Query Details
id: 9b1a0007-1007-4107-9107-aadprov00007
name: DirSync Feature Toggle - SoftMatch / HardMatch / PHS
version: 1.0.0
kind: Scheduled
description: |
  Detects modification of Entra Connect DirSync feature settings, including
  `BlockSoftMatch`, `BlockCloudObjectTakeoverThroughHardMatch`, and Password
  Hash Sync enable/disable, via `Update-MgDirectoryOnPremiseSynchronization`
  or equivalent Graph cmdlets. These toggles are documented attack vectors:
  disabling SoftMatch blocking allows an attacker holding `Hybrid Identity
  Administrator` to take over cloud-only accounts by syncing matching
  on-premises objects. Direct mapping to the Cloud-Architekt
  `AADCSyncServiceAccount` playbook.
  MITRE ATT&CK: T1556 (Modify Authentication Process), T1098.003 (Account
  Manipulation: Additional Cloud Roles), T1078.004 (Valid Accounts: Cloud
  Accounts).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1556
  - T1098
query: |
  AuditLogs
  | where TimeGenerated > ago(1d)
  // Directory-management events, or any operation name known to carry DirSync changes
  | where Category =~ "DirectoryManagement"
      or OperationName has_any (
          "Set DirSyncEnabled flag",
          "Update directory feature",
          "Set Company DirSyncEnabled",
          "Set Company Information",
          "Set Password Hash Sync",
          "Update OnPremisesDirectorySynchronization",
          "OnPremDirectorySynchronization"
      )
  // Actor is the user UPN when present, otherwise the initiating application
  | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatorApp = tostring(InitiatedBy.app.displayName)
  | extend Actor = coalesce(Initiator, InitiatorApp)
  // Keep only events whose target properties reference a DirSync feature
  | extend TargetProps = tostring(TargetResources)
  | where TargetProps has_any (
      "BlockSoftMatch",
      "BlockCloudObjectTakeoverThroughHardMatch",
      "PasswordHashSync",
      "passwordHashSync",
      "SeamlessSSO",
      "DirSyncEnabled",
      "synchronizationInterval"
  )
  // First matching branch wins: HardMatch takes precedence when several toggles change in one call
  | extend FeatureMentioned = case(
      TargetProps has "BlockCloudObjectTakeoverThroughHardMatch", "HardMatchBlock",
      TargetProps has "BlockSoftMatch", "SoftMatchBlock",
      TargetProps has "PasswordHashSync" or TargetProps has "passwordHashSync", "PasswordHashSync",
      TargetProps has "SeamlessSSO", "SeamlessSSO",
      TargetProps has "DirSyncEnabled", "DirSyncEnabled",
      "OtherFeature"
  )
  | project TimeGenerated, OperationName, Category, Actor,
      SourceIP = tostring(InitiatedBy.user.ipAddress),
      FeatureMentioned, Result, ResultReason, TargetResources
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  Feature: FeatureMentioned
  Actor: Actor
  Operation: OperationName
alertDetailsOverride:
  alertDisplayNameFormat: "DirSync feature change ({{FeatureMentioned}}) by {{Actor}}"
  alertDescriptionFormat: "Entra Connect feature {{FeatureMentioned}} was modified by {{Actor}}. Operation: {{OperationName}}. Validate against approved change ticket."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT24H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
This query is designed to monitor and detect changes to specific settings in Entra Connect DirSync, which is a tool used for synchronizing on-premises directories with Azure Active Directory. The query focuses on identifying modifications to settings like BlockSoftMatch, BlockCloudObjectTakeoverThroughHardMatch, and Password Hash Sync. These settings are critical because altering them can be a security risk, potentially allowing unauthorized access or control over cloud accounts.
Here's a simplified breakdown of what the query does:
Data Source: It pulls data from Azure Active Directory's AuditLogs, specifically looking at logs from the past day.
Filter Criteria: The query filters logs related to directory management operations, such as enabling or updating directory synchronization features.
Key Features: It checks whether the target resource properties of the event mention any of the features the query looks for: BlockSoftMatch, BlockCloudObjectTakeoverThroughHardMatch, PasswordHashSync, SeamlessSSO, DirSyncEnabled, or synchronizationInterval. When several are changed in one operation, the first matching branch of the case expression (HardMatch before SoftMatch) decides the reported feature.
Output: The query extracts and organizes relevant information such as the time of the operation, the operation name, the actor (who initiated the change), the source IP address, and the specific feature mentioned.
Alerting: If any changes are detected, it generates an alert with details about the feature change, who made the change, and the operation performed. The alert is designed to be high severity due to the potential security implications.
Incident Management: The query is configured to create incidents for detected changes and group them by the account involved, helping in tracking and managing potential security incidents.
Overall, this query is a security measure to ensure that any unauthorized or suspicious changes to critical synchronization settings are promptly detected and investigated.
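The breakdown above can be checked offline. The following is an added example, not part of the Sentinel rule or its author's code: it re-implements the query's filter, actor fallback, feature precedence and ordering in Python and runs them over constructed AuditLogs-shaped records (the tenant, UPNs, IPs and timestamps are made up). KQL `has`/`has_any` are approximated with case-insensitive whole-term regex matching, which is close to Kusto's term semantics but not identical for every separator character.

```python
"""Offline re-implementation of the rule's KQL pipeline (added example, not part of
the Sentinel rule): same filters, same FeatureMentioned precedence, same ordering,
run over constructed AuditLogs-shaped records so the logic can be checked without
a workspace. KQL `has`/`has_any` are approximated with whole-term regex matching."""
import json
import re
from datetime import datetime, timedelta, timezone

# Operation names and TargetResources tokens copied from the rule's query.
OPERATION_NAMES = (
    "Set DirSyncEnabled flag", "Update directory feature", "Set Company DirSyncEnabled",
    "Set Company Information", "Set Password Hash Sync",
    "Update OnPremisesDirectorySynchronization", "OnPremDirectorySynchronization",
)
FEATURE_TOKENS = (
    "BlockSoftMatch", "BlockCloudObjectTakeoverThroughHardMatch", "PasswordHashSync",
    "passwordHashSync", "SeamlessSSO", "DirSyncEnabled", "synchronizationInterval",
)
# Same order as the query's case(): the first matching token decides the label.
FEATURE_PRECEDENCE = (
    ("BlockCloudObjectTakeoverThroughHardMatch", "HardMatchBlock"),
    ("BlockSoftMatch", "SoftMatchBlock"),
    ("PasswordHashSync", "PasswordHashSync"),   # case-insensitive, so covers passwordHashSync
    ("SeamlessSSO", "SeamlessSSO"),
    ("DirSyncEnabled", "DirSyncEnabled"),
)


def has_term(text: str, term: str) -> bool:
    """Approximates KQL `has`: case-insensitive whole-term (or phrase) match, so a
    token inside JSON such as "BlockSoftMatch":false is found, but an identifier
    that merely contains the term as a substring is not."""
    return re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", text, re.IGNORECASE) is not None


def classify_feature(target_props: str) -> str:
    """Mirrors the query's case() expression over the serialized TargetResources."""
    for token, label in FEATURE_PRECEDENCE:
        if has_term(target_props, token):
            return label
    return "OtherFeature"


def evaluate(records, now=None):
    """Apply the rule's where/extend/project steps; return alertable rows, newest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=1)                       # TimeGenerated > ago(1d)
    rows = []
    for r in records:
        if r["TimeGenerated"] <= cutoff:
            continue
        in_scope = (r.get("Category", "").lower() == "directorymanagement"
                    or any(has_term(r.get("OperationName", ""), op) for op in OPERATION_NAMES))
        if not in_scope:
            continue
        initiated_by = r.get("InitiatedBy") or {}
        user = initiated_by.get("user") or {}
        app = initiated_by.get("app") or {}
        actor = user.get("userPrincipalName") or app.get("displayName") or ""   # coalesce()
        target_props = json.dumps(r.get("TargetResources", []))                # tostring()
        if not any(has_term(target_props, t) for t in FEATURE_TOKENS):
            continue
        rows.append({
            "TimeGenerated": r["TimeGenerated"],
            "OperationName": r.get("OperationName", ""),
            "Category": r.get("Category", ""),
            "Actor": actor,
            "SourceIP": user.get("ipAddress", ""),
            "FeatureMentioned": classify_feature(target_props),
            "Result": r.get("Result", ""),
            "ResultReason": r.get("ResultReason", ""),
        })
    rows.sort(key=lambda row: row["TimeGenerated"], reverse=True)   # order by TimeGenerated desc
    return rows


def alert_title(row) -> str:
    """The rule's alertDisplayNameFormat rendered for one result row."""
    return f"DirSync feature change ({row['FeatureMentioned']}) by {row['Actor']}"


# Constructed sample records (not real tenant data); NOW is a fixed reference time.
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)


def _record(age, category, op, initiated_by, props):
    return {"TimeGenerated": NOW - age, "Category": category, "OperationName": op,
            "Result": "success", "ResultReason": "", "InitiatedBy": initiated_by,
            "TargetResources": [{"displayName": "OnPremisesDirectorySynchronization",
                                 "modifiedProperties": props}]}


SAMPLE_AUDIT_LOGS = [
    # Admin turns both protective toggles off in one call: HardMatchBlock takes precedence.
    _record(timedelta(hours=2), "DirectoryManagement", "Update OnPremisesDirectorySynchronization",
            {"user": {"userPrincipalName": "hybrid.admin@contoso.example", "ipAddress": "203.0.113.10"}},
            [{"displayName": "BlockSoftMatch", "oldValue": "true", "newValue": "false"},
             {"displayName": "BlockCloudObjectTakeoverThroughHardMatch", "oldValue": "true", "newValue": "false"}]),
    # App-initiated change: no user UPN, so Actor falls back to the app name and SourceIP is empty.
    _record(timedelta(minutes=30), "DirectoryManagement", "Set Password Hash Sync",
            {"app": {"displayName": "Sync Automation"}},
            [{"displayName": "PasswordHashSync", "oldValue": "true", "newValue": "false"}]),
    # Directory change touching no DirSync feature: passes the category filter, dropped by TargetProps.
    _record(timedelta(hours=1), "DirectoryManagement", "Update company settings",
            {"user": {"userPrincipalName": "it.ops@contoso.example", "ipAddress": "203.0.113.11"}},
            [{"displayName": "MarketingNotificationEmails", "oldValue": "[]", "newValue": "[\"x\"]"}]),
    # A DirSync change outside the 1-day window: dropped by the time filter.
    _record(timedelta(days=3), "DirectoryManagement", "Set DirSyncEnabled flag",
            {"user": {"userPrincipalName": "hybrid.admin@contoso.example", "ipAddress": "203.0.113.10"}},
            [{"displayName": "DirSyncEnabled", "oldValue": "true", "newValue": "false"}]),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_AUDIT_LOGS, now=NOW):
        print(row["TimeGenerated"].isoformat(), alert_title(row), row["SourceIP"] or "-")
```

Running it prints two rows, the app-initiated Password Hash Sync change first and the HardMatchBlock change second; the unrelated directory change and the three-day-old event are filtered out exactly as the query would drop them. The app-initiated row has an empty SourceIP, which is why the rule maps the IP entity from `InitiatedBy.user.ipAddress` and groups incidents by Account rather than by IP.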

David Alonso
Released: June 1, 2026