Flaw in Office 365 with Azure AD Connect could result in domain compromise

The Preempt research team has uncovered a vulnerability with Microsoft Office 365 when integrated with an on-premises Active Directory Domain Services (AD DS) using Azure AD Connect software that unnecessarily gives users elevated administrator privileges, making them “stealthy” administrators.

Flaw Office 365 Azure AD Connect

Preempt discovered this surprising issue was occurring when customers were installing Microsoft Office 365 with Azure AD Connect software for on-premise AD DS integration (hybrid deployment).

“Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration,” said Roman Blachman, CTO at Preempt. “We refer to these users as stealthy admins. The majority of our customers’ have Office 365 hybrid deployments and almost every one of them were vulnerable to this because Azure AD Connect was installed in express settings and created this flaw.”

Flaw Office 365 Azure AD Connect

This discovered vulnerability points to a much larger issue as more companies move to the cloud. This vulnerability piles on to previously detected issues, including Microsoft Advisory 4033453, that has discovered an issue with writeback feature – granting Azure AD administrators complete control over on-premises AD DS infrastructure.

Privileged users are often overlooked and are not managed correctly when synchronized with the cloud, due to limited toolset in comparison to the on-premises solutions. With the introduced cloud identity management, new management and security challenges are introduced.

Preempt provided responsible disclosure to Microsoft which has issued a customer security advisory regarding the vulnerability.