Cloud Admins, AADConnect and Privilege Increase Issues

Posted on Posted in AADConnect, AADSync, AdminSDHolder, Office 365, server administrator

Microsoft recommends that you stay on top of version updates to AADConnect.

In version 1.1.553.0, which became available in June 2017, there is a reference to a gain in admin privileges that could be possible with password writeback (part of Azure AD Premium and EMS licences) that hints at a security issue. The following is what I think the issue is, and therefore why you should be running 1.1.553.0 or later.

Global admins can change the password of AD admins using Azure Portal. This is an issue if you consider the following scenario – if the GA was just a delegated admin to an OU or not an admin to AD at all (i.e. cloud only admin) they would not be able to reset privileged accounts in AD, but with password writeback prior to v 1.1.553.0 they are able to do this and gain an on-premise privilege they did not have.

Or, of course, malicious actor takes over GA account and now have access to all on-premises admin accounts.

Following version 1.1.553.0 and later, only the owner of a privileged account can change it via password writeback.

So, if you have cloud admins that are not on-premises admins, or are just delegated admins on-premises, upgrade to 1.1.553.0 now.

This issue only affects customers who have enabled the Password writeback feature on Azure AD Connect. To determine if the feature is enabled:

  1. Login to your Azure AD Connect server.
  2. Start Azure AD Connect wizard (START → Azure AD Connect).
  3. On the Welcome screen, click Configure.
  4. On the Tasks screen, select View current configuration and click Next.
  5. Under Synchronization Settings, check if Password Writeback is enabled.

Mt803213.EB9A43C32235251CEBA30763CA023255(en-us,Security.10).png

For information on how to upgrade Azure AD Connect, refer to Azure AD Connect: Learn how to upgrade from a previous version to the latest.

The latest version of Azure AD Connect addresses this issue by blocking Password writeback request for on-premises AD privileged accounts unless the requesting Azure AD Administrator is the owner of the on-premises AD account. More specifically, when Azure AD Connect receives a Password writeback request from Azure AD:

  • It checks if the target on-premises AD account is a privileged account by validating the AD adminCount attribute. If the value is null or 0, Azure AD Connect concludes this is not a privileged account and permits the Password writeback request.
  • If the value is not null or 0, Azure AD Connect concludes this is a privileged account. Next, it then validates whether the requesting user is the owner of the target on-premises AD account. It does so by checking the relationship between the target on-premises AD account and the Azure AD account of the requesting user in its Metaverse. If the requesting user is indeed the owner, Azure AD Connect permits the Password writeback request. Otherwise, the request is rejected.

Leave a Reply

Your email address will not be published. Required fields are marked *