Most enterprise AD environments in 2026 are hybrid: on-premises AD synced with Microsoft Entra ID (formerly Azure AD) via Entra Connect. This gives users single-identity access to both M365 and on-prem resources. It also creates cross-cloud compromise paths that didn't exist in pure on-prem AD. This module covers why the hybrid AD attack surface is larger than the sum of its parts.
Why hybrid AD is risky
Two directory services, one identity. Entra Connect (formerly Azure AD Connect) synchronizes users, groups, passwords (hashed), and sometimes device objects. The sync creates trust relationships between on-prem and cloud that didn’t exist before.
Key paths:
- On-prem compromise -> Entra Connect server -> cloud identity compromise
- Cloud admin compromise -> Azure AD Sync Service -> on-prem AD write
- Password Hash Sync (PHS) puts on-prem NT hashes in the cloud
- Pass-Through Authentication (PTA) agents extend cloud auth to on-prem
- Seamless SSO depends on a fixed AD computer account, which is an attack vector in its own right
The Entra Connect server: crown jewel
The server running Entra Connect has, by default:
- Directory replication (DCSync) rights against every domain controller (it reads password hashes for sync)
- Cloud admin equivalent in the synced tenant (for sync operations)
- Privileged service account whose credentials are in a config file
- Azure AD tenant connection using application secrets
Compromise of Entra Connect = compromise of both environments. Treat it as Tier 0.
# Extract Entra Connect sync account credentials
# From Entra Connect server (admin access needed):
mimikatz # lsadump::dcsync /user:MSOL_
# MSOL_ account has sync service DCSync rights
# Or extract from config file
# C:\Program Files\Microsoft Azure AD Sync\Data\
# Contains encrypted sync credentials; decrypt with DPAPI
# AADInternals (PowerShell) toolkit for Entra attacks
Install-Module AADInternals
Get-AADIntSyncCredentials # From Entra Connect server
Set-AADIntUserPassword # Change any user's password in cloud
Get-AADIntADSyncEncryptionKeyInfo
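The defender's counterpart to the DCSync path above is to watch Security event 4662 for replication control rights. This added example (not code from the original module) flags every replication request that does not come from a domain controller, and flags the MSOL_ sync account whenever it replicates from anywhere other than the Entra Connect server. The event fields, host names and account names are constructed; "SourceHost" is assumed to have been joined from the matching 4624 logon upstream, since 4662 itself carries no source host.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not code from the original module. Sample events are
constructed; SourceHost is assumed to be joined from 4624 via SubjectLogonId.
"""
import re

# Control-access rights that grant directory replication. Any of these in
# the Properties field of a 4662 event means the caller asked for replication
# data: what the MSOL_ sync account needs, and what DCSync requests.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def is_replication_request(event):
    """True if a 4662 event carries at least one replication right GUID."""
    if event.get("EventID") != 4662:
        return False
    found = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return bool(found & REPLICATION_GUIDS)

def classify(event, dc_accounts, sync_prefix="MSOL_", sync_host="AADCONNECT01"):
    """Return 'expected', 'suspicious' or None (not a replication request).

    DC-to-DC replication is normal. The sync account is normal only from the
    Entra Connect server; from any other host it looks like a stolen MSOL_
    credential. Any other principal asking for replication is DCSync.
    """
    if not is_replication_request(event):
        return None
    who = event["SubjectUserName"].upper()
    if who in dc_accounts:
        return "expected"
    if who.startswith(sync_prefix.upper()):
        return "expected" if event.get("SourceHost", "").upper() == sync_host else "suspicious"
    return "suspicious"

def suspicious_subjects(events, dc_accounts):
    """Subject names of every suspicious replication request, in log order."""
    return [e["SubjectUserName"] for e in events if classify(e, dc_accounts) == "suspicious"]

# Constructed sample: DC replication, sync account from its own server, the same
# account replayed from a workstation, a plain user, and a non-replication 4662.
GET_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": GET_ALL, "SourceHost": "DC02"},
    {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4e5f6", "Properties": GET_ALL, "SourceHost": "AADCONNECT01"},
    {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4e5f6", "Properties": GET_ALL, "SourceHost": "WS-FINANCE-07"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": GET_ALL, "SourceHost": "WS-FINANCE-07"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}", "SourceHost": "WS-FINANCE-07"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}
```

Tuning `sync_host` to the real Entra Connect hostname and `dc_accounts` to the domain's DC machine accounts is all that is needed to run this over exported 4662 events.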
Password Hash Sync (PHS) attacks
PHS computes a hash-of-hash of the user’s NT hash and syncs it to Entra ID. Cloud authentication uses this material.
Attack vectors: