Azure AD / Entra ID

An on-premises AD can be integrated with Azure AD using Azure AD Connect with the following methods:

• Password Hash Sync (PHS)

• Pass-Through Authentication (PTA)

• Federation

AD FS

Azure AD Connect is installed on-premises and has a high privilege account both in on AD and Azure AD

PHS

What is password hash synchronization with Microsoft Entra ID? - Microsoft Entra IDMicrosoftLearn

Password Hash Sync (PHS) shares users and their password hashes from on-premises AD to Azure AD.

A new users MSOL_ is created which has Synchronization rights (DCSync) on the domain

MSOL (Microsoft Online Services) account

SeamlessPass

Obtain Microsoft 365 access tokens using on-premises Active Directory Kerberos tickets for organizations with Seamless SSO (Desktop SSO) enabled

GitHub - Malcrove/SeamlessPass: A tool leveraging Kerberos tickets to get Microsoft 365 access tokens using Seamless SSOGitHub

BAADTokenBroker

Leverage device-stored keys (Device key, Transport key etc..) to authenticate to Microsoft Entra ID.

GitHub - secureworks/BAADTokenBrokerGitHub

GraphRunner

GitHub - dafthack/GraphRunner: A Post-exploitation Toolset for Interacting with the Microsoft Graph APIGitHub

Resources

Weaponization of Token Theft – A Red Team PerspectiveTrustedSec

Microsoft Entra ID Role actions, permissions (Azure Active Directory Role actions, permissions)

Azure