Architecture

What is password hash synchronization with Microsoft Entra ID? - Microsoft Entra IDMicrosoftLearn

Password Hash Syncronization:

All password hashes between on-prem AD and Entra ID are sync'd via DCSync.
All on-prem users can access Entra ID resources (Teams, M365, Sharepoint, etc).
- Easy to pivot from on-prem because all user are available. MSOL account is a juicy target because it's used to sync passwords.

Pass Through Authentication:

PTA agent is used to authenticate against an on-prem server. Password hashes are not sync'd.
Agents can be modified or new ones can be installed from attacker perspective.

ADFS:

On-prem AD is in charge of authentication to the cloud.
- CAPs do not apply to ADFS logins.

Azure Lighthouse:

Used by MS(S)Ps to manage multiple environments at once.
- IR wants to understand how the client was onboarded (subscription or resource group level).
  - Where are password hashes stored?

Microsoft Cloud Solution Provider Monitoring

A cloud solution provider is a participant in Microsoft's partner program; as such, cloud solution providers must provide support to their downstream customers, requiring the former to have access to the latter's Entra tenant. To facilitate this cross-tenant access, cloud solution providers commonly use delegated administrative privileges (DAP) or the newer granular delegated administrative privileges (GDAP).

PreviousRoles NextConditional Access

Last updated 5 months ago