Almost every company now runs hybrid identity: the on-premises Active Directory forest is synchronized with Microsoft 365 and Azure through Microsoft Entra ID (formerly Azure AD). This bridge gives employees single-sign-on convenience, but for an attacker the same bridge is the shortest path from the internal network to a cloud empire. This article is the theory behind the DSET Red Team Lab Part III, Hybrid Cloud scenario: it walks step by step through how an attacker pivots from on-prem Domain Admin and takes over an entire Microsoft Entra ID tenant with Golden SAML. Every technique is mapped to MITRE ATT&CK, and every technique is paired with its defense.

Quick Answer

Hybrid cloud attacks target the trust bridge between on-premises Active Directory and Microsoft 365 and Azure. An attacker typically follows this chain: first they steal the synchronization credentials from the Azure AD Connect server, then they forge a Silver Ticket using the Seamless SSO account AZUREADSSOACC$, then they take over an over-privileged service principal or OAuth application to become Global Administrator, and finally they steal the token signing key and impersonate any user with Golden SAML. The result is persistent tenant control that bypasses multi-factor authentication (MFA) and survives password resets. Defense relies on privileged access workstations, Conditional Access policies, rotating the token signing certificate, and continuous monitoring of identity logs.

How hybrid identity works

The component that synchronizes Microsoft Entra ID with on-premises Active Directory is the Azure AD Connect server. It copies users and groups to the cloud and uses one of three authentication models:

  • Password Hash Sync (PHS): a hash of the password hash is synced to the cloud, where authentication happens.
  • Pass-through Authentication (PTA): password validation happens through an on-prem agent.
  • Federation (ADFS): authentication is delegated entirely to an on-prem ADFS server, and the cloud trusts the SAML tokens ADFS signs.

Alongside these, Seamless SSO lets users on domain-joined devices reach the cloud without typing a password. When Seamless SSO is enabled, a computer account named AZUREADSSOACC$ is created in Active Directory. The password hash of this account is the key to the entire hybrid SSO trust, and it is the target at the heart of the attack.

The essence of the attack surface is this: each component of this trust bridge (the Azure AD Connect sync account, AZUREADSSOACC$, the ADFS token signing certificate) is, once compromised, enough on its own to impersonate any identity in the cloud tenant.

The attack chain, step by step

The table below summarizes the full hybrid tenant takeover chain, the tools used, the MITRE ATT&CK techniques, and the defense for each step.

Stage | Technique | Typical Tool | MITRE ATT&CK | Defense
1. Recon | Hybrid surface mapping | AADInternals, ROADrecon, AzureHound | T1526 Cloud Service Discovery | Monitor identity logs, detect abnormal enumeration
2. Credential theft | Azure AD Connect sync password | AADInternals Get-AADIntSyncCredentials | T1552 Unsecured Credentials | Treat the AAD Connect server as a Tier 0 asset
3. SSO abuse | Seamless SSO Silver Ticket | AADInternals, Mimikatz | T1558.002 Silver Ticket | Rotate the AZUREADSSOACC$ password regularly
4. Privilege escalation | Service principal / OAuth abuse | Microsoft Graph, AzureHound | T1098 Account Manipulation | Audit application permissions and role assignments
5. Persistence | Golden SAML federation backdoor | AADInternals ConvertTo-AADIntBackdoor | T1606.002 Golden SAML | Rotate the token signing certificate, monitor ACS endpoints

1. Hybrid recon

While the attacker holds Domain Admin, they first map the bridge between cloud and on-prem. The goal is to find the Azure AD Connect server, learn the federation model, and see which accounts are over-privileged. With AADInternals, the Get-AADIntLoginInformation command reveals, from outside the tenant and without authentication, whether a domain is federated or managed. AzureHound and ROADrecon bring BloodHound logic to the cloud and graphically answer the question of the shortest path from a low-privileged account to Global Admin. This stage is the cloud counterpart of on-prem Active Directory recon with BloodHound.

2. Azure AD Connect credential theft

The Azure AD Connect server locally stores two high-value accounts for synchronization: an on-prem sync account (usually with the MSOL_ prefix) and the cloud-side Directory Synchronization Account. These credentials are kept encrypted in the server configuration database, but the encryption key is on the same server. Once the attacker is a local administrator on the server, AADInternals Get-AADIntSyncCredentials extracts both passwords in clear text. The on-prem sync account has DCSync rights by default, meaning it can pull every domain password hash. The cloud sync account has broad write rights in the directory. This is why the Azure AD Connect server is a Tier 0 asset as critical as a Domain Controller, and it must be protected accordingly.

3. Seamless SSO Silver Ticket

If Seamless SSO is in use, the attacker pulls the NT password hash of the AZUREADSSOACC$ account with DCSync. With that hash, forging a Kerberos Silver Ticket becomes possible: AADInternals New-AADIntKerberosTicket prepares a valid cloud sign-on ticket for any user, without ever knowing that user's password. The dangerous part of the Silver Ticket approach is that it can be produced entirely on-prem, without ever touching a Domain Controller, and it looks like a normal SSO login on the cloud side. Because the AZUREADSSOACC$ password does not rotate automatically, this account's hash can stay valid for years, making it a long-lived and silent persistence tool.
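The defensive check that follows from this paragraph is a hygiene test: how old is the AZUREADSSOACC$ password? The block below is an added example written for this article, not AADInternals code or Microsoft's. It converts the account's pwdLastSet attribute (a Windows FILETIME, which is what Active Directory stores and what Get-ADComputer returns) into an age in days and flags it against a threshold. The 30-day threshold follows Microsoft's guidance to roll the Seamless SSO key at least every 30 days; the sample pwdLastSet values and the fixed "now" are constructed so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC;
# Active Directory stores pwdLastSet in this format.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000

# Alert boundary for the AZUREADSSOACC$ key age (Microsoft's guidance: roll it
# at least every 30 days). Adjust to your own policy.
MAX_KEY_AGE_DAYS = 30


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a pwdLastSet value (FILETIME ticks) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample data.
    Integer arithmetic avoids the float rounding that total_seconds() would add."""
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * _TICKS_PER_SECOND + delta.microseconds * 10


def password_age_days(pwd_last_set: int, now: datetime) -> int:
    """Whole days since the password was last set."""
    return (now.astimezone(timezone.utc) - filetime_to_datetime(pwd_last_set)).days


def check_sso_account(pwd_last_set: int, now: datetime,
                      max_age_days: int = MAX_KEY_AGE_DAYS) -> dict:
    """Return a finding for the AZUREADSSOACC$ account.

    pwdLastSet == 0 means the password was never set (or was reset and not
    changed since), which is treated as a failure rather than as age zero.
    """
    if pwd_last_set == 0:
        return {"status": "FAIL", "age_days": None, "reason": "pwdLastSet is 0 (never set)"}
    age = password_age_days(pwd_last_set, now)
    if age > max_age_days:
        return {"status": "FAIL", "age_days": age, "reason": f"key older than {max_age_days} days"}
    return {"status": "OK", "age_days": age, "reason": "within rotation window"}


# --- constructed sample data (not read from a real directory) ---------------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_PWD_LAST_SET = datetime_to_filetime(datetime(2021, 1, 15, tzinfo=timezone.utc))
FRESH_PWD_LAST_SET = datetime_to_filetime(datetime(2024, 5, 22, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, value in (("stale", STALE_PWD_LAST_SET), ("fresh", FRESH_PWD_LAST_SET)):
        print(label, check_sso_account(value, NOW))
```

In a live forest the input would come from `Get-ADComputer AZUREADSSOACC -Properties pwdLastSet` (or an LDAP read of the same attribute) and `now` from the clock; the stale sample reports a key 1233 days old, which is the "valid for years" condition the paragraph describes.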

4. Service principal and OAuth abuse, escalation to Global Admin

The most modern path to privilege escalation in the cloud is not user accounts but service principals and OAuth applications. In many tenants, due to legacy integrations, an application has been granted dangerous Microsoft Graph permissions like RoleManagement.ReadWrite.Directory or AppRoleAssignment.ReadWrite.All. An attacker who takes over a service principal with these permissions can assign the Global Administrator role to themselves or a controlled account, or add a new client secret to the application for persistent access. This technique completely bypasses human users' MFA, because service principals are usually not subject to MFA. That is why regular auditing of application permissions and role assignments is one of the most critical parts of modern cloud defense.
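The audit this paragraph calls for can be scripted. The block below is an added example for this article, not code from DSET, AzureHound or Microsoft. It takes two inputs shaped like Microsoft Graph responses: the appRoles published by the Microsoft Graph service principal (which map appRole GUIDs to permission names such as RoleManagement.ReadWrite.Directory) and the app role assignments made to that resource. It resolves each assignment to a permission name and reports every service principal holding a high-risk one. The GUIDs, principal names and the two extra permissions beyond the pair named in the text are constructed assumptions of this example.

```python
import json

# Application permissions on Microsoft Graph that enable tenant takeover.
# The first two are the ones named in the text; the last two are added in this
# example as commonly flagged companions (an assumption, not the article's list).
HIGH_RISK_GRAPH_PERMISSIONS = {
    "RoleManagement.ReadWrite.Directory": "can assign Global Administrator to any principal",
    "AppRoleAssignment.ReadWrite.All": "can grant itself any other application permission",
    "Application.ReadWrite.All": "can add secrets or certificates to any application",
    "Directory.ReadWrite.All": "broad write access to directory objects",
}

# Constructed sample shaped like the Graph service principal's appRoles list.
# The ids are placeholders, not the real appRole GUIDs; in a tenant they come
# from the resource service principal itself, which is why the code resolves them.
GRAPH_SP_APP_ROLES_JSON = """
[
  {"id": "11111111-0000-0000-0000-000000000001", "value": "RoleManagement.ReadWrite.Directory"},
  {"id": "11111111-0000-0000-0000-000000000002", "value": "AppRoleAssignment.ReadWrite.All"},
  {"id": "11111111-0000-0000-0000-000000000003", "value": "Application.ReadWrite.All"},
  {"id": "11111111-0000-0000-0000-000000000004", "value": "Mail.Read"}
]
"""

# Constructed sample shaped like appRoleAssignedTo entries on that resource.
APP_ROLE_ASSIGNMENTS_JSON = """
[
  {"principalDisplayName": "legacy-hr-sync", "principalId": "sp-001",
   "appRoleId": "11111111-0000-0000-0000-000000000001"},
  {"principalDisplayName": "mail-archiver", "principalId": "sp-002",
   "appRoleId": "11111111-0000-0000-0000-000000000004"},
  {"principalDisplayName": "ticket-bot", "principalId": "sp-003",
   "appRoleId": "11111111-0000-0000-0000-000000000002"},
  {"principalDisplayName": "ticket-bot", "principalId": "sp-003",
   "appRoleId": "11111111-0000-0000-0000-000000000003"},
  {"principalDisplayName": "orphaned-app", "principalId": "sp-004",
   "appRoleId": "11111111-0000-0000-0000-0000000000ff"}
]
"""


def build_role_lookup(app_roles):
    """Map appRole id -> permission value (e.g. 'Mail.Read')."""
    return {role["id"]: role["value"] for role in app_roles}


def audit_assignments(assignments, role_lookup, high_risk=HIGH_RISK_GRAPH_PERMISSIONS):
    """Return one finding per (service principal, high-risk permission) pair.

    An appRoleId that no longer maps to a published role is reported as
    'unknown': it is a hygiene issue that deserves a human look rather than
    something to silently skip.
    """
    findings = []
    for a in assignments:
        permission = role_lookup.get(a["appRoleId"], "unknown")
        if permission in high_risk or permission == "unknown":
            findings.append({
                "principal": a["principalDisplayName"],
                "principalId": a["principalId"],
                "permission": permission,
                "impact": high_risk.get(permission, "appRoleId not found in resource appRoles"),
            })
    return findings


def principals_to_review(findings):
    """Distinct service principals holding a resolved high-risk permission, sorted."""
    return sorted({f["principal"] for f in findings if f["permission"] != "unknown"})


def run_audit():
    """Run the audit over the constructed sample and return the findings."""
    lookup = build_role_lookup(json.loads(GRAPH_SP_APP_ROLES_JSON))
    return audit_assignments(json.loads(APP_ROLE_ASSIGNMENTS_JSON), lookup)


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"{f['principal']:16} {f['permission']:36} {f['impact']}")
    print("review:", principals_to_review(results))
```

Against a real tenant the two inputs are the Microsoft Graph service principal (appId 00000003-0000-0000-c000-000000000000) read for its appRoles, and that principal's appRoleAssignedTo collection; the same logic extends to delegated permissions if you also pull oauth2PermissionGrants, which this example does not.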

5. Golden SAML, the ultimate persistence

Once the attacker is Global Admin or has obtained the private key of the ADFS token signing certificate, the rules of the game change. In the Golden SAML technique, the attacker steals the federation token signing key and uses it to produce valid signed SAML tokens for any user with any privileges. AADInternals ConvertTo-AADIntBackdoor and New-AADIntSAMLToken automate this. What makes Golden SAML so destructive is that the cloud accepts the token as validly signed: MFA is not requested, password changes have no effect, and even if the account is disabled the attacker can keep logging in. Persistence is broken only when the token signing certificate is rotated. This technique was used in the real world during the 2020 SolarWinds (UNC2452) incident, which put Golden SAML on the agenda of the entire security world.

Blue team: how to defend

Hybrid identity attacks look frightening, but the defense is clear and largely about configuration discipline:

  • Extend the Tier 0 boundary to the cloud. Protect the Azure AD Connect server, ADFS servers, and sync accounts with the same criticality as a Domain Controller, and connect to them only from privileged access workstations (PAW).
  • Rotate the AZUREADSSOACC$ password. Microsoft recommends rotating this account's password regularly; by default it does not change.
  • Enforce Conditional Access. Require device compliance and strong MFA for admin roles, and disable legacy authentication protocols.
  • Audit application permissions. Periodically scan for service principals with high-risk Graph permissions like RoleManagement.ReadWrite.Directory and remove unnecessary ones.
  • Rotate and monitor the token signing certificate. Regularly renew the ADFS token signing certificate, and watch Microsoft Entra sign-in logs for unusual SAML token usage and new federation trusts.
  • Stream identity logs to a SIEM. Connect Microsoft Entra ID sign-in and audit logs to central monitoring, and alert on abnormal service principal activity and risky sign-ins.

These controls also form the foundation of DSET's enterprise cybersecurity services: model the attack by thinking like an attacker, and build the defense accordingly.

For those who want hands-on practice

If you want to try these techniques with your own hands in a safe, fully simulated environment, the DSET Red Team Lab Part III, Hybrid Cloud, Azure / Entra ID scenario teaches exactly this chain. You type real tool commands into a terminal in your browser, get realistic output, improve your method with graduated hints, and earn a verifiable certificate at the end. Everything is against a fictional target; no real systems are touched. These skills must only be used on systems you are explicitly authorized to test; unauthorized access is a crime.

Frequently Asked Questions

Is Golden SAML the same as Golden Ticket? No. A Golden Ticket forges fake Kerberos tickets with the hash of the krbtgt account in on-prem Active Directory. Golden SAML forges fake SAML tokens with the token signing key of cloud federation. Both share the "steal the key, impersonate any identity" logic, but they work on different protocols and at different layers.

Does MFA stop these attacks? Not on its own. Golden SAML and service principal abuse bypass MFA entirely, because the token is already validly signed or service principals are not subject to MFA. MFA is necessary, but full protection comes only together with Conditional Access, privileged access workstations, and key rotation.

Why is the Azure AD Connect server so critical? Because it keeps the sync accounts and encryption keys between on-prem and the cloud in one place. The on-prem sync account can do DCSync by default, and the cloud account has broad directory rights. An attacker who takes over this server threatens both on-prem and cloud identity, which is why it must be protected like a Domain Controller.

Do these techniques apply to our company too? If you use Microsoft 365 or Azure and synchronize with on-prem Active Directory, most likely yes. Seamless SSO, Azure AD Connect, and federation are very common. What matters is that these components are correctly configured, monitored, and regularly audited.

What is the best way to detect the attack? Streaming Microsoft Entra ID sign-in and audit logs to a central SIEM and setting alerts for unusual SAML token usage, new federation trusts, new credentials added to a service principal, and risky sign-ins is the most effective approach. Golden SAML is usually spotted after the fact, from abnormal token lifetimes and signing sources.
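The detection logic described in the "Stream identity logs to a SIEM" control above and in this answer can be shown concretely. The block below is an added example for this article, not DSET's or any vendor's detection content. It parses constructed Microsoft Entra ID audit-log entries (JSON Lines, in a simplified shape of the real records) and raises an alert for a federation settings change, a new credential on a service principal, and a privileged role assignment, marking those performed by a service principal rather than a human admin. The activity names are assumed to match the audit log's activityDisplayName values and should be checked against the events your own tenant emits; the domain corp.example and all principal names are constructed.

```python
import json

# Entra ID audit-log activities that matter for the hybrid chain, with a base
# severity and a reason. Activity names as this example assumes them; verify
# against your tenant's activityDisplayName values.
DETECTION_RULES = {
    "Set federation settings on domain": ("critical", "federation trust changed; this is what setting up a Golden SAML backdoor looks like"),
    "Set domain authentication": ("critical", "domain switched between managed and federated"),
    "Add service principal credentials": ("high", "new secret or certificate added to a service principal"),
    "Add member to role": ("medium", "role assignment"),
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample log, one simplified audit entry per line (JSON Lines).
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2024-06-01T08:02:11Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}}, "targetResources": [{"type": "User", "displayName": "j.doe"}]}
{"activityDateTime": "2024-06-01T08:14:37Z", "activityDisplayName": "Set federation settings on domain", "initiatedBy": {"user": {"userPrincipalName": "svc-admin@corp.example"}}, "targetResources": [{"type": "Domain", "displayName": "corp.example"}]}
{"activityDateTime": "2024-06-01T08:15:02Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"app": {"displayName": "legacy-hr-sync"}}, "targetResources": [{"type": "ServicePrincipal", "displayName": "legacy-hr-sync"}]}
{"activityDateTime": "2024-06-01T08:15:40Z", "activityDisplayName": "Add member to role", "initiatedBy": {"app": {"displayName": "legacy-hr-sync"}}, "targetResources": [{"type": "Role", "displayName": "Global Administrator"}, {"type": "User", "displayName": "svc-admin@corp.example"}]}
{"activityDateTime": "2024-06-01T09:00:00Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "it-lead@corp.example"}}, "targetResources": [{"type": "Role", "displayName": "Helpdesk Administrator"}, {"type": "User", "displayName": "j.doe"}]}
"""


def parse_audit_log(text):
    """Parse JSON Lines into a list of entry dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor(entry):
    """Return (name, kind); kind is 'app' when a service principal acted."""
    initiated_by = entry.get("initiatedBy", {})
    if initiated_by.get("app"):
        return initiated_by["app"].get("displayName", "unknown-app"), "app"
    return initiated_by.get("user", {}).get("userPrincipalName", "unknown-user"), "user"


def evaluate(entry):
    """Return an alert dict for a suspicious entry, or None for benign ones."""
    activity = entry.get("activityDisplayName", "")
    rule = DETECTION_RULES.get(activity)
    if rule is None:
        return None
    severity, reason = rule
    who, kind = actor(entry)
    targets = entry.get("targetResources", [])
    if activity == "Add member to role":
        roles = {t.get("displayName") for t in targets if t.get("type") == "Role"}
        hit = roles & PRIVILEGED_ROLES
        if not hit:
            return None  # ordinary role change: keep it in the audit trail, do not page
        severity = "high"
        reason = "privileged role assigned: " + ", ".join(sorted(hit))
    if kind == "app":
        # A service principal changing trust or roles bypasses every human MFA prompt.
        severity = "critical"
        reason += " (performed by a service principal, not a human admin)"
    return {
        "time": entry.get("activityDateTime"),
        "severity": severity,
        "activity": activity,
        "actor": who,
        "actor_kind": kind,
        "reason": reason,
        "targets": [t.get("displayName") for t in targets],
    }


def run_detection(text=SAMPLE_AUDIT_LOG):
    """Evaluate every entry and return the alerts in log order."""
    return [alert for alert in (evaluate(e) for e in parse_audit_log(text)) if alert]


if __name__ == "__main__":
    for alert in run_detection():
        print(f"[{alert['severity']}] {alert['time']} {alert['activity']} by {alert['actor']}: {alert['reason']}")
```

The three alerts this produces on the sample are the cloud-side footprints of stages 4 and 5 of the chain; run over a real export (for instance the directoryAudits stream delivered to your SIEM), the same rules give the "new federation trusts" and "new credentials added to a service principal" signals the answer above names.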

DSET Information and Cyber Security (founded 2003). For enterprise penetration testing, hybrid cloud security, and Microsoft 365 hardening consulting, reach us at +90 536 662 38 09.