Detection of Microsoft Entra Connect accounts outside of WatchLists
AAD Connector Account Outside Of Watch List
Query
// Query all users that habe the "Directory Synchronization Accounts" role assigned
let DirSyncRoleAssignedMembers = (IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where AssignedRoles has "Directory Synchronization Accounts"
| summarize by AccountObjectId);
// Query all users that have signed in to the AADSync API
let DirSyncNamedUsers = (union isfuzzy=true AADNonInteractiveUserSignInLogs, SigninLogs
| where TimeGenerated > ago(1d)
// AADC APIs: AADSync = "cb1056e2-e479-49de-ae31-7812af012ed8", AAD Connect v2 = 6eb59a73-39b2-4c23-a70f-e2e3ce8965b1
| where (UserPrincipalName startswith "sync_" and UserPrincipalName endswith "onmicrosoft.com")
or AppId == "cb1056e2-e479-49de-ae31-7812af012ed8"
or AppId == "6eb59a73-39b2-4c23-a70f-e2e3ce8965b1"
| summarize by AccountObjectId = UserId);
// Query all explicitly tagged Microsoft Entra Connect / Azure AD Connect account in the watchlist ServiceAccounts
let WatchList = _GetWatchlist('ServiceAccounts')
| where ['Tags'] has "Azure AD Connect"
| project AccountObjectId = ['Service AAD Object Id'];
// Combine the two lists and remove all known accounts
// All resulting accounts are not possibly not allowed to use this API or have the role assigned
union isfuzzy=true DirSyncRoleAssignedMembers, DirSyncNamedUsers
| summarize by AccountObjectId
| where AccountObjectId !in (WatchList)
| join kind=leftouter (IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
)
on AccountObjectId
| project-away *1, TimeGeneratedExplanation
This query is designed to detect Microsoft Entra Connect accounts that are not stored in the WatchList. It looks for objects with Directory role membership to "Directory Synchronization" or naming similar to Microsoft Entra Connect account. The query frequency is once a day and the query period is 14 days. The severity of this detection is medium. The query combines two lists of users and removes known accounts, resulting in a list of potentially unauthorized accounts. The query does not have suppression enabled and is configured to create an incident. The incident grouping configuration is disabled and the lookback duration is 5 minutes. The event grouping settings aggregate alerts into a single alert. The query maps certain fields to account entities and the suppression duration is 1 hour.
Details

Thomas Naunheim
Released: September 21, 2023
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1d
Period: 14d