Architecture
Password Hash Synchronization (PHS):
Entra Connect pulls password hashes from on-prem AD with directory replication, the same DRS calls that DCSync abuses; the MSOL_<id> connector account holds the Replicating Directory Changes / Replicating Directory Changes All rights this needs. The NT hash is re-hashed (per-user salt, PBKDF2-HMAC-SHA256, 1000 iterations) before it is sent to Entra ID, so the cloud copy cannot be replayed against on-prem.
All on-prem users can access Entra ID resources (Teams, M365, SharePoint, etc.) with their AD password.
Easy to pivot from on-prem because every user is available in the cloud. The MSOL_ account is a juicy target because it is used to sync passwords: whoever recovers its credentials (they sit, recoverable, in the ADSync database on the Connect server) can DCSync the whole domain, and its replication traffic is expected, so it blends in.
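Added example, not part of the original notes: triage Security event 4662 for the replication requests that DCSync and the Entra Connect sync share, and flag any account other than a DC or the connector account. The input is constructed sample data shaped like parsed 4662 records; the account names (DC01$, DC02$, MSOL_1a2b3c4d5e6f) are hypothetical. The right and class GUIDs are the real schema values.

```powershell
# Added example (not from the original notes). On a DC, replace $Sample with
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4662 }
# 4662 is only written when "Audit Directory Service Access" is enabled and the
# domain head's SACL audits control-access rights.

# Control access rights a replication request carries in the Properties field.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$DomainDnsClass = '19195a5b-6da0-11d0-afd3-00c04fd930c9'   # schemaIDGUID of domainDNS (the domain head)

function Find-UnexpectedDcSync {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Only DCs (computer accounts) and the Entra Connect connector account
        # should replicate. Hypothetical names; take yours from the Connect
        # server's AD connector configuration.
        [string[]] $AllowedAccounts = @('DC01$', 'DC02$', 'MSOL_1a2b3c4d5e6f')
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4662 -or $e.ObjectType -notmatch $DomainDnsClass) { continue }
        $rights = foreach ($guid in $ReplicationRights.Keys) {
            if ($e.Properties -match $guid) { $ReplicationRights[$guid] }
        }
        if (-not $rights) { continue }                       # access to the domain head, but not replication
        if ($AllowedAccounts -contains $e.SubjectUserName) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Rights      = $rights -join ', '
            Verdict     = 'replication request from an account that should never replicate (DCSync?)'
        }
    }
}

# Constructed sample: a DC-to-DC replication, one MSOL sync cycle, one
# replication request from an ordinary user (the one to investigate), and one
# unrelated read of a user object.
$Sample = @(
    [pscustomobject]@{ Id=4662; TimeCreated=[datetime]'2024-05-01T08:00:01'; SubjectDomainName='CORP'; SubjectUserName='DC02$'
                       ObjectType="%{$DomainDnsClass}"; Properties='{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id=4662; TimeCreated=[datetime]'2024-05-01T08:02:13'; SubjectDomainName='CORP'; SubjectUserName='MSOL_1a2b3c4d5e6f'
                       ObjectType="%{$DomainDnsClass}"; Properties='{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id=4662; TimeCreated=[datetime]'2024-05-01T08:05:44'; SubjectDomainName='CORP'; SubjectUserName='jsmith'
                       ObjectType="%{$DomainDnsClass}"; Properties='{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id=4662; TimeCreated=[datetime]'2024-05-01T08:06:00'; SubjectDomainName='CORP'; SubjectUserName='jsmith'
                       ObjectType='%{bf967aba-0de6-11d0-a285-00aa003049e2}'; Properties='{bf967a0a-0de6-11d0-a285-00aa003049e2}' }
)

# Only the jsmith replication request is reported.
Find-UnexpectedDcSync -Events $Sample | Format-Table -AutoSize
```

The MSOL_ account is allow-listed by name, so a stolen MSOL_ credential replayed from another host is invisible to this check; correlate 4624 logons for the MSOL_ account against the Connect server's address, and periodically review which principals hold the replication rights on the domain head, because an attacker who can write the domain ACL may grant them to a second account.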

Pass-Through Authentication (PTA):
Entra ID hands the user's username and (encrypted) password to an on-prem PTA agent, which validates them against a domain controller and returns the verdict. Password hashes are not synced to the cloud unless PHS is also switched on as a fallback.
Attacker perspective: a compromised agent host sees every validated password in clear text, a modified agent can be made to accept any password, and a Global Administrator (or another role allowed to manage Entra Connect, such as Hybrid Identity Administrator) can register new agents on attacker-controlled hosts. For IR, inventory the agent hosts and confirm each agent binary is the unmodified Microsoft one.
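Added example, not part of the original notes: a host-side audit for a PTA agent. It checks that the host is in the expected agent inventory, that the service binary carries a valid Microsoft signature, and that no unsigned module has been loaded into the agent process. The service name, process name and install path are the ones the Microsoft installer uses at the time of writing; the host names PTA01 and PTA02 are hypothetical. Run it elevated so the process module list is readable.

```powershell
# Added example (not from the original notes). Assumed installer defaults; verify
# locally with: Get-Service | Where-Object DisplayName -like '*Authentication Agent*'
$AgentService = 'AzureADConnectAuthenticationAgent'
$AgentProcess = 'AzureADConnectAuthenticationAgentService'

function Test-PtaAgentHost {
    param(
        # Hosts that are supposed to run an agent (hypothetical names).
        [string[]] $ExpectedAgentHosts = @('PTA01', 'PTA02')
    )
    $svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; AgentInstalled = $false; Findings = 'no agent service' }
    }
    $findings = @()
    if ($env:COMPUTERNAME -notin $ExpectedAgentHosts) {
        $findings += 'agent on a host that is not in the inventory (rogue or forgotten agent?)'
    }

    # Resolve the service binary (PathName may be quoted and may carry arguments).
    $pathName = (Get-CimInstance Win32_Service -Filter "Name='$AgentService'").PathName
    $binPath  = if ($pathName -match '^"([^"]+)"') { $Matches[1] } else { ($pathName -split ' ')[0] }
    $sig = Get-AuthenticodeSignature -FilePath $binPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        $findings += "service binary $binPath is not validly signed by Microsoft (status: $($sig.Status))"
    }

    # A tampered agent usually means foreign code loaded into the agent process.
    # OS DLLs under SystemRoot are skipped to keep catalog-only signatures from
    # drowning the result; widen this if the host itself is suspect.
    $proc = Get-Process -Name $AgentProcess -ErrorAction SilentlyContinue
    if ($proc) {
        foreach ($m in $proc.Modules) {
            if ($m.FileName -like "$env:SystemRoot\*") { continue }
            $ms = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if ($ms.Status -ne 'Valid') {
                $findings += "unsigned or invalid module in agent process: $($m.FileName)"
            }
        }
    } else {
        $findings += 'agent service present but its process is not running'
    }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        AgentInstalled = $true
        ServiceStatus  = $svc.Status
        Binary         = $binPath
        Findings       = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

Test-PtaAgentHost | Format-List
```

Run it on every server that could plausibly host an agent, not just the ones you know about; the point of the inventory check is to find agents nobody admits to registering.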

ADFS (federation):
On-prem AD is in charge of authentication to the cloud: Entra ID trusts tokens signed by the ADFS farm's token-signing certificate. Whoever holds that certificate can mint tokens for any federated user without ever touching AD (Golden SAML), so in IR the signing certificate and the domain's federation settings are the first things to review.
Conditional Access is not evaluated at ADFS itself, which applies its own access-control policies; Entra ID still evaluates CAPs when the federated token is redeemed for a cloud app. The catch: if the domain's federation settings let Entra ID accept the IdP's MFA claim (federatedIdpMfaBehavior = acceptIfMfaDoneByFederatedIdp), a token that asserts MFA satisfies a CA MFA requirement, forged or not.
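Added example, not part of the original notes: review every federated domain's settings with the Microsoft Graph PowerShell SDK, flagging domains that let Entra ID accept MFA claims from the IdP and token-signing certificates that are not on your known-good list. It needs Microsoft.Graph.Identity.DirectoryManagement and a session with Domain.Read.All; the thumbprint in the final call is a placeholder you replace with your farm's real value.

```powershell
# Added example (not from the original notes). Connect first with:
#   Connect-MgGraph -Scopes Domain.Read.All

function Test-FederationConfig {
    param(
        # Objects shaped like Get-MgDomainFederationConfiguration output, each
        # with a Domain property added by the caller.
        [Parameter(Mandatory)] [object[]] $Federations,
        # Thumbprints of the token-signing certs the ADFS farm is known to use.
        [string[]] $KnownSigningThumbprints = @()
    )
    foreach ($f in $Federations) {
        $findings = @()

        # Entra ID will honour an MFA claim minted by the IdP, so a forged token
        # can claim MFA and pass a Conditional Access MFA requirement.
        if ($f.FederatedIdpMfaBehavior -eq 'acceptIfMfaDoneByFederatedIdp') {
            $findings += 'Entra ID accepts MFA claims from the federated IdP'
        }

        # Both the current and the staged "next" signing cert must be ones you
        # issued; an extra or replaced cert is how a Golden SAML backdoor persists.
        $certs = @($f.SigningCertificate, $f.NextSigningCertificate) | Where-Object { $_ }
        foreach ($b64 in $certs) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
            if ($KnownSigningThumbprints -and $cert.Thumbprint -notin $KnownSigningThumbprints) {
                $findings += "unknown token-signing cert $($cert.Thumbprint) ($($cert.Subject), valid until $($cert.NotAfter.ToString('yyyy-MM-dd')))"
            }
        }

        [pscustomobject]@{
            Domain           = $f.Domain
            IssuerUri        = $f.IssuerUri
            PassiveSignInUri = $f.PassiveSignInUri
            MfaBehavior      = $f.FederatedIdpMfaBehavior
            Findings         = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Collect the federation configuration of every federated domain in the tenant.
$feds = foreach ($d in Get-MgDomain | Where-Object AuthenticationType -eq 'Federated') {
    Get-MgDomainFederationConfiguration -DomainId $d.Id |
        Add-Member -NotePropertyName Domain -NotePropertyValue $d.Id -PassThru
}

# Placeholder thumbprint; replace with the farm's real token-signing cert(s).
Test-FederationConfig -Federations $feds -KnownSigningThumbprints @('0000000000000000000000000000000000000000') |
    Format-List
```

Treat the list of federated domains itself as a finding to verify: a domain that should be managed but shows up as federated, or an IssuerUri / PassiveSignInUri pointing anywhere other than your ADFS farm, indicates someone has federated it to an IdP they control.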

Azure Lighthouse:
Used by MSPs/MSSPs to manage many customer environments at once through delegated resource management: the customer onboards by deploying a registration definition (the managing tenant, its principals, and the Azure RBAC roles they receive) together with a registration assignment at the scope being delegated.
IR wants to understand how the client was onboarded: at subscription or resource-group level, to which managing tenant, for which principals, and with which roles. Those principals live in the MSP's tenant and never appear as users in the customer's Entra ID, yet they can act on the delegated resources, so an MSP compromise is a path into every onboarded customer.
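Added example, not part of the original notes: enumerate the Lighthouse delegations visible from a customer tenant and work out, from each registration assignment's resource ID, whether a whole subscription or only a resource group was delegated, and to whom. It needs Az.Accounts and Az.ManagedServices after Connect-AzAccount with at least Reader on the subscriptions; the output property names (RegistrationDefinition, Authorization, ManagedByTenantId, PrincipalIdDisplayName, DelegatedRoleDefinitionId) are those of Az.ManagedServices 3.x and should be confirmed with Get-Member on your version.

```powershell
# Added example (not from the original notes). Run after Connect-AzAccount.

function Get-DelegationScope {
    # Registration assignments live at the scope they delegate, so the resource
    # ID tells you whether a subscription or only a resource group is delegated.
    # Pure string parsing, so it also works on exported assignment IDs.
    param([Parameter(Mandatory)] [string] $AssignmentId)
    if ($AssignmentId -match '^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/Microsoft\.ManagedServices/') {
        return [pscustomobject]@{ Level = 'ResourceGroup'; SubscriptionId = $Matches[1]; ResourceGroup = $Matches[2] }
    }
    if ($AssignmentId -match '^/subscriptions/([^/]+)/providers/Microsoft\.ManagedServices/') {
        return [pscustomobject]@{ Level = 'Subscription'; SubscriptionId = $Matches[1]; ResourceGroup = $null }
    }
    [pscustomobject]@{ Level = 'Unknown'; SubscriptionId = $null; ResourceGroup = $null }
}

function Get-LighthouseDelegations {
    # One row per (assignment, authorization): the managing tenant, the principal
    # in that tenant, and the role it was given on the delegated scope.
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($sub in Get-AzSubscription) {
        $null = Set-AzContext -SubscriptionId $sub.Id
        # Assignments are listed per scope, so ask the subscription and every
        # resource group, then de-duplicate on assignment ID.
        $scopes = @("/subscriptions/$($sub.Id)") + @(Get-AzResourceGroup | ForEach-Object ResourceId)
        foreach ($scope in $scopes) {
            foreach ($a in Get-AzManagedServicesAssignment -Scope $scope -ExpandRegistrationDefinition) {
                if (-not $seen.Add($a.Id)) { continue }
                $where = Get-DelegationScope -AssignmentId $a.Id
                $def   = $a.RegistrationDefinition
                foreach ($auth in $def.Authorization) {
                    [pscustomobject]@{
                        Subscription       = $sub.Name
                        Level              = $where.Level
                        ResourceGroup      = $where.ResourceGroup
                        ManagingTenantId   = $def.ManagedByTenantId
                        ManagingTenant     = $def.ManagedByTenantName
                        Principal          = $auth.PrincipalIdDisplayName
                        PrincipalId        = $auth.PrincipalId
                        RoleDefinitionId   = $auth.RoleDefinitionId
                        DelegatedRoleIds   = ($auth.DelegatedRoleDefinitionId -join ',')
                        AssignmentId       = $a.Id
                    }
                }
            }
        }
    }
}

Get-LighthouseDelegations | Format-Table Subscription, Level, ResourceGroup, ManagingTenant, Principal, RoleDefinitionId -AutoSize
```

RoleDefinitionId is the GUID of the built-in Azure role (Owner is never delegable through Lighthouse, but User Access Administrator with DelegatedRoleIds is, and that combination lets the MSP assign further roles to managed identities in your subscription); resolve the GUIDs with Get-AzRoleDefinition and compare the managing tenant IDs against the contracts you actually hold.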
Where are password hashes stored? With PHS, Entra ID holds the re-hashed copy and the Connect server only forwards hashes without keeping them; with PTA and ADFS, hashes stay on the on-prem domain controllers.
Microsoft Cloud Solution Provider Monitoring
A cloud solution provider (CSP) is a participant in Microsoft's partner program; as such, CSPs must provide support to their downstream customers, which requires the former to have access to the latter's Entra tenant. To facilitate this cross-tenant access, CSPs commonly use delegated administrative privileges (DAP) or the newer granular delegated administrative privileges (GDAP). DAP gave the partner's Admin Agents group standing, Global Administrator-level access to every customer tenant; GDAP grants specific Entra roles to named partner security groups for a limited time, so a compromised partner only gets the roles that were delegated. For IR, list the partner relationships in the customer tenant and record which model is in use and which roles are delegated.