Architecture
Password Hash Synchronization:
All password hashes between on-prem AD and Entra ID are synced by the connector account using directory replication (the same mechanism DCSync abuses).
All on-prem users can access Entra ID resources (Teams, M365, SharePoint, etc).
Easy to pivot from on-prem because all users are available in the cloud. The MSOL account is a juicy target because it's used to sync passwords and therefore holds replication rights.

Pass Through Authentication:
A PTA agent on an on-prem server validates the password against AD. Password hashes are not synced to the cloud.
From an attacker's perspective, existing agents can be modified or new ones can be installed, so the agent hosts and the set of registered agents need to be inventoried.

ADFS:
On-prem AD is in charge of authentication to the cloud.
Conditional Access policies (CAPs) do not apply to ADFS logins.

Azure Lighthouse:
Used by MS(S)Ps to manage multiple environments at once.
IR wants to understand how the client was onboarded (subscription or resource group level).
Where are password hashes stored?