SyncJacked - Hijacking Identities Through Entra Connect Synchronization

Tomer Nahum

fwd:cloudsec Europe 2025 · Day 1 · Main Room

Tomer Nahum, a security researcher at Semperis, presented two identity takeover vulnerabilities in **Microsoft Entra Connect** — the synchronization engine that bridges on-premises Active Directory with Entra ID (formerly Azure AD). The first vulnerability abuses the **soft matching** mechanism to hijack cloud-only accounts with eligible privileged roles. The second, dubbed **SyncJacked**, exploits the **hard matching** mechanism to take over already-synced accounts with active privileged roles. Both attacks allow an attacker with relatively modest on-premises AD permissions to escalate to Global Administrator in Entra ID by manipulating the identity synchronization process. The SyncJacked vulnerability was confirmed by MSRC as an important privilege escalation vulnerability in 2025, after being initially dismissed as "by design" in 2022.
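To make the two matching rules concrete, the following is an added example (not code from the talk or from Semperis) that models how Entra Connect joins an exported on-premises object to a cloud object. It encodes two documented facts: the default sourceAnchor is the base64 of the mS-DS-ConsistencyGuid (or objectGUID) in .NET `Guid.ToByteArray()` byte order, and hard matching on that anchor is tried before soft matching on UPN or primary SMTP address, with soft matching only applying to cloud objects whose ImmutableId is empty. On top of the matcher it runs a simple check a defender can adapt: which on-premises objects would join a cloud account that holds a privileged role. The user and tenant data are constructed for the example; case-insensitive comparison and the `PRIVILEGED_ROLES` set are assumptions, and the sample does not reproduce the talk's exploitation steps.

```python
from __future__ import annotations

import base64
import uuid
from dataclasses import dataclass, field

# Assumption: the roles a defender cares about for this check.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def source_anchor(guid: str) -> str:
    """Default Entra Connect sourceAnchor / cloud ImmutableId for a GUID:
    the 16 bytes in .NET Guid.ToByteArray() order (mixed-endian, which Python
    exposes as UUID.bytes_le), base64-encoded."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


@dataclass
class OnPremUser:
    sam: str
    object_guid: str
    upn: str
    mail: str | None = None
    consistency_guid: str | None = None  # mS-DS-ConsistencyGuid, if populated

    def anchor(self) -> str:
        # mS-DS-ConsistencyGuid wins when set; otherwise objectGUID is used.
        return source_anchor(self.consistency_guid or self.object_guid)


@dataclass
class CloudUser:
    upn: str
    immutable_id: str | None          # None for a cloud-only (never synced) object
    proxy_addresses: list[str] = field(default_factory=list)
    roles: set[str] = field(default_factory=set)

    def primary_smtp(self) -> str | None:
        for addr in self.proxy_addresses:
            if addr.startswith("SMTP:"):  # upper-case prefix marks the primary address
                return addr[5:].lower()
        return None


def match(onprem: OnPremUser, cloud_users: list[CloudUser]) -> tuple[str, CloudUser] | None:
    """Return (rule, cloud object) that an export of `onprem` would join to.
    Hard match (anchor == ImmutableId) is evaluated first; soft match only
    considers cloud objects with no ImmutableId."""
    anchor = onprem.anchor()
    for c in cloud_users:
        if c.immutable_id == anchor:
            return ("hard", c)
    for c in cloud_users:
        if c.immutable_id is not None:
            continue
        if c.upn.lower() == onprem.upn.lower():
            return ("soft-upn", c)
        if onprem.mail and c.primary_smtp() == onprem.mail.lower():
            return ("soft-smtp", c)
    return None


def privileged_targets(onprem_users: list[OnPremUser], cloud_users: list[CloudUser]) -> list[tuple[str, str, str]]:
    """Defender's check: on-prem objects whose next sync would join a cloud
    account holding a privileged role, as (sAMAccountName, rule, cloud UPN)."""
    hits = []
    for u in onprem_users:
        m = match(u, cloud_users)
        if m and (m[1].roles & PRIVILEGED_ROLES):
            hits.append((u.sam, m[0], m[1].upn))
    return hits


# Constructed sample tenant (not real data).
TARGET_GUID = "4f2c8b6e-1d3a-4e5f-9a7b-0c1d2e3f4a5b"   # the already-synced admin's GUID
JDOE_GUID = "11111111-2222-3333-4444-555555555555"

ONPREM = [
    OnPremUser("jdoe", JDOE_GUID, "jdoe@contoso.com", mail="jdoe@contoso.com"),
    # UPN renamed to collide with a cloud-only admin that has no ImmutableId.
    OnPremUser("svc-app1", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "ga.cloud@contoso.com"),
    # mS-DS-ConsistencyGuid set to the synced admin's GUID, so the anchors collide.
    OnPremUser("svc-app2", "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "svc-app2@contoso.com",
               consistency_guid=TARGET_GUID),
]

CLOUD = [
    CloudUser("ga.cloud@contoso.com", None, ["SMTP:ga.cloud@contoso.com"], {"Global Administrator"}),
    CloudUser("synced.admin@contoso.com", source_anchor(TARGET_GUID),
              ["SMTP:synced.admin@contoso.com"], {"Global Administrator"}),
    CloudUser("jdoe@contoso.com", source_anchor(JDOE_GUID), ["SMTP:jdoe@contoso.com"]),
]


def demo() -> list[tuple[str, str, str]]:
    return privileged_targets(ONPREM, CLOUD)


if __name__ == "__main__":
    for sam, rule, cloud_upn in demo():
        print(f"{sam} would join {cloud_upn} via {rule} match")
```

The practical takeaway from the check is the inverse of what the matcher does: any cloud account holding a privileged role and carrying a non-empty ImmutableId is reachable by whoever can write the corresponding mS-DS-ConsistencyGuid (or objectGUID) on-premises, and any privileged cloud-only account with an empty ImmutableId is reachable by whoever can set a matching UPN or primary SMTP address in AD while soft matching remains enabled.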

AI review

Nahum presents two real, confirmed privilege escalation vulnerabilities in Entra Connect's identity matching mechanisms that escalate from modest on-premises AD permissions to Entra ID Global Administrator. SyncJacked in particular is elegant — abusing a mechanism that cannot be disabled to take over already-synced privileged accounts with minimal forensic traces. The MSRC confirmation as an important-severity vulnerability validates the finding's significance.
