Clément Notin
cnotin.bsky.social
Here's (finally!) what I've found about this 😉
bsky.app/profile/cnot...
Microsoft hardened the Entra ID synchronization feature last year:
- restricted permissions on Directory Synchronization Accounts role
- new dedicated sync app
Let’s find out how sync still works 🔍
Some old tricks persist—and new ones have emerged 💥
tenable.com/blog/despite... 🧵
Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse
Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchroniza...
tenable.com
April 24, 2025 at 1:46 PM
To summarize, these hardenings are great (and the new app will likely allow supporting some security features), but it doesn't prevent everything and even introduces new cracks to monitor.
There's no magic to keep this feature working anyway 😉
April 24, 2025 at 1:39 PM
And what about the new "Microsoft Entra AD Synchronization Service" application? 🤔
It exposes a new permission: ADSynchronization.ReadWrite.All, which also allows calling the sync API when granted to a service principal ➡️ same impact
April 24, 2025 at 1:39 PM
The Directory Synchronization Accounts role has lost most of its Entra permissions... but it retains implicit permissions to call the undocumented synchronization API 😯 ➡️ reset hybrid users' passwords
And so does the new "On Premises Directory Sync Account" Entra role 👀
April 24, 2025 at 1:39 PM
Hey! Indeed!
December 23, 2024 at 12:17 PM
⚠️ this is likely unsupported by Microsoft even though this method is advised to clean broken trust objects
support.microsoft.com/en-us/topic/...

And as described in the doc, this operation is not global: it's only effective in the same LDAP connection. That's why using ldp or LDIFDE helps
KB5040758: Deleting a stale, corrupt, or orphaned Trust object in Active Directory - Microsoft Support
support.microsoft.com
December 23, 2024 at 10:32 AM
Log in as Domain or Schema admin
- Use ldp.exe and set the "schemaUpgradeInProgress" operation to 1 using Browse -> Modify
- Now you can clear this protected attribute
- Or set any value
Then stop it by setting "schemaUpgradeInProgress" to 0
December 23, 2024 at 10:32 AM
Thanks!
December 20, 2024 at 5:36 PM
Damn indeed of course! I’m tired 😅
December 20, 2024 at 5:33 PM
But you can log in without the invite? Because it was already sent earlier to the typo'd domain that the attacker didn't own yet
December 20, 2024 at 5:29 PM
I think the issue was this one by @dirkjanm.io:
dirkjanm.io/assets/raw/U...
but it was fixed
dirkjanm.io
December 20, 2024 at 12:00 PM
You mean it cannot work because the attacker would have to have the invite link too? I think so too 🤔
December 20, 2024 at 11:57 AM
Hey! Do you remember the podcast please?
December 20, 2024 at 11:54 AM