Security risks of a hybrid Azure AD

Azure Active Directory is frequently discussed and regarded as more secure. However, what precisely constitutes security and in what aspects is it safer? Nowadays, many companies have adopted a hybrid Azure Active Directory setup. Therefore, what exactly is a hybrid Azure Active Directory, and in what ways does it enhance security, or conversely, what security challenges does it present? Is it possible to compromise an Azure Active Directory through an on-premises directory compromise? This was the question I posed to myself during my internship at the Security Factory. 

Consequently, I embarked on investigating this query. There are three distinct hybrid setups: Pass-through Authentication, Password Hash Synchronization, and Active Directory Federation Services. The research delineates the advantages and risks associated with each, and beyond the pros and cons of the different setups it investigates in detail how each setup functions. Finally, for each setup a proof of concept is provided that demonstrates the danger, and the execution, of a hybrid Azure Active Directory compromise in the event of an on-premises Active Directory compromise. All findings have been documented in the paper provided below.

A small teaser that can be provided about the paper is that in all cases, it is possible to compromise Azure Active Directory in the event of an on-premises Active Directory compromise. A hybrid setup is configured using the Azure Active Directory Connect tool, and this tool plays a crucial role in compromising the hybrid setup. If the server on which the tool is installed is compromised, a vertical privilege escalation to the Azure Active Directory can occur. In the case of a “Password Hash Synchronization” setup, the accompanying accounts can be compromised, and these accounts hold significant roles in both the Azure and on-premises environments. In the case of a Pass-through Authentication setup, the agents can be compromised to gain control over the logins taking place for the synchronized accounts.

Azure Active Directory

The conclusion that compromising Azure Active Directory is possible in the event of an on-premises Active Directory compromise does not imply that a hybrid setup is inherently insecure. It does, however, underscore the importance of being aware of the risks associated with a hybrid setup. A key consideration to mitigate the risk of compromise is being mindful of where the Azure Active Directory Connect tool is installed. Microsoft itself recommends treating that server as if it were a domain controller. This entails restricting the number of users with local administrative privileges on the server, controlling physical access to the server, and limiting the accounts that can log in interactively. Additionally, it is crucial to assess which users require Global Administrator rights in Azure AD, and to exercise caution when synchronizing these high-privilege users with the on-premises Active Directory. By attending to these factors, the likelihood of compromise is reduced, though not eliminated entirely.
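As an added illustration of two of these checks (this script is not part of the paper or of Azure AD Connect itself), the following PowerShell audits the local Administrators group on the Azure AD Connect server and lists Global Administrators whose accounts are synchronized from on-premises AD. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account can consent to the RoleManagement.Read.Directory and User.Read.All scopes.

```powershell
# Added audit script (not from the paper). Part 1 runs locally on the
# Azure AD Connect server; Part 2 runs from any workstation with the
# Microsoft.Graph module (assumed installed) against the tenant.

# --- Part 1: local exposure of the Connect server (treat it like a DC) ---
$sync = Get-Service -Name ADSync -ErrorAction SilentlyContinue
if (-not $sync) {
    Write-Warning "ADSync service not found: this host is not an Azure AD Connect server."
} else {
    Write-Host "ADSync service status: $($sync.Status)"
    # Every local admin here can reach the Connect configuration and credentials,
    # so this list should be as short as a domain controller's.
    $admins = Get-LocalGroupMember -Group 'Administrators'
    Write-Host "Local Administrators ($($admins.Count)):"
    $admins | ForEach-Object {
        Write-Host "  $($_.Name) [$($_.ObjectClass)] via $($_.PrincipalSource)"
    }
    if ($admins | Where-Object ObjectClass -eq 'Group') {
        Write-Warning "Nested groups in Administrators hide the real member count; review them."
    }
}

# --- Part 2: Global Administrators synchronized from on-premises AD ---
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'
$gaRole = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
if (-not $gaRole) { throw "Global Administrator role is not activated in this tenant." }

$synced = @()
foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    # Only user objects can be AD-synchronized accounts; skip groups and service principals.
    if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $member.Id `
        -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesSamAccountName
    if ($u.OnPremisesSyncEnabled) {
        # A compromised on-prem AD controls this account's logins, and with them
        # its Global Administrator rights in Azure AD.
        $synced += $u
        Write-Warning ("Synced Global Admin: {0} (on-prem sAMAccountName: {1})" -f
            $u.UserPrincipalName, $u.OnPremisesSamAccountName)
    }
}
Write-Host "Global Administrators synchronized from on-premises AD: $($synced.Count) (target: 0; use cloud-only admin accounts)"
```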

Now that you have been provided with some teasers and may be eagerly anticipating a proof of concept of the compromises, as well as an exploration of the theoretical underpinnings of these setup possibilities, the detailed paper can be downloaded for free. The paper delves deeper into the password hash synchronization methods and pass-through authentication methods, as these approaches are commonly encountered in corporate environments. These are not only the most interesting setups but also the simpler ones for most businesses. Enjoy reading!

Download the paper

Potential Security Risks of a Hybrid Azure Active Directory Setup in the Event of an On-Premises Active Directory Compromise
