Microsoft recently announced that it will soon begin restricting the effective permissions of accounts assigned to the Directory Synchronization Accounts role in Microsoft Entra, as part of its ongoing security hardening efforts.
The purpose of Directory Synchronization Accounts is to support the synchronisation of identities between your on-premises environments and Microsoft Entra. As part of this synchronisation, a Directory Synchronization Account is provisioned to support creating, updating and removing objects in Microsoft Entra when they are no longer needed.
Unfortunately, it has long been known that Directory Synchronization Accounts offer a clear path to privilege escalation because of how heavily overprivileged the role is. These much-needed efforts from Microsoft will see the unused permissions removed from the role, reducing potential attack paths within Microsoft Entra and beyond.
The announcement
The announcement, titled ‘Restricted permissions on Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Cloud Sync’, states that:
As part of ongoing security hardening, we have removed unused permissions from the privileged “Directory Synchronization Accounts” role. This role is exclusively used by Connect Sync and Cloud Sync to synchronize Active Directory objects with Entra ID.
There is no action required by customers to benefit from this hardening. Please refer to the documentation for details on the revised role permissions.
Thankfully, Microsoft has made clear that no action is needed from administrators for this change, a welcome note after a flurry of admin-impacting changes this year already.
Existing permissions on the Directory Synchronization Accounts role
So what actions can currently be performed by accounts assigned to the Directory Synchronization Accounts role? As the documentation is likely to change soon, below is a table of all the enabled actions and their descriptions as of 08/08/2024.
| Actions | Description |
|---|---|
microsoft.directory/applications/create | Create all types of applications |
microsoft.directory/applications/delete | Delete all types of applications |
microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications |
microsoft.directory/applications/audience/update | Update the audience property for applications |
microsoft.directory/applications/authentication/update | Update authentication on all types of applications |
microsoft.directory/applications/basic/update | Update basic properties for applications |
microsoft.directory/applications/credentials/update | Update credentials of applications (privileged) |
microsoft.directory/applications/notes/update | Update notes of applications |
microsoft.directory/applications/owners/update | Update owners of applications |
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
microsoft.directory/applications/policies/update | Update policies of applications |
microsoft.directory/applications/tag/update | Update tags of applications |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks | Manage all aspects of hybrid authentication policy (privileged) |
microsoft.directory/organization/dirSync/update | Update the organization directory sync property |
microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Microsoft Entra ID |
microsoft.directory/policies/create | Create policies in Microsoft Entra ID |
microsoft.directory/policies/delete | Delete policies in Microsoft Entra ID |
microsoft.directory/policies/standard/read | Read basic properties on policies |
microsoft.directory/policies/owners/read | Read owners of policies |
microsoft.directory/policies/policyAppliedTo/read | Read policies.policyAppliedTo property |
microsoft.directory/policies/basic/update | Update basic properties on policies (privileged) |
microsoft.directory/policies/owners/update | Update owners of policies |
microsoft.directory/policies/tenantDefault/update | Update default organization policies |
microsoft.directory/servicePrincipals/create | Create service principals |
microsoft.directory/servicePrincipals/delete | Delete service principals |
microsoft.directory/servicePrincipals/enable | Enable service principals |
microsoft.directory/servicePrincipals/disable | Disable service principals |
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals |
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals |
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read service principal role assignments |
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read role assignments assigned to service principals |
microsoft.directory/servicePrincipals/standard/read | Read basic properties of service principals |
microsoft.directory/servicePrincipals/memberOf/read | Read the group memberships on service principals |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read | Read delegated permission grants on service principals |
microsoft.directory/servicePrincipals/owners/read | Read owners of service principals |
microsoft.directory/servicePrincipals/ownedObjects/read | Read owned objects of service principals |
microsoft.directory/servicePrincipals/policies/read | Read policies of service principals |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals |
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals |
microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals (privileged) |
microsoft.directory/servicePrincipals/notes/update | Update notes of service principals |
microsoft.directory/servicePrincipals/owners/update | Update owners of service principals |
microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals |
microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals |
The following actions are highlighted as privileged in Microsoft Entra:
- microsoft.directory/applications/credentials/update
- microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks
- microsoft.directory/policies/basic/update
- microsoft.directory/servicePrincipals/credentials/update
It is likely that this change will remove all of the privileged actions above, as well as many of the other actions in the table; however, it is not yet clear which actions are unused and will be removed. That said, there are many other actions that I would deem privileged and certainly not required for directory synchronisation (or at least that should not be required). These are:
- microsoft.directory/applications/delete
- microsoft.directory/applications/appRoles/update
- microsoft.directory/applications/owners/update
- microsoft.directory/applications/permissions/update
- microsoft.directory/policies/delete
- microsoft.directory/policies/owners/update
- microsoft.directory/servicePrincipals/delete
- microsoft.directory/servicePrincipals/appRoleAssignedTo/update
- microsoft.directory/servicePrincipals/owners/update
- microsoft.directory/servicePrincipals/permissions/update
- microsoft.directory/servicePrincipals/policies/update
Current findings
As of 08/08/2024, reporting the AllowedResourceActions property of the DSA role using Microsoft Graph PowerShell now returns blank information. You can check this yourself using Microsoft Graph PowerShell with the following commands:

```powershell
# Sign in with a scope that can read directory role definitions
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# d29b2b05-... is the template ID of the Directory Synchronization Accounts role
Get-MgBetaRoleManagementDirectoryRoleDefinition `
    -UnifiedRoleDefinitionId d29b2b05-8046-44ba-8758-1e26182fcf32 |
    Select-Object -ExpandProperty RolePermissions
```
Your output will likely be blank, like the example below:
While this shows no output, it is unclear which permissions Microsoft have removed until they update the public documentation on Microsoft Learn. You can track the changes to this documentation by following the commits on GitHub here: https://github.com/MicrosoftDocs/entra-docs/commits/main/docs/identity/role-based-access-control/permissions-reference.md
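Once Microsoft publishes the revised permissions, the removal can be verified against the actions this post flags as privileged or unnecessary. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph.Beta module and the RoleManagement.Read.Directory scope, and reuses the DSA role template ID quoted above.

```powershell
# Added example: report which of the flagged actions are still allowed on the
# Directory Synchronization Accounts role definition.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Template ID of the Directory Synchronization Accounts role (from this post)
$dsaRoleId = "d29b2b05-8046-44ba-8758-1e26182fcf32"

# Actions this post lists as privileged or not required for synchronisation
$watchList = @(
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks",
    "microsoft.directory/policies/basic/update",
    "microsoft.directory/servicePrincipals/credentials/update",
    "microsoft.directory/applications/delete",
    "microsoft.directory/applications/appRoles/update",
    "microsoft.directory/applications/owners/update",
    "microsoft.directory/applications/permissions/update",
    "microsoft.directory/policies/delete",
    "microsoft.directory/policies/owners/update",
    "microsoft.directory/servicePrincipals/delete",
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
    "microsoft.directory/servicePrincipals/owners/update",
    "microsoft.directory/servicePrincipals/permissions/update",
    "microsoft.directory/servicePrincipals/policies/update"
)

$definition = Get-MgBetaRoleManagementDirectoryRoleDefinition `
    -UnifiedRoleDefinitionId $dsaRoleId

# Flatten every permission set's AllowedResourceActions into a single list
$allowed = @($definition.RolePermissions |
    ForEach-Object { $_.AllowedResourceActions })

if ($allowed.Count -eq 0) {
    Write-Host "No allowed actions are reported for the DSA role (matches the blank output observed above)."
} else {
    $remaining = @($watchList | Where-Object { $allowed -contains $_ })
    Write-Host ("Role reports {0} allowed actions; {1} flagged actions still present:" -f $allowed.Count, $remaining.Count)
    $remaining | ForEach-Object { Write-Host "  $_" }
}
```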
Assigning a user to the DSA role
While the Directory Synchronization Accounts role is not visible from the Entra admin portal, you can still view and assign users to the role using Microsoft Graph PowerShell like so:

```powershell
$userUPN = "[email protected]"
$roleName = "Directory Synchronization Accounts"

# Find the DSA role (it only exists once it has been activated from its template)
$role = Get-MgBetaDirectoryRole -Filter "displayName eq '$roleName'"

# Activate the role from its template if it does not exist yet
if ($null -eq $role) {
    $roleTemplate = (Get-MgBetaDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }).Id
    New-MgBetaDirectoryRole -DisplayName $roleName -RoleTemplateId $roleTemplate | Out-Null
    $role = Get-MgBetaDirectoryRole -Filter "displayName eq '$roleName'"
}

# Get the user's object ID
$userId = (Get-MgBetaUser -Filter "userPrincipalName eq '$userUPN'").Id

# Define the payload referencing the user to add
$newRoleMember = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$userId"
}

# Assign the user to the DSA role
New-MgBetaDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $newRoleMember
```
You can then enumerate the users assigned to the role (reporting the display name in this example) using the commands below:

```powershell
$role = Get-MgBetaDirectoryRole -Filter "displayName eq 'Directory Synchronization Accounts'"
(Get-MgBetaDirectoryRoleMember -DirectoryRoleId $role.Id |
    Select-Object -ExpandProperty AdditionalProperties).displayName
```
Mitigating abuse of DSA role assignments
Even with the changes being made by Microsoft, I recommend taking action to mitigate potential attacks against the DSA role members in Microsoft Entra:
- Reduce the number of members assigned to privileged roles, particularly those that can change directory role assignments.
- Utilise PIM for all directory roles, combined with authentication strengths, so that strong authentication is required to elevate into these roles.
- Limit access to the APIs that can modify this role (Azure AD Graph and Microsoft Graph) by setting the corresponding enterprise applications in Entra to “assignment required: Yes”, and completely block access to the legacy APIs in Entra.
- Implement a Conditional Access policy that blocks access to all apps for members of the DSA role, excluding the synchronisation accounts themselves. Then create a separate policy that limits access for the DSA role to trusted IP addresses.
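The first mitigation is easiest to keep honest with a recurring audit of who actually holds the DSA role. The script below is an added example, not code from the original post; the expected-member list is a placeholder assumption that should be replaced with the object IDs of your own Connect Sync and Cloud Sync accounts.

```powershell
# Added example: list every member of the Directory Synchronization Accounts
# role and flag any that are not on the expected synchronisation account list.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Object IDs of the sync accounts expected to hold the role (placeholder values)
$expectedMemberIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

$role = Get-MgBetaDirectoryRole -Filter "displayName eq 'Directory Synchronization Accounts'"
if ($null -eq $role) {
    Write-Host "The DSA role has not been activated in this tenant; there are no members to review."
    return
}

# Members come back as generic directory objects; the details live in AdditionalProperties
$members = Get-MgBetaDirectoryRoleMember -DirectoryRoleId $role.Id -All
$findings = foreach ($m in $members) {
    $props = $m.AdditionalProperties
    [pscustomobject]@{
        Id          = $m.Id
        Type        = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        DisplayName = $props['displayName']
        Upn         = $props['userPrincipalName']
        Expected    = $expectedMemberIds -contains $m.Id
    }
}

$findings | Format-Table -AutoSize

# Anything not on the list is a candidate for removal and for an alert
$unexpected = @($findings | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} DSA role member(s) are not on the expected list; review and remove them." -f $unexpected.Count)
}
```

Running this on a schedule and raising an alert on any unexpected member gives you detection for the abuse path this post describes, independent of which permissions Microsoft ultimately removes.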