On-premises Active Directory Hacks Microsoft 365 Services
In my previous article, The End of Active Directory: Why Your Cybersecurity Strategy Demands Entra ID Now, I wrote about the inherent incompatibility of Active Directory with modern enterprise security architectures and cloud strategies.

Originally published on LinkedIn
Only three months later, another design vulnerability was presented at BlackHat USA on 6th August 2025. As explained in the article New Active Directory Lateral Movement Techniques that Bypass Authentication and Exfiltrate Data and the BlackHat presentation by Dirk-jan Mollema titled Advanced Active Directory to Entra ID Lateral Movement Techniques, attackers who control a Domain Controller can add arbitrary keys to the OnPremAuthenticationFlowPolicy and then authenticate successfully as any Entra ID account. Microsoft has since fixed some aspects of the vulnerability, but some issues remain.
For me, this reinforces my belief that the Active Directory to Entra ID hybrid mode cannot be properly secured and should only be used during transition to the cloud.
Hybrid Mode Security
For those who use hybrid mode in any configuration, here is a checklist to make the hybrid mode more secure.
Improving Security of Active Directory
Active Directory (AD) is the weakest point in the hybrid mode design. This is due to several factors:
- AD defaults have been set by Microsoft to prioritise compatibility over security
- Organisations have not changed the defaults to more secure settings by following plentiful guidance from Microsoft and CISA
- Organisations have not managed Active Directory as a Tier-0 (most security-critical) system using Privileged Access Management tools and/or Privileged Access Workstations
- Active Directory, in its default setup, does NOT support any form of multi-factor authentication. At best, since Active Directory Server 2016, you can configure smart card authentication, but that requires additional setup and investment. Thinking of FIDO2 Passkeys? Keep dreaming.
I am not going to write an extensive checklist on how to secure Active Directory; many have been written already by Microsoft, US CISA, US NIST, etc. (links in the references section).
Improving Security of the Hybrid-Mode Connection
I recommend the following configuration and operational practices, which greatly improve the security of a hybrid-mode setup:
- Set up an Azure Sentinel query and monitor for positive results:
Least Privilege Principle in Entra ID Connect Setup
One of the most important principles in cybersecurity is “Least Privilege”: an account is granted only the privileges required to perform its function, and every privilege it does not require is revoked.
In the Entra ID Connect setup, there are two account objects with privileges:
- An account in on-premises Active Directory that reads the directory data, and if password writeback is configured, also changes users’ passwords
- An account principal in Entra ID that manages user accounts in Entra ID
Neither of these accounts needs full administrator privileges. Unfortunately, some teams follow the path of least resistance and hastily configure the accounts with Domain Admin (Active Directory) and Global Administrator (Entra ID) privileges. This introduces a serious security weakness and hugely expands the attack surface: whoever compromises the sync account inherits those privileges.
On-Premises Active Directory Account:
- Replicating Directory Changes (for reading user/group objects)
- Replicating Directory Changes All (for password hash sync, if enabled)
- Read permissions on user, group, and computer objects
- Read permissions on specific attributes being synchronised
- Only grant permissions to the OUs that contain objects you need to sync to Entra ID
- Don’t use Domain Admin, Enterprise Admin, or Schema Administrator!
Azure AD/Entra ID Account:
- Directory Synchronization Accounts role (built-in role specifically for sync)
- DO NOT use Global Administrator role, which sadly is a common misconfiguration!
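The following audit script is an added example, not code from the original article or from Microsoft. It checks the two sides of the checklist above: which on-premises principals hold the Replicating Directory Changes / Replicating Directory Changes All control-access rights on the domain root (expected: Domain Controllers, the built-in Administrators group and the Entra ID Connect account), and whether the Entra ID sync account is a member of Global Administrator rather than only Directory Synchronization Accounts. It assumes the ActiveDirectory and Microsoft.Graph.Identity.DirectoryManagement PowerShell modules are installed, that the caller can read the domain ACL and has Directory.Read.All in the tenant, and that sync accounts are named MSOL_* (on-premises) and Sync_* (Entra ID); the name pattern is a parameter so it can be adjusted. The two GUIDs are the well-known schema constants for these rights, not tenant-specific values.

```powershell
# Added example: audit Entra ID Connect account privileges on both sides.
# Assumptions (see lead-in): ActiveDirectory + Microsoft.Graph modules present,
# sufficient read rights, and sync accounts matched by $SyncAccountPattern.
param(
    [string] $SyncAccountPattern = '^(MSOL_|Sync_)',
    # Principals that hold replication rights by default in every domain.
    [string] $ExpectedHolderPattern = 'Domain Controllers|ENTERPRISE DOMAIN CONTROLLERS|BUILTIN\\Administrators'
)

# Control-access-right GUIDs (schema constants, identical in every forest).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolders {
    # Lists every explicit Allow ACE on the domain naming context that grants
    # one of the two replication rights. Note: principals with full control
    # (GenericAll, e.g. Domain Admins) are not listed here but implicitly
    # hold these rights as well.
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.ActiveDirectoryRights.ToString() -match 'ExtendedRight' -and
            $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
            }
        }
    }
}

function Get-SyncAccountRoleAssignments {
    # Lists members of the two Entra ID roles relevant to the sync account.
    # The sync account should appear only under 'Directory Synchronization
    # Accounts', never under 'Global Administrator'.
    Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop
    Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome | Out-Null
    foreach ($roleName in 'Global Administrator', 'Directory Synchronization Accounts') {
        # Get-MgDirectoryRole only returns roles already activated in the tenant.
        $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
        if (-not $role) { continue }
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
            $upn = $member.AdditionalProperties['userPrincipalName']
            $name = if ($upn) { $upn } else { $member.Id }   # service principals have no UPN
            [pscustomobject]@{
                Role          = $roleName
                Member        = $name
                IsSyncAccount = [bool]($name -match $SyncAccountPattern)
            }
        }
    }
}

# --- Run the audit and report findings that contradict the checklist ---
$holders = Get-ReplicationRightHolders
$holders | Format-Table -AutoSize

$assignments = Get-SyncAccountRoleAssignments
$assignments | Format-Table -AutoSize

# Finding 1: the sync account holds Global Administrator.
$assignments |
    Where-Object { $_.Role -eq 'Global Administrator' -and $_.IsSyncAccount } |
    ForEach-Object { Write-Warning "Sync account $($_.Member) is a Global Administrator; move it to Directory Synchronization Accounts only." }

# Finding 2: the sync account is missing from the dedicated role.
if (-not ($assignments | Where-Object { $_.Role -eq 'Directory Synchronization Accounts' -and $_.IsSyncAccount })) {
    Write-Warning "No account matching '$SyncAccountPattern' found in Directory Synchronization Accounts."
}

# Finding 3: replication rights granted to something other than DCs, the
# built-in Administrators group or the on-premises sync account.
$holders |
    Where-Object { $_.Principal -notmatch $ExpectedHolderPattern -and $_.Principal -notmatch $SyncAccountPattern } |
    ForEach-Object { Write-Warning "Unexpected holder of '$($_.Right)': $($_.Principal)" }
```

Run it from a Privileged Access Workstation with an account that is allowed to read the domain ACL; each warning maps to one bullet of the checklist. The domain-root ACL check deliberately reports only explicit ACEs, so treat any GenericAll holder as also able to read password hashes, and keep that set limited to Tier-0 groups.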
Dedicated Exchange Hybrid Entra ID Application
If your organisation still uses Exchange hybrid mode (some mailboxes on an on-premises Exchange server and some in Exchange Online), then you should set up a dedicated Entra ID application now, as Microsoft is planning to enforce the separation by October 2025.
More information from Microsoft: Deploy a dedicated Microsoft Entra application for Exchange hybrid
Conclusion
The recent BlackHat vulnerability disclosure serves as another stark reminder that hybrid Active Directory environments present significant security risks. While these mitigations can improve your security posture, they are ultimately band-aid solutions to fundamental architectural problems. I therefore strongly advise moving fully to a cloud-first architecture and leaving on-premises Active Directory standalone, to be decommissioned as soon as possible.
Until that migration is complete, implementing the security measures I mention above and in the references is crucial to reducing your organisation’s attack surface.
References
- Vladimir’s blog post about the need to migrate off on-premises AD: The End of Active Directory: Why Your Cybersecurity Strategy Demands Entra ID Now
- BlackHat presentation: Advanced Active Directory to Entra ID Lateral Movement Techniques
- Cybersecurity News article: New Active Directory Lateral Movement Techniques that Bypass Authentication and Exfiltrate Data
- Microsoft documentation: Deploy a dedicated Microsoft Entra application for Exchange hybrid
- Microsoft Best Practices for Securing Active Directory: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
- Microsoft Securing Privileged Access: https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview
- CISA Active Directory Security Technical Implementation Guide: https://www.cisa.gov/resources-tools/resources/active-directory-security-technical-implementation-guide
- NIST SP 800-63B Authentication and Lifecycle Management: https://pages.nist.gov/800-63-3/sp800-63b.html
- CISA/NSA/FBI Cybersecurity Advisory on Active Directory Best Practices: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a