexity requirements between environments
- Missing session controls for hybrid-authenticated users
Mitigation Priorities
Priority 1: Secure the Sync Infrastructure
- Dedicated hardware or VMs for AD Connect servers, isolated from other workloads
- Least privilege sync accounts - use the Azure AD Connect Health service account with minimal permissions
- Network segmentation - sync servers should only communicate with domain controllers and Azure endpoints
Priority 2: Monitor the Bridges
- Sync server monitoring - alert on any login to AD Connect servers, especially interactive logons
- Delta sync monitoring - alert on unexpected sync failures or delayed syncs
- Authentication bridge logging - log all PTA agent and ADFS proxy access
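As an added illustration of the Priority 2 checks and the cross-domain correlation gap described earlier (interactive logons to the sync server, stale delta syncs, and password resets that are never correlated across the on-prem and Entra ID logs), here is example detection logic run over constructed sample events; it is not code from the original post. It assumes hypothetical hostnames and account names, Windows Security event IDs 4624 (logon) and 4724 (password reset), and the Entra ID audit activity name "Reset user password".

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADCONNECT_HOSTS = {"ADSYNC01"}               # hypothetical AD Connect server inventory
INTERACTIVE_LOGON_TYPES = {2, 10}             # 4624 LogonType: 2 = console, 10 = RDP
DELTA_SYNC_INTERVAL = timedelta(minutes=30)   # AD Connect default delta-sync cycle

def actor_key(name):
    """Map 'DOMAIN\\user' and 'user@tenant' to one key so both logs correlate."""
    return name.split("\\")[-1].split("@")[0].lower()

def interactive_logons_to_sync_servers(events):
    """Windows 4624 events with an interactive logon type on an AD Connect host."""
    return [(e["actor"], e["host"]) for e in events
            if e["source"] == "onprem" and e["event_id"] == 4624
            and e["host"] in ADCONNECT_HOSTS and e["logon_type"] in INTERACTIVE_LOGON_TYPES]

def sync_is_stale(last_success, now, missed_cycles=2):
    """True once more than `missed_cycles` delta-sync intervals pass without a success."""
    return now - last_success > DELTA_SYNC_INTERVAL * missed_cycles

def password_reset_bursts(events, window=timedelta(hours=1), threshold=5):
    """Peak resets per initiator in any sliding window, counting on-prem 4724 and Entra ID 'Reset user password' together."""
    by_actor = defaultdict(list)
    for e in events:
        if (e["source"] == "onprem" and e["event_id"] == 4724) or \
           (e["source"] == "entra" and e["activity"] == "Reset user password"):
            by_actor[actor_key(e["actor"])].append(e["time"])
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # slide the window's left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts[actor] = best
    return alerts

# Constructed sample: one RDP logon to the sync server, then four on-prem and three cloud resets by one service account in seven minutes.
T0 = datetime(2024, 1, 6, 22, 0)
SAMPLE_EVENTS = (
    [{"source": "onprem", "event_id": 4624, "host": "ADSYNC01", "logon_type": 10, "actor": "CONTOSO\\jdoe", "time": T0}]
    + [{"source": "onprem", "event_id": 4724, "host": "DC01", "actor": "CONTOSO\\svc_adsync",
        "time": T0 + timedelta(minutes=i)} for i in range(4)]
    + [{"source": "entra", "activity": "Reset user password", "actor": "svc_adsync@contoso.example",
        "time": T0 + timedelta(minutes=4 + i)} for i in range(3)]
)
```

Seen separately, neither log crosses the five-reset threshold; only the normalised, combined view does, which is the correlation gap the text describes.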
Priority 3: Enforce Consistent Controls
- Conditional Access for all users, regardless of authentication method
- MFA enforcement at the Entra ID level, not just on-prem
- Regular access reviews for hybrid identity configurations
Priority 4: Test Your Assumptions
- Breach simulation: Test whether compromising the sync server actually gives cloud access
- Authentication path mapping: Document every authentication bridge and verify it's necessary
- Fallback scenario testing: What happens if the sync server goes down? Can you authenticate?
The Bottom Line
Hybrid identity is often deployed as a transitional state between on-prem and cloud, but many organizations stay in hybrid forever without assessing the attack surface they've created.
The critical question isn't "Do we need hybrid identity?" It's "What attack paths have we created by maintaining these bridges between on-prem and cloud?"
If you're in hybrid, audit your authentication bridges. Document what's syncing, how it syncs, and what would happen if each component was compromised.
Then assume attackers have found those bridges. Design your detection and response around that assumption.
What I tell every client: "You're not just managing AD and Entra ID separately. You're managing the space between them. That space is where attackers live." Start there, and your security posture improves dramatically.