Hybrid AD environments — on-prem AD synchronized with Entra ID via Entra Connect, possibly federated through ADFS — combine the attack surfaces of both. Attackers move between on-prem and cloud planes via the connection points: Entra Connect server, ADFS, seamless SSO computer object, password hash sync. This module covers the hybrid attack patterns and the controls that limit lateral pivot in 2026.

The hybrid identity architectures

Cloud-only — accounts native in Entra ID; no on-prem AD. Increasingly common for new orgs
Synchronized identity — Entra Connect syncs user objects + password hash to Entra ID. Single identity used both
Federated identity — sign-in delegated from Entra ID to on-prem ADFS; ADFS authenticates against AD
Pass-through authentication (PTA) — Entra ID forwards auth requests to lightweight agents on-prem that validate against AD

Each model has distinct compromise paths.

Entra Connect server — the crown jewel

The Entra Connect server has, by default:

DCSync rights on all domain controllers (to read password hashes)
Cloud admin equivalent in the synced tenant (via the configured Service Account for sync)
Privileged service account stored in registry (DPAPI-encrypted)

Compromise of Entra Connect ≈ compromise of both AD and Entra ID. Treat as a Tier 0 asset:

Dedicated Server OS, hardened
Same-tier admin accounts only (don’t admin from a workstation)
Application allowlisting
Endpoint detection
Audit logging
Limited physical / network access

ADFS — the federation pivot

If using ADFS, additional concerns:

Token-signing certificate — issued tokens prove authenticated identity to Entra ID. Steal it, you can forge tokens for any user (Golden SAML attack — used by SolarWinds attackers)
ADFS server compromise — same as token-signing-cert compromise plus more
DKM (Distributed Key Manager) key — encrypts the token-signing cert; stored in AD; admins can read

Defenses:

🔐 Advanced Module · Pro Tier

Continue reading with Pro tier (₹4,999/year)

You've read 25% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

6 more sections locked below

Module 7 · Hybrid AD & ADFS Attack Surface 🔒

The hybrid identity architectures

Entra Connect server — the crown jewel

ADFS — the federation pivot

Continue reading with Pro tier (₹4,999/year)

Other modules in this track

Module 2 · Kerberoasting in Practice <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 3 · BloodHound for Attack Paths <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 5 · Golden and Silver Tickets <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>