Black Hat USA 2025 | Advanced Active Directory to Entra ID Lateral Movement Techniques
Why It Matters
A compromised on‑prem AD can instantly grant attackers unrestricted cloud access, bypassing MFA and compromising privileged accounts, leading to data loss and regulatory penalties.
Key Takeaways
- Compromised on‑prem AD enables token‑forging attacks on Entra
- ADFS and Seamless SSO keys allow impersonation of any cloud user
- Soft‑matching can convert cloud‑only admins to vulnerable hybrid accounts
- Sync account can modify conditional‑access and other critical policies
- TPM‑stored service principal keys still exploitable via forged assertions
Summary
The presentation at Black Hat USA 2025 detailed how attackers can move laterally from a fully compromised on‑premises Active Directory into Microsoft Entra ID in hybrid environments. Speaker Dian of Outsider Security explained that once domain‑admin rights are obtained on‑prem, the same trust relationship used for authentication can be abused to gain cloud privileges.
He outlined several configuration‑dependent vectors: ADFS token‑signing certificates, Seamless Single Sign‑On Kerberos keys, and the Entra ID Connect service account. Because Entra ID (formerly Azure AD) treats all synchronized users as members of the same tenant, stealing these keys lets an adversary impersonate any hybrid user, bypass MFA, and even reset passwords across all synced domains. The talk also highlighted that soft‑matching still allows conversion of cloud‑only privileged accounts into hybrid accounts, exposing eligible global admins.
A striking example cited was the ability of the sync account to edit conditional‑access policies via an undocumented internal Graph API, effectively disabling MFA or adding exclusions. Additionally, recent changes to AD Connect that use service‑principal certificates stored in TPM do not prevent abuse; attackers can craft assertions with arbitrary expiry dates, granting long‑term access.
The findings underscore the urgency for enterprises to decommission legacy federation, block soft‑matching, enforce strict MFA that cannot be forged, rotate ADFS and SSO keys, and tightly monitor AD Connect credentials and policy‑change logs. Without these mitigations, a breach of on‑prem AD can quickly translate into full control of the cloud tenant, with severe compliance and financial repercussions.
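One of the mitigations above is monitoring policy‑change logs for activity by the AD Connect sync account. The following is an added detection example, not code from the talk or from Outsider Security: it scans Entra audit‑log entries and flags any conditional‑access policy change initiated by a sync account. The field names assume the Microsoft Graph directoryAudit JSON shape, the `Sync_` prefix is the naming convention Entra ID Connect uses for its account, and the log entries are constructed samples.

```python
import json
# Field names follow the Microsoft Graph directoryAudit JSON shape (assumed):
# category, activityDisplayName, initiatedBy.user.userPrincipalName, targetResources.
POLICY_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
}

def initiator(entry: dict) -> str:
    """Return the UPN or app display name that initiated an audit entry."""
    who = entry.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or ""

def is_sync_account(principal: str) -> bool:
    """Entra ID Connect names its sync account Sync_<host>_<id>; match on the prefix."""
    return principal.lower().startswith("sync_")

def flag_sync_policy_changes(entries: list[dict]) -> list[tuple[str, str, str]]:
    """Return (initiator, activity, policy name) for CA policy changes by sync accounts.
    The sync account has no legitimate reason to touch conditional access,
    so every hit is alert-worthy regardless of what the change contained."""
    hits = []
    for e in entries:
        if e.get("category") != "Policy":
            continue
        if e.get("activityDisplayName") not in POLICY_ACTIVITIES:
            continue
        who = initiator(e)
        if not is_sync_account(who):
            continue
        target = (e.get("targetResources") or [{}])[0].get("displayName", "")
        hits.append((who, e["activityDisplayName"], target))
    return hits

# Constructed sample audit entries (not real tenant data).
SAMPLE_LOG = json.loads("""[
 {"category": "Policy", "activityDisplayName": "Update conditional access policy",
  "initiatedBy": {"user": {"userPrincipalName": "Sync_DC01_a1b2c3@contoso.onmicrosoft.com"}},
  "targetResources": [{"displayName": "Require MFA for admins"}]},
 {"category": "Policy", "activityDisplayName": "Update conditional access policy",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.com"}},
  "targetResources": [{"displayName": "Block legacy auth"}]},
 {"category": "UserManagement", "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "Sync_DC01_a1b2c3@contoso.onmicrosoft.com"}},
  "targetResources": [{"displayName": "bob"}]}
]""")
```

Only the first sample entry is flagged: the admin's own policy edit and the sync account's routine user update are expected activity.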