Microsoft Azure AD Connect

Security researchers at Preempt discovered a vulnerability affecting organizations that use Microsoft’s Azure AD Connect software to connect a Microsoft Office 365 cloud deployment with on-premises Microsoft Active Directory (AD) Domain Services, known as a hybrid deployment. This vulnerability exists due to a configuration error between the Azure AD Connect software and the AD DS directory synchronization account and can result in the creation of several unauthorized stealthy administrator accounts – user accounts that exist outside of the protected administrator group but have elevated domain privileges. These privileged accounts create a grave risk to organizations as they are often overlooked and not properly managed, and credentials for these accounts could easily be compromised and exploited by threat actors to gain unauthorized access to networks. The NJCCIC recommends all network administrators who installed Azure AD Connect using the default/express installation option and manage a hybrid deployment as described above review Microsoft Security Advisory 4056318 and the Preempt Blog to learn more about this vulnerability and audit their networks for stealthy administrator accounts. Microsoft released a free PowerShell script for administrators to tighten permissions of the AD domain accounts and Preempt released a free tool designed to locate stealthy administrator accounts. The NJCCIC makes no claim as to the effectiveness of these tools and users are advised to exercise caution when downloading and installing any software from the internet.