TL;DR: SyncJacking abuses Entra Connect hard matching to remap synchronized accounts and can lead to Entra ID takeover, including privileged accounts, according to Semperis research and Microsoft Security Response Center updates. The lesson is broader than one technique: hybrid identity trust boundaries need explicit governance, not assumptions.
At a glance
What this is: This research explains how SyncJacking abuses Entra Connect hard matching to remap synchronized accounts and take over Entra ID identities.
Why it matters: It matters because hybrid identity links Active Directory and Entra ID, so a flaw in matching logic can become a privileged NHI governance failure.
👉 Read Semperis' analysis of SyncJacking and Entra ID account takeover
Context
SyncJacking is a hybrid identity takeover technique that abuses account matching between on-premises Active Directory and Entra ID. For IAM teams, the issue is not just synchronization itself, but the trust granted to object matching, source-anchor updates, and password synchronization in environments that now govern both human and non-human identities.
The article is framed by Microsoft Security Response Center confirmation of the underlying vulnerability and by Microsoft’s planned enforcement changes in March 2026. That timing matters for practitioners because it turns a research finding into a governance deadline, and the starting position described here is typical of hybrid environments that treat identity synchronization as plumbing rather than a control surface.
Key questions
Q: How should security teams govern synchronized Entra ID accounts?
A: Security teams should treat synchronized Entra ID accounts as high-risk identities with separate ownership, tight delegation, and continuous review. The key control is not just authentication, but limiting who can alter matching attributes, who can delete synchronized objects, and who can approve sync-related changes. If those controls are weak, a directory integration problem becomes a cloud takeover path.
Q: Why does hybrid identity create extra NHI governance risk?
A: Hybrid identity creates extra NHI governance risk because it joins two trust domains that often have different logging, privilege models, and change controls. When synchronization can move authority from one side to the other, an attacker may use a lower-visibility path to control a higher-value identity. That is why sync infrastructure must be governed as a critical control surface.
Q: What is the difference between hard matching and soft matching in identity sync?
A: Hard matching relies on stable source-anchor attributes to link identities across directories, while soft matching uses more flexible attributes such as the UPN or mail-related fields. Hard matching is more deterministic, but if attackers can alter the matching attributes, it can also become a takeover mechanism. Teams should govern both as security-sensitive identity logic, not just directory plumbing.
Q: When should organisations apply extra controls to Entra Connect?
A: Organisations should apply extra controls whenever Entra Connect is used to synchronize privileged users, shared admin accounts, or any identity that can affect cloud access at scale. Extra controls are also warranted when on-premises delegation is broad or logging is incomplete. In those conditions, MFA, remap monitoring, and least-privilege administration are baseline requirements.
Technical breakdown
How hard matching in Entra Connect becomes an account takeover path
Hard matching links an on-premises Active Directory object to an Entra ID object using a source anchor such as objectGUID or mS-DS-ConsistencyGuid. In a normal sync flow, that mapping preserves object continuity across directories. The attack works when a user who can modify an unsynchronized on-prem object changes attributes so the object is matched to a privileged synchronized cloud identity, then removes the original object and waits for sync. Because Entra Connect treats the mapping as authoritative, the cloud account inherits the attacker-controlled object state.
Practical implication: Treat source-anchor integrity as a privileged control, not a directory convenience.
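To make the matching step concrete, here is an added reconciliation check (not code from Semperis, Microsoft or the NHIMG article) that recomputes the sourceAnchor Entra Connect derives from a GUID-based anchor (base64 of the 16 GUID bytes in .NET byte order) and flags a cloud account whose onPremisesImmutableId now resolves to a different on-prem objectGUID than it did at baseline. The GUIDs and directory records are constructed, and the record layout is this example's own assumption.

```python
import base64
import uuid

# Constructed GUIDs and directory records for the example; not real tenant data.
ADMIN_GUID = "6f1a9d4e-2c3b-4a5d-8e7f-0123456789ab"     # original synced GA object (now deleted)
ATTACKER_GUID = "0b2c3d4e-5f60-4718-9a2b-3c4d5e6f7081"  # previously unsynchronized on-prem object
USER_GUID = "11111111-2222-4333-8444-555555555555"      # unrelated synced user, unchanged

def source_anchor(guid: str) -> str:
    """sourceAnchor as Entra Connect derives it from a GUID-based anchor:
    base64 of the 16 GUID bytes in .NET Guid.ToByteArray() order (UUID.bytes_le)."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")

def anchor_of(obj: dict) -> str:
    """mS-DS-ConsistencyGuid takes precedence when populated; otherwise objectGUID."""
    return source_anchor(obj.get("consistencyGuid") or obj["objectGUID"])

def reconcile(baseline: dict, ad_objects: list, cloud_users: list) -> list:
    """Map each synced cloud account's onPremisesImmutableId back to the on-prem
    object(s) carrying that anchor now. An anchor that resolves to a different
    objectGUID than at baseline means the cloud identity follows a new object."""
    by_anchor: dict = {}
    for obj in ad_objects:
        by_anchor.setdefault(anchor_of(obj), []).append(obj)
    findings = []
    for user in cloud_users:
        anchor = user["onPremisesImmutableId"]
        owners = by_anchor.get(anchor, [])
        if len(owners) > 1:
            findings.append(("COLLISION", user["upn"], [o["dn"] for o in owners]))
        elif not owners:
            findings.append(("ORPHANED", user["upn"], None))
        elif owners[0]["objectGUID"] != baseline.get(anchor):
            findings.append(("REMAPPED", user["upn"], owners[0]["dn"]))
    return findings

# Baseline recorded earlier: anchor -> objectGUID of the object that legitimately carried it.
BASELINE = {source_anchor(g): g for g in (ADMIN_GUID, USER_GUID)}
# Current AD state: the GA object is gone and its GUID now sits in another object's
# mS-DS-ConsistencyGuid, so the same anchor resolves to a different objectGUID.
AD_NOW = [
    {"dn": "CN=jdoe,OU=Staff,DC=corp,DC=example", "objectGUID": USER_GUID, "consistencyGuid": None},
    {"dn": "CN=svc-lab,OU=Lab,DC=corp,DC=example", "objectGUID": ATTACKER_GUID, "consistencyGuid": ADMIN_GUID},
]
CLOUD_NOW = [
    {"upn": "ga-admin@corp.example", "onPremisesImmutableId": source_anchor(ADMIN_GUID)},
    {"upn": "jdoe@corp.example", "onPremisesImmutableId": source_anchor(USER_GUID)},
]

def sample_findings() -> list:
    return reconcile(BASELINE, AD_NOW, CLOUD_NOW)
```

Run the check against a baseline captured before any incident; a REMAPPED finding on a privileged UPN is the sequence L20 describes, visible from directory state alone even when on-prem audit logs are thin.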
Why password hash synchronization expands the blast radius
Password hash synchronization copies the on-premises password hash into Entra ID on a short interval, which means the cloud identity can authenticate with the compromised on-prem credential set. Once an attacker remaps a synchronized account, the password and selected attributes can follow that remap during the next sync cycle. That makes identity takeover durable, not merely symbolic, because the attacker does not need to maintain a separate cloud foothold. The failure is architectural: the trust bridge between directories is also a privilege bridge.
Practical implication: Segment synchronization rights from administrative rights wherever hybrid identity is in use.
Why hardening guidance alone does not close every remapping risk
Microsoft’s updated guidance addresses unauthorized account remapping, but the research shows that mitigation is not just a toggle. If a control depends on the same synchronization workflow that is being abused, it may reduce exposure without eliminating the underlying trust problem. Hybrid identity therefore needs layered controls: MFA, tight delegation, sync-scoped administrative boundaries, and logging that can detect changes to matching attributes even when native logs are sparse.
Practical implication: Design for detection and containment, not only for preventative configuration changes.
Threat narrative
Attacker objective: The attacker’s objective is to seize a synchronized Entra ID account, including privileged roles such as Active Global Administrator.
- Entry via Write-all-Properties or GenericWrite on an unsynchronized on-premises account, paired with Delete permission on a synchronized account.
- Escalation by copying the privileged account’s matching attributes onto an attacker-controlled object so Entra Connect remaps the identity.
- Impact when synchronization overwrites the cloud identity and the attacker inherits the synchronized account’s role and access.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Hybrid identity synchronization is now an identity attack surface, not a background integration detail. Once a trust bridge can remap authority between directories, the bridge itself becomes a privilege boundary that must be governed like PAM or federation. That means source-anchor handling, sync delegation, and remediation windows belong in security design reviews, not only in directory operations. Practitioners should classify sync infrastructure as a security-critical control plane.
Source-anchor manipulation creates an identity blast radius that conventional logging underestimates. The article’s key operational point is that on-prem traces can be absent while cloud traces remain minimal, which makes post-event reconstruction weak. In NHI governance terms, that is a visibility failure, because an identity can change ownership without producing the audit depth teams expect. Practitioners should assume that low-log remapping paths deserve compensating controls and independent monitoring.
Privileged hybrid accounts must be treated as high-value NHI assets. A synchronized Global Administrator is not just a user account; it is an identity with both directory lineage and cloud authority. If lifecycle, sync, and privilege assignment are managed separately, the organisation creates an exploit path where one change in the source directory cascades into cloud control. Practitioners should review every synchronized privileged account as part of NHI and PAM governance.
Hardening is necessary, but governance must outlast the fix. Microsoft’s platform hardening changes the attack surface, yet the underlying lesson remains: synchronization should never be assumed safe simply because it is default or vendor-managed. Control owners need a continuous review model for matching rules, delegated rights, and MFA coverage across synced populations. Practitioners should plan for ongoing assurance, not one-time remediation.
Identity remapping belongs in the same risk category as secret compromise when it enables persistence. The practical effect is similar to credential theft: an attacker acquires durable access through a control plane that was meant to improve consistency. That makes this a governance problem for IAM, NHI, and incident response teams alike. Practitioners should map sync abuse into their privileged access and detection programmes.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- For teams dealing with remapping risk, the next step is lifecycle control. The NHI Lifecycle Management Guide explains how provisioning, rotation, and offboarding reduce identity exposure.
What this signals
Identity remapping is becoming a governance test for hybrid enterprises. The issue is not whether synchronization can be made to work, but whether the organisation can prove who can change authority, who can delete a synchronized object, and how quickly those changes are detected. That is why sync-based takeover paths belong in the same programme discussion as PAM and federation assurance. Teams should expect auditors to ask for evidence of control ownership, not just configuration screenshots.
The confidence gap around NHI security suggests this kind of attack will continue to outpace manual review. Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security, and hybrid identity compounds that problem by hiding risk inside trusted automation. For practitioners, the signal is clear: build identity remap detection into continuous control monitoring before the next platform change lands.
Source-anchor governance should be part of your lifecycle programme. If an attacker can alter the attributes that bind an on-prem object to a cloud identity, then provisioning and offboarding are not enough. Teams should map those bindings into the NHI Lifecycle Management Guide approach and use that lifecycle view to harden sync administration, remediation, and access review.
For practitioners
- Review synchronized privileged accounts first: Inventory every Entra ID account whose authority depends on Active Directory synchronization, then separate those identities from routine administration paths. Pay special attention to accounts with role assignments, delegated OU management, or eligibility for elevated access.
- Restrict attributes that drive object matching: Limit who can change source-anchor related properties such as mS-DS-ConsistencyGuid and userPrincipalName on accounts that can be synchronized. Make those changes visible in change review and pair them with alerting on remap patterns.
- Enforce MFA across synced populations: Apply MFA to all synced users, not only administrators, because the attack path can inherit identity state from a lower-privilege on-premises object. Use this as a compensating control while you harden sync governance and logging.
- Validate Entra Connect version and hardening status: Confirm that all tenants run supported Entra Connect versions and that Microsoft’s account-remapping protections are actually enforced in each environment. Do not assume a vendor advisory has been operationalized until you verify tenant configuration and sync behavior.
- Add detection for remap-style log sequences: Correlate password changes, user updates, and display name changes around synchronized identities, especially when the target UPN remains constant. That pattern can reveal an attempted takeover even when on-premises logs are thin.
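The log correlation described in the last item, as an added detection sketch (not code from Semperis or the NHIMG article): it groups audit records by target UPN and alerts when an identity-attribute update is followed within a short window by a password change on the same, unchanged UPN. The audit records are constructed, and the field names and activity strings are this example's own simplification rather than the Entra audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records; field names and activity strings are this example's
# own simplification, not the Entra audit log schema.
SAMPLE_LOG = [
    {"time": "2026-01-10T08:00:05Z", "activity": "Update user", "target": "ga-admin@corp.example", "modified": ["DisplayName"]},
    {"time": "2026-01-10T08:00:06Z", "activity": "Update user", "target": "ga-admin@corp.example", "modified": ["GivenName", "Surname"]},
    {"time": "2026-01-10T08:02:11Z", "activity": "Change user password", "target": "ga-admin@corp.example", "modified": []},
    {"time": "2026-01-10T08:03:00Z", "activity": "Update user", "target": "jdoe@corp.example", "modified": ["Department"]},
    {"time": "2026-01-10T12:30:00Z", "activity": "Change user password", "target": "jdoe@corp.example", "modified": []},
    {"time": "2026-01-10T09:15:00Z", "activity": "Update user", "target": "asmith@corp.example", "modified": ["DisplayName"]},
    {"time": "2026-01-11T09:15:00Z", "activity": "Change user password", "target": "asmith@corp.example", "modified": []},
]
SYNCED_PRIVILEGED = {"ga-admin@corp.example"}  # constructed output of the inventory step above
# Attributes whose change, right before a password change, suggests the object behind the UPN was swapped.
IDENTITY_ATTRS = {"DisplayName", "GivenName", "Surname", "OnPremisesImmutableId"}

def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def detect_remap_sequences(records, watchlist, window=timedelta(minutes=30)) -> list:
    """Alert when the same target UPN sees an identity-attribute update followed,
    within `window`, by a password change. The constant UPN is the tell: the cloud
    object is unchanged while the directory state behind it has been replaced."""
    by_target = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):  # ISO-8601 strings sort chronologically
        by_target[rec["target"]].append(rec)
    alerts = []
    for upn, recs in by_target.items():
        attr_changes = [r for r in recs if r["activity"] == "Update user" and IDENTITY_ATTRS & set(r["modified"])]
        pw_changes = [r for r in recs if r["activity"] == "Change user password"]
        for first in attr_changes:
            t0 = parse_time(first["time"])
            hits = [p for p in pw_changes if timedelta(0) <= parse_time(p["time"]) - t0 <= window]
            if hits:
                t1 = parse_time(hits[0]["time"])
                changed = sorted({a for r in recs if t0 <= parse_time(r["time"]) <= t1 for a in r["modified"]})
                alerts.append({"upn": upn, "privileged": upn in watchlist, "window_start": first["time"],
                               "password_change": hits[0]["time"], "attributes": changed})
                break  # one alert per target; the analyst sees the whole sequence anyway
    # Synced privileged identities surface first, then by time.
    return sorted(alerts, key=lambda a: (not a["privileged"], a["window_start"]))

def sample_alerts() -> list:
    return detect_remap_sequences(SAMPLE_LOG, SYNCED_PRIVILEGED)
```

On the sample data only the GA account alerts: jdoe's update touched no identity attribute, and asmith's password change falls outside the window.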
Key takeaways
- SyncJacking shows that identity synchronization can function as a privilege escalation path, not just an integration mechanism.
- The abuse is dangerous because it can remap a synchronized account with minimal trace and inherit cloud authority.
- Hybrid identity programmes need lifecycle, MFA, and remap monitoring controls that treat source anchors as security-critical data.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Hard matching abuse exposes weak lifecycle and rotation governance for synchronized identities. |
| NIST CSF 2.0 | PR.AC-4 | This attack turns identity synchronization into an access-control failure. |
| NIST Zero Trust (SP 800-207) | | The attack exploits implicit trust between connected identity systems. |
Track synchronized identities and tighten controls on matching attributes and privileged lifecycle events.
Key terms
- Hard Matching: Hard matching is the process of binding an on-premises identity object to a cloud identity using a stable source anchor. In hybrid identity environments, it preserves continuity across directories, but if the matching attributes can be changed by an attacker, it can also be abused to transfer authority between identities.
- Source Anchor: A source anchor is the attribute that tells a sync engine which on-premises object corresponds to a cloud object. It is meant to keep identities stable across systems, but it becomes security-critical when account takeover depends on changing the value or copying it onto another object.
- Password Hash Synchronization: Password hash synchronization copies a password hash from an on-premises directory into the cloud identity system. It simplifies authentication in hybrid environments, but it also expands the blast radius of a compromised source account because the synced cloud identity can inherit the same credential state.
- Identity Remapping: Identity remapping is the reassignment of one identity’s cloud authority to another object through synchronization logic. In practice, it can let an attacker cause a trusted cloud account to follow attacker-controlled directory state, which is why remap controls belong in privileged access governance.
Deepen your knowledge
SyncJacking, source-anchor governance, and hybrid identity lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you manage synchronized identities or privileged cloud accounts, it is worth exploring.
This post draws on content published by Semperis: SyncJacking: Hard Matching Vulnerability Enables Entra ID Account Takeover. Read the original.
Published by the NHIMG editorial team on 2026-01-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org