DirSync Feature Toggle - SoftMatch / HardMatch / PHS
07 AAD Prov Dir Sync Feature Toggle
Query
AuditLogs
| where TimeGenerated > ago(1d)
| where Category =~ "DirectoryManagement"
or OperationName has_any (
"Set DirSyncEnabled flag",
"Update directory feature",
"Set Company DirSyncEnabled",
"Set Company Information",
"Set Password Hash Sync",
"Update OnPremisesDirectorySynchronization",
"OnPremDirectorySynchronization"
)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorApp = tostring(InitiatedBy.app.displayName)
| extend Actor = coalesce(Initiator, InitiatorApp)
| extend TargetProps = tostring(TargetResources)
| where TargetProps has_any (
"BlockSoftMatch",
"BlockCloudObjectTakeoverThroughHardMatch",
"PasswordHashSync",
"passwordHashSync",
"SeamlessSSO",
"DirSyncEnabled",
"synchronizationInterval"
)
| extend FeatureMentioned = case(
TargetProps has "BlockCloudObjectTakeoverThroughHardMatch", "HardMatchBlock",
TargetProps has "BlockSoftMatch", "SoftMatchBlock",
TargetProps has "PasswordHashSync" or TargetProps has "passwordHashSync", "PasswordHashSync",
TargetProps has "SeamlessSSO", "SeamlessSSO",
TargetProps has "DirSyncEnabled", "DirSyncEnabled",
"OtherFeature"
)
| project TimeGenerated, OperationName, Category, Actor,
SourceIP = tostring(InitiatedBy.user.ipAddress),
FeatureMentioned, Result, ResultReason, TargetResources
| order by TimeGenerated descExplanation
This query is designed to monitor and detect changes to specific settings in Entra Connect DirSync, which is a tool used for synchronizing on-premises directories with Azure Active Directory. The query focuses on identifying modifications to settings like BlockSoftMatch, BlockCloudObjectTakeoverThroughHardMatch, and Password Hash Sync. These settings are critical because altering them can be a security risk, potentially allowing unauthorized access or control over cloud accounts.
Here's a simplified breakdown of what the query does:
-
Data Source: It pulls data from Azure Active Directory's AuditLogs, specifically looking at logs from the past day.
-
Filter Criteria: The query filters logs related to directory management operations, such as enabling or updating directory synchronization features.
-
Key Features: It checks if any of the following features were mentioned in the logs:
- Blocking or allowing soft matches (SoftMatchBlock)
- Blocking or allowing cloud object takeovers through hard matches (HardMatchBlock)
- Enabling or disabling Password Hash Sync
- Other related features like Seamless Single Sign-On (SSO) and DirSyncEnabled
-
Output: The query extracts and organizes relevant information such as the time of the operation, the operation name, the actor (who initiated the change), the source IP address, and the specific feature mentioned.
-
Alerting: If any changes are detected, it generates an alert with details about the feature change, who made the change, and the operation performed. The alert is designed to be high severity due to the potential security implications.
-
Incident Management: The query is configured to create incidents for detected changes and group them by the account involved, helping in tracking and managing potential security incidents.
Overall, this query is a security measure to ensure that any unauthorized or suspicious changes to critical synchronization settings are promptly detected and investigated.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d