Microsoft to reduce permissions on Directory Synchronization Accounts 

In a recent announcement, Microsoft will soon begin to restrict the effective permissions on accounts assigned to the Directory Synchronization Accounts role in Microsoft Entra as part of their ongoing security hardening efforts. 

The purpose of Directory Synchronization Accounts is to support the synchronisation of identities between your on-premises environments and Microsoft Entra. As part of this synchronisation, a Directory Synchronization Account is provisioned to support creating, updating and removing objects in Microsoft Entra when they are no longer needed. 

Unfortunately, it has long been known that Directory Synchronization Accounts enable a clear path for privilege escalations due to the clear overprivilege assigned to the role. These well-needed efforts from Microsoft will see the unused permissions removed from the role, thus reducing potential attack paths within Microsoft Entra and beyond.

The announcement

The announcement, titled ‘Restricted permissions on Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Cloud Sync‘ states that:

As part of ongoing security hardening, we have removed unused permissions from the privileged “Directory Synchronization Accounts” role. This role is exclusively used by Connect Sync and Cloud Sync to synchronize Active Directory objects with Entra ID.

There is no action required by customers to benefit from this hardening. Please refer the documentation for details on the revised role permissions.

Thankfully, it has been made clear from Microsoft that no action is needed from administrators for this change, a welcome note after a flurry of admin-impacting changes this year already.

Existing permissions on the Directory Synchronization Accounts role

So what actions can currently be performed by accounts assigned to the Directory Synchronization Accounts role? Well, as the documentation is likely to soon change, below is a table of all the enabled actions and their descriptions as of 08/08/2024.

Actions Description
microsoft.directory/applications/create Create all types of applications
microsoft.directory/applications/delete Delete all types of applications
microsoft.directory/applications/appRoles/update Update the appRoles property on all types of applications
microsoft.directory/applications/audience/update Update the audience property for applications
microsoft.directory/applications/authentication/update Update authentication on all types of applications
microsoft.directory/applications/basic/update Update basic properties for applications
microsoft.directory/applications/credentials/update Privileged label icon.
microsoft.directory/applications/notes/update Update notes of applications
microsoft.directory/applications/owners/update Update owners of applications
microsoft.directory/applications/permissions/update Update exposed permissions and required permissions on all types of applications
microsoft.directory/applications/policies/update Update policies of applications
microsoft.directory/applications/tag/update Update tags of applications
microsoft.directory/authorizationPolicy/standard/read Read standard properties of authorization policy
microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks Privileged label icon.
microsoft.directory/organization/dirSync/update Update the organization directory sync property
microsoft.directory/passwordHashSync/allProperties/allTasks Manage all aspects of Password Hash Synchronization (PHS) in Microsoft Entra ID
microsoft.directory/policies/create Create policies in Microsoft Entra ID
microsoft.directory/policies/delete Delete policies in Microsoft Entra ID
microsoft.directory/policies/standard/read Read basic properties on policies
microsoft.directory/policies/owners/read Read owners of policies
microsoft.directory/policies/policyAppliedTo/read Read policies.policyAppliedTo property
microsoft.directory/policies/basic/update Privileged label icon.
microsoft.directory/policies/owners/update Update owners of policies
microsoft.directory/policies/tenantDefault/update Update default organization policies
microsoft.directory/servicePrincipals/create Create service principals
microsoft.directory/servicePrincipals/delete Delete service principals
microsoft.directory/servicePrincipals/enable Enable service principals
microsoft.directory/servicePrincipals/disable Disable service principals
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials Manage password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials Read password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/appRoleAssignedTo/read Read service principal role assignments
microsoft.directory/servicePrincipals/appRoleAssignments/read Read role assignments assigned to service principals
microsoft.directory/servicePrincipals/standard/read Read basic properties of service principals
microsoft.directory/servicePrincipals/memberOf/read Read the group memberships on service principals
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read Read delegated permission grants on service principals
microsoft.directory/servicePrincipals/owners/read Read owners of service principals
microsoft.directory/servicePrincipals/ownedObjects/read Read owned objects of service principals
microsoft.directory/servicePrincipals/policies/read Read policies of service principals
microsoft.directory/servicePrincipals/appRoleAssignedTo/update Update service principal role assignments
microsoft.directory/servicePrincipals/audience/update Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update Update basic properties on service principals
microsoft.directory/servicePrincipals/credentials/update Privileged label icon.
microsoft.directory/servicePrincipals/notes/update Update notes of service principals
microsoft.directory/servicePrincipals/owners/update Update owners of service principals
microsoft.directory/servicePrincipals/permissions/update Update permissions of service principals
microsoft.directory/servicePrincipals/policies/update Update policies of service principals
microsoft.directory/servicePrincipals/tag/update Update the tag property for service principals

The following actions are highlighted as privileged in Microsoft Entra:

  • microsoft.directory/applications/credentials/update
  • microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks
  • microsoft.directory/policies/basic/update
  • microsoft.directory/servicePrincipals/credentials/update

It is likely that with this change, all of the above-privileged actions may be removed, as well as many of the actions within the table above, however, it is not yet clear which actions are unused and will be removed. This being said, there are many other actions that I would deem as privileged and certainly not required for directory synchronisation (or at least shouldn’t be required), these are:

  • microsoft.directory/applications/delete
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/policies/delete
  • microsoft.directory/policies/owners/update
  • microsoft.directory/servicePrincipals/delete
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/servicePrincipals/owners/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/servicePrincipals/policies/update

Current findings

As of 08/08/2024, reporting the AllowedResourceActions property of the DSA role using Microsoft PowerShell now returns blank information. You can check this yourself using Microsoft Graph PowerShell with the following commands:

Connect-MgGraph -Scope "RoleManagement.Read.Directory"

Get-MgBetaRoleManagementDirectoryRoleDefinition `
-UnifiedRoleDefinitionId d29b2b05-8046-44ba-8758-1e26182fcf32 | `
Select -ExpandProperty RolePermissions

Your output will likely be blank like the below example:

DSA roles output PowerShell

While this shows now output, it is unclear which permissions Microsoft have removed until they update the public documentation on Microsoft Learn. You can track the changes to this documentation by following the commits on GitHub here > https://github.com/MicrosoftDocs/entra-docs/commits/main/docs/identity/role-based-access-control/permissions-reference.md

Assigning a user to the DSA role

While the Directory Synchronization Accounts role is not visible from the Entra admin portal, you can still view and assign users to the role using Microsoft Graph PowerShell like so:

$userUPN="[email protected]"
$roleName="Directory Synchronization Accounts"

#Find DSA Role
$role = Get-MgBetaDirectoryRole -Filter "displayName eq 'Directory Synchronization Accounts'"

#Create from template if needed
if ($role -eq $null) {
    $roleTemplate = (Get-MgBetaDirectoryRoleTemplate | Where-Object {$_.displayName -eq $roleName}).id
    New-MgBetaDirectoryRole -DisplayName $roleName -RoleTemplateId $roleTemplate
    $role = Get-MgBetaDirectoryRole | Where-Object {$_.displayName -eq $roleName}
}

#Get user id
$userId = (Get-MgBetaUser -Filter "userPrincipalName eq '$userUPN'").Id

#Define payload
$newRoleMember =@{
    "@odata.id"= "https://graph.microsoft.com/v1.0/users/$userId"
}

#Assign user to DSA role
New-MgBetaDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $newRoleMember

You can then enumerate the users assigned to the role (reporting the display name is this example) using the commands below:

$role = Get-MgBetaDirectoryRole -Filter "displayName eq 'Directory Synchronization Accounts'"

(Get-MgBetaDirectoryRoleMember -DirectoryRoleId $role.id | `
Select -ExpandProperty AdditionalProperties).displayName

Mitigating abuse of DSA role assignments

Even with the changes being made by Microsoft, I recommend taking action to mitigate potential attacks against the DSA role members in Microsoft Entra:

  • Reduce the number of role members assigned to privileged roles which can make changes to directory roles and/or in general.
  • Utilise PIM for all directory roles combined with Authentication strengths, to ensure strong authentication is needed to elevate access to these roles.
  • Limit access to APIs that can modify this role (AzureAD Graph and Microsoft Graph) by setting the enterprise applications in Entra as “assignment required” to “Yes” and completely blocking access to the legacy APIs in Entra.
  • Implement Conditional Access to Block access to All Apps on All Users, for the DSA role, excluding the synchronisation accounts. Then create a separate policy to limit access to the DSA role by IP address.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Derek

    Hey Daniel, great article ! Trying to find the Microsoft announcement around this but drawing a blank…Any chance you have a link ??

    Thanks a million

Leave a Reply