Sync Account Outside ServiceAccounts Watchlist
12 AAD Prov Sync Account Outside Watchlist
Query
let ApprovedSyncAccounts =
_GetWatchlist('EntraConnect_ServiceAccounts')
| where tostring(Tags) has "EntraIDConnect"
| project AccountObjectId = tostring(AccountObjectId);
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles has_any (
"Directory Synchronization Accounts",
"On Premises Directory Sync Account"
)
or AccountUPN startswith "Sync_"
or AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where AccountObjectId !in (ApprovedSyncAccounts)
| project AccountUPN, AccountObjectId, AccountDisplayName, AssignedRoles,
AccountCreationTime, IsAccountEnabled
| order by AccountCreationTime descExplanation
This query is designed to detect potentially unauthorized synchronization accounts in an Azure Active Directory environment. Here's a simplified explanation:
-
Purpose: The query identifies user accounts that have been assigned roles related to directory synchronization or have names suggesting they are sync accounts. It checks if these accounts are not listed in a specific watchlist of approved service accounts.
-
Watchlist: It uses a watchlist named
EntraConnect_ServiceAccountsto identify approved sync accounts. Accounts in this list are tagged withEntraIDConnect. -
Detection Criteria:
- Accounts with roles like "Directory Synchronization Accounts" or "On Premises Directory Sync Account".
- Accounts with usernames starting with "Sync_" or display names containing "On-Premises Directory Synchronization Service Account".
- Accounts not found in the approved watchlist are flagged.
-
Timeframe: The query looks at data from the past 14 days and runs every 12 hours.
-
Alerting: If any unapproved sync accounts are detected, an alert is generated. The alert includes details like the account's username, roles, creation time, and whether the account is enabled.
-
Security Implication: This is considered a medium-severity alert because such accounts could indicate a backdoor created by an attacker to maintain access while avoiding detection by security operations center (SOC) watchlists.
-
MITRE ATT&CK Techniques: The query is associated with techniques T1136.003 (Create Account: Cloud Account) and T1098.001 (Account Manipulation: Additional Cloud Credentials), which relate to persistence tactics.
-
Incident Management: If an alert is triggered, an incident is created, and similar alerts are grouped together for easier management.
Overall, this query helps in identifying unauthorized sync accounts that could be used for malicious purposes, ensuring that only approved accounts are used for directory synchronization.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 12h
Period: 14d