Hacker Reveals New Authentication Bypass in Active Directory and Entra ID Environments

At last week’s Black Hat event in Las Vegas, Dirk-jan Mollema, hacker, security researcher, and founder of Outsider Security, outlined a set of techniques for bypassing authentication in hybrid Active Directory (AD) and Entra ID environments. If successfully executed, these methods can allow an attacker to impersonate any synced hybrid user, including privileged accounts.

In the intro for his presentation, Mollema wrote: “Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much ‘the cloud’ trusts data from on-premises. The reason for this is that many threat actors, including APTs (advanced persistent threats), have been making use of known lateral movement techniques to compromise the cloud from AD.”

Understanding the weaknesses in Active Directory and Entra ID

In one demonstration, Mollema showed how a low-privilege cloud account could be converted into a hybrid user, thereby granting him administrative rights without raising any alarms in the process. He also demonstrated how it’s possible to modify internal API policies and bypass access enforcement controls under certain conditions.

But the vulnerabilities don’t stop there. By taking advantage of hybrid configurations with Microsoft Exchange, an attacker can impersonate virtually any Exchange mailbox, ultimately gaining access to all of the emails, documents, and attachments within it.

Microsoft has been aware of these flaws for some time. The company has issued patches to address some of the more serious vulnerabilities, for example by strengthening security for global administrators and removing certain API permissions from synchronized accounts. However, the problem won’t be fully resolved until Microsoft separates its hybrid Exchange and Entra ID services in October 2025.

Protecting your Active Directory and Entra ID environments

In the meantime, Microsoft Exchange users can minimize their risk by implementing these security measures:

  • Auditing any and all synchronization servers.
  • Implementing hardware key storage.
  • Monitoring any unusual API calls.
  • Enabling hybrid application splitting within Microsoft Exchange.
  • Rotating single sign-on (SSO) keys on a regular basis.
  • Restricting users to only the necessary permissions.
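
One concrete way to act on the last point, given that the talk centred on impersonating synced hybrid users, is to inventory which privileged Entra ID roles are currently held by accounts synced from on-premises AD. The script below is an added example, not code from the article or from the researcher; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has the RoleManagement.Read.Directory and User.Read.All scopes.

```powershell
# Added example: list members of active Entra ID directory roles whose accounts
# are synced from on-premises AD (hybrid users). These are the accounts that an
# attacker who controls the sync path could impersonate, so they should hold as
# few privileged roles as possible.
# Assumption: Microsoft.Graph SDK present; scopes RoleManagement.Read.Directory, User.Read.All.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

$findings = foreach ($role in Get-MgDirectoryRole -All) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user objects carry the on-premises sync flag; skip groups and service principals.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id `
            -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId

        # OnPremisesSyncEnabled is $true for hybrid (synced) users and $null/$false for cloud-only.
        if ($user.OnPremisesSyncEnabled) {
            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                ImmutableId       = $user.OnPremisesImmutableId
            }
        }
    }
}

if ($findings) {
    "Synced (hybrid) accounts holding directory roles:"
    $findings | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
} else {
    "No synced (hybrid) accounts hold active directory roles."
}
```

Any row in the output is a candidate for review: either move the role to a cloud-only account or confirm the hybrid account genuinely needs it.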

Staying vigilant in the hybrid era

Hybrid environments are only as strong as their weakest link. Until Microsoft finalizes its service separation, the best defense against these AD and Entra ID vulnerabilities involves consistent server log auditing, proactive API monitoring, and maintaining least-privilege access policies across the board.

Security in the hybrid era isn’t just about waiting for the next patch; it’s also about staying one step ahead of hackers and remaining vigilant at all times.
