Query Details

Sync Account Outside ServiceAccounts Watchlist

12 AAD Prov Sync Account Outside Watchlist

Query

let ApprovedSyncAccounts =
    _GetWatchlist('EntraConnect_ServiceAccounts')
    | where tostring(Tags) has "EntraIDConnect"
    | project AccountObjectId = tostring(AccountObjectId);
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles has_any (
      "Directory Synchronization Accounts",
      "On Premises Directory Sync Account"
  )
    or AccountUPN startswith "Sync_"
    or AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where AccountObjectId !in (ApprovedSyncAccounts)
| project AccountUPN, AccountObjectId, AccountDisplayName, AssignedRoles,
          AccountCreationTime, IsAccountEnabled
| order by AccountCreationTime desc

Explanation

This query is designed to detect potentially unauthorized synchronization accounts in an Azure Active Directory environment. Here's a simplified explanation:

  1. Purpose: The query identifies user accounts that have been assigned roles related to directory synchronization or have names suggesting they are sync accounts. It checks if these accounts are not listed in a specific watchlist of approved service accounts.

  2. Watchlist: It uses a watchlist named EntraConnect_ServiceAccounts to identify approved sync accounts. Accounts in this list are tagged with EntraIDConnect.

  3. Detection Criteria:

    • Accounts with roles like "Directory Synchronization Accounts" or "On Premises Directory Sync Account".
    • Accounts with usernames starting with "Sync_" or display names containing "On-Premises Directory Synchronization Service Account".
    • Accounts not found in the approved watchlist are flagged.
  4. Timeframe: The query looks at data from the past 14 days and runs every 12 hours.

  5. Alerting: If any unapproved sync accounts are detected, an alert is generated. The alert includes details like the account's username, roles, creation time, and whether the account is enabled.

  6. Security Implication: This is considered a medium-severity alert because such accounts could indicate a backdoor created by an attacker to maintain access while avoiding detection by security operations center (SOC) watchlists.

  7. MITRE ATT&CK Techniques: The query is associated with techniques T1136.003 (Create Account: Cloud Account) and T1098.001 (Account Manipulation: Additional Cloud Credentials), which relate to persistence tactics.

  8. Incident Management: If an alert is triggered, an incident is created, and similar alerts are grouped together for easier management.

Overall, this query helps in identifying unauthorized sync accounts that could be used for malicious purposes, ensuring that only approved accounts are used for directory synchronization.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

IdentityInfo

Keywords

AzureActiveDirectoryAuditLogsIdentityInfoAccountServiceAccountsEntraIDConnectDirectorySynchronizationAccountsOnPremisesSyncOn-PremisesService

Operators

let_GetWatchlistwheretostringhasprojectsummarizearg_maxbyhas_anystartswith!inorder by

Severity

Medium

Tactics

Persistence

Frequency: 12h

Period: 14d

Actions

GitHub