Hybrid Identity
Last updated
Last updated
Organizations have resources, devices and applications both on-premises and in the cloud. Many enterprises se their on-prem AD identities to access Azure applications to avoid managing separate identities on both.
A single user identity for authentication and authorization to all resources, regardless of location is a hybrid identity
An on-premises AD can be integrated with Entra ID using Entra Connect with the following methods. Every method supports Single Sign-on (SSO):
Password Hash Sync (PHS)
Pass-Through Authentication (PTA)
Federation
It syncs users and a hash of their password hashes (not clear-text or original hashes) for on-prem AD to Entra ID. This is the simplest and most popular method for getting a hybrid identity.
By default, password expiry and account expiry are not reflected in Entra ID. That means a user whose on-prem password is expired, can continue to access Azure resources using the old password.
For on-prem an account with the name MSOL_<installationID>is automatically created. This account has replication (DCSync) permissions in the on-prem AD.
Enumerate MSOL users:
Once the Entra connect server is compromised. Use the below commands from the AADInternals module. Extract credentials of the MSOL_* and Sync_* accounts in clear text:
Using the creds of MSOL_* account, we can run DCSync against the on- prem AD:
Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory.
Install the PTA agent and collect credentials.
Entra Seamless SSO automatically signs users in when they are on-prem domain-joined machine. There is no need to use passwords to log in to Entra ID and on-prem application. On on-prem AD a user AZUREADSSOACCIs created. This account's Kebreros decryption key is shared with entra ID.
Password/key of the AZUREADSSOACC never changes
This means that if we can compromise the NTLM hash of the machine account, we can create silver tickets for any synced on-prem user.
First get NTLM hash
We just need the userPrincipalName and SID of the user to create the Silver ticket that can be used from any machine connected to the internet.
Create silver ticket:
In case of federationa trust is established between unrelated parties like on-premise AD and Entra ID. Users can access cloud applications by using their on-prem credentials.
AD FS is a claimed-based identity model. Claims are simply statements (for example name, identity, groupp), made about users that are used primarily for authorizing access to claim-based applications located anywhere on the internet.
A user is identified by ImmutableID. It is globally unique and stored in Entra ID. The ImmuatbleID is stored on-prem as ms-DS-ConsistencyGuidfor the user and/or can be derived from the GUID of the user
In ADFS, A SAML response is signed by a token-signing certificate. If the certificate is compromised, it is possible to authenticate to the Entra ID as ANY user in Entra ID. The certificate can be extracted from the AD FS server with Domain Admin privileges and then can be used from the internet connectd machine.
If we compromise a server with the authentication agent running, we can get the credentials for users in plain-text. We will first need to upload AADInternals.zip . Next, unzip it and run :
