Attacking Azure AD by abusing Synchronisation API: The story behind 40.000 USD in bug bounties presented at Romhack 2022

by Dr Nestori Syynimaa

Summary: Azure AD is an Identity and Access Management (IAM) service used by over 88 per cent of Fortune 500 companies. Of these, at least 84 per cent use Azure AD Connect to synchronise objects from their on-prem AD to Azure AD. The credentials used for synchronisation hold high privileges in both on-prem AD and Azure AD. With those credentials, a threat actor can access Azure AD through the same API that Azure AD Connect itself uses…

In this session, I'll first show how a flaw in the Synchronisation API could be used to take over and delete cloud-only users, including Global Administrators. Second, I'll show how the fix Microsoft provided 500 days later could be bypassed using another flaw in the same API.