The sync account that bridges both worlds
Entra Connect synchronizes on-prem AD to the cloud using a highly privileged account on both sides. Compromise it and an attacker pivots between your directory and your tenant. Here is the risk, and the fix.
The server that quietly keeps two directories in step is also the single host that can betray both.
What it is
Entra Connect (formerly Azure AD Connect) synchronizes identities between on-prem Active Directory and Entra ID. It runs with an account of broad rights on each side: in the cloud, a directory-synchronization service account (named Sync_<server>_<id> by default) holding the Directory Synchronization Accounts role; on-prem, an AD DS connector account (MSOL_<id> when created with express settings) that, with password hash sync enabled, holds Replicating Directory Changes and Replicating Directory Changes All on the domain, the same rights DCSync abuses. Both credentials are stored on the Connect server itself, so an attacker who gains local administrator there can recover them and use each side's account from anywhere, reading or changing identities in either directory. In ATT&CK terms this is T1078 (Valid Accounts) combined with T1556.007 (Modify Authentication Process: Hybrid Identity).
Why it works
The sync accounts are necessarily powerful: password hash sync cannot work without replication rights on-prem, and keeping the tenant in step requires write access to cloud identities. That would be manageable if the Connect server were administered like a domain controller, but it is often built as an ordinary application server: joined to the standard management tier, patched and backed up by the same staff as the file servers, reachable over RDP from workstations, with helpdesk or application admins in its local Administrators group. Local admin on that box yields the stored credentials, so every one of those paths becomes a path into both directories at once, and the server ends up as a single high-value pivot between on-prem and cloud.
How to detect it
On-prem, alert on event 4662 whose access GUIDs are DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) or DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and whose subject is anything other than a domain controller account or the connector account. 4662 records no source address, so join it to the 4624 logon with the same logon ID and alert when the connector account replicates from any host but the Connect server. In Entra, alert on sign-ins of the Sync_ account from any address other than the Connect server's egress IP, on audit entries that change password hash sync, directory sync or federation settings, and on new holders of the Directory Synchronization Accounts role. On the server itself, log every interactive or remote logon, every change to the local Administrators group, and any change to the sync configuration. Watch the Connect server like a domain controller.
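The rules above written out as detection-as-code, run over constructed sample events. This is an added example, not code from the original page or from GraphLattice; the account names, addresses and logon IDs are assumed for the example, and the audit activity names beyond the first should be replaced with what your tenant actually logs.

```python
"""Detection rules for the Entra Connect pivot, run over constructed log events.

Rule 1 (on-prem): replication rights (event 4662 carrying the DS-Replication-Get-Changes
GUIDs) used by a principal that is neither a DC nor the connector account, or used by the
connector account from a host that is not the Connect server. 4662 has no source address,
so the rule joins it to the 4624 logon that shares its logon ID.
Rule 2 (cloud): the Sync_ service account signing in from an address other than the
Connect server's egress, and audit entries that change sync or federation settings.
"""
from dataclasses import dataclass

# Access GUIDs listed in the Properties field of a 4662 event when directory data is replicated.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Environment baseline. Every name and address below is assumed for this example.
DC_ACCOUNTS = {"DC01$", "DC02$"}
CONNECTOR_ACCOUNTS = {"MSOL_6b2f1c3d"}      # AD DS connector account used by Entra Connect
CONNECT_SERVER_IPS = {"10.20.0.15"}         # internal address of the Connect server
CONNECT_EGRESS_IPS = {"203.0.113.40"}       # its public address as seen by Entra sign-in logs
CLOUD_SYNC_PREFIX = "sync_"                 # Sync_<server>_<id>@tenant.onmicrosoft.com
# Audit activities that alter the authentication path. "Set federation settings on domain"
# is a real activity name; treat the set as a starting point to tune against your tenant's logs.
SENSITIVE_AUDIT_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication"}


@dataclass
class Alert:
    rule: str
    subject: str
    detail: str


def detect_replication_pivot(win_events):
    """Rule 1 over normalized Security-log events (Properties already split into a list)."""
    logon_source = {e["TargetLogonId"]: e.get("IpAddress", "-")
                    for e in win_events if e["EventID"] == 4624}
    alerts = []
    for e in win_events:
        if e["EventID"] != 4662 or not REPL_GUIDS & set(e.get("Properties", [])):
            continue
        who, src = e["SubjectUserName"], logon_source.get(e["SubjectLogonId"], "unknown")
        if who not in DC_ACCOUNTS | CONNECTOR_ACCOUNTS:
            alerts.append(Alert("repl-unexpected-principal", who, f"replication from {src}"))
        elif who in CONNECTOR_ACCOUNTS and src not in CONNECT_SERVER_IPS:
            alerts.append(Alert("repl-connector-off-host", who, f"connector account replicating from {src}"))
    return alerts


def detect_cloud_sync_anomalies(signins, audits):
    """Rule 2 over Entra sign-in and audit records (field names follow the Graph API)."""
    alerts = []
    for s in signins:
        if s["userPrincipalName"].lower().startswith(CLOUD_SYNC_PREFIX) and s["ipAddress"] not in CONNECT_EGRESS_IPS:
            alerts.append(Alert("sync-account-unexpected-ip", s["userPrincipalName"], f"sign-in from {s['ipAddress']}"))
    for a in audits:
        if a["activityDisplayName"] in SENSITIVE_AUDIT_ACTIVITIES:
            alerts.append(Alert("sync-config-change", a["initiatedBy"], a["activityDisplayName"]))
    return alerts


# Constructed sample events: one benign sync cycle, a DC replicating, then the stolen
# connector account replicating from a workstation, an ordinary user holding replication
# rights, and the cloud sync account used from an unexpected address to change federation.
SAMPLE_WIN_EVENTS = [
    {"EventID": 4624, "TargetUserName": "MSOL_6b2f1c3d", "TargetLogonId": "0x3e7a1", "IpAddress": "10.20.0.15"},
    {"EventID": 4662, "SubjectUserName": "MSOL_6b2f1c3d", "SubjectLogonId": "0x3e7a1",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4624, "TargetUserName": "MSOL_6b2f1c3d", "TargetLogonId": "0x5c220", "IpAddress": "10.20.9.77"},
    {"EventID": 4662, "SubjectUserName": "MSOL_6b2f1c3d", "SubjectLogonId": "0x5c220",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x8811",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x8811",
     "Properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]},  # unrelated access GUID, ignored
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "Sync_CONNECT01_9f3a2b1c@contoso.onmicrosoft.com", "ipAddress": "203.0.113.40"},
    {"userPrincipalName": "Sync_CONNECT01_9f3a2b1c@contoso.onmicrosoft.com", "ipAddress": "198.51.100.9"},
    {"userPrincipalName": "alice@contoso.com", "ipAddress": "198.51.100.9"},
]
SAMPLE_AUDITS = [
    {"activityDisplayName": "Update user", "initiatedBy": "Sync_CONNECT01_9f3a2b1c@contoso.onmicrosoft.com"},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "Sync_CONNECT01_9f3a2b1c@contoso.onmicrosoft.com"},
]


def run_sample():
    """Return the rule names fired by the constructed events, in log order."""
    found = detect_replication_pivot(SAMPLE_WIN_EVENTS) + detect_cloud_sync_anomalies(SAMPLE_SIGNINS, SAMPLE_AUDITS)
    return [a.rule for a in found]


if __name__ == "__main__":
    for alert in detect_replication_pivot(SAMPLE_WIN_EVENTS) + detect_cloud_sync_anomalies(SAMPLE_SIGNINS, SAMPLE_AUDITS):
        print(f"{alert.rule:28} {alert.subject:48} {alert.detail}")
```

The first benign cycle produces nothing because the connector account replicates from the Connect server's own address; the same account replicating from 10.20.9.77 is the signature of a stolen credential, and no amount of "it's the sync account, it always does this" tuning should suppress it. The 4624 join is the part most detections skip; without it a replication event from the connector account looks identical whether it came from the Connect server or from an attacker's workstation.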
The fix that holds
Treat the Entra Connect server and its two accounts as Tier 0: only Tier 0 admins in its local Administrators group, no RDP from ordinary workstations, no other roles on the host, managed from a privileged access workstation, patched and backed up under the same controls as a domain controller. Keep the accounts to least privilege: give the connector account only the permissions the enabled features need (the setup wizard grants them per feature; never make it a Domain Admin), and turn off password, group and device write-back unless you use them, since each adds write rights on-prem. Never use either sync account interactively, and treat any sign-in of the Sync_ account from outside the Connect server as a compromise until proven otherwise. Back the hardening with alerting on replication and sync-configuration anomalies, so a pivot across the bridge is seen before it is used.
Practice it
We built an Entra Connect compromise scenario in GraphLattice Range so teams learn to defend the hybrid bridge and detect a pivot across it.