Entra Connect (Azure AD Connect) Security Hardening: How to Protect the Hybrid Identity Bridge

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The Entra Connect server is underprotected in most hybrid environments. Organizations deploy it on a standard member server, give it an administrative share for ease of management, and apply the same security baseline as any other application server. This is incorrect. Entra Connect has read access to the AD DS credential store (including Kerberos hash material in PHS mode), write access to the Entra ID directory, and the ability to modify synced identities. An attacker who compromises the Entra Connect server can extract every synced user's NTLM hash, gain persistence in Entra ID, and move laterally to the cloud tenant regardless of the status of on-premises AD. The hardening steps in this guide should be treated as Tier 0 security controls, not optional hardening.
Treat the Entra Connect Server as Tier 0
The Entra Connect server must be in your Tier 0 (control plane) asset group alongside domain controllers. Practical implications: administrative access to the Entra Connect server should require a Tier 0 admin account, not a standard IT admin account. The server should be in a dedicated Tier 0 OU with GPO restricting interactive logins to Tier 0 admin accounts only. No remote desktop from standard workstations -- access only from a Privileged Access Workstation (PAW) or the Tier 0 admin network segment. The server should have the same patching priority as domain controllers: critical and important patches applied within 7 days. No third-party software installed except what is required for the sync function. The Entra Connect server should not be used for any other purpose -- not as a file server, not as an application server, not shared with other services. If the Entra Connect server is a VM, apply the same VMware or Hyper-V hardening controls as your DC VMs (restrict vCenter access for that VM, enable secure boot, disable copy-paste in VM console).
Audit and Harden the AD DS Connector Account
The AD DS Connector account is a domain account Entra Connect uses to read AD objects. In Password Hash Sync mode, it needs the 'Replicating Directory Changes' and 'Replicating Directory Changes All' rights on the domain -- the same rights required for DCSync. This makes it a high-privilege account. Verify the current account and its permissions: in the Entra Connect wizard, use the Synchronization Service Manager, Connectors tab, select the AD connector, Properties, Connect to Active Directory Forest -- this shows the service account name. Confirm the account is not a Domain Admin (the Entra Connect setup wizard incorrectly requests Domain Admin during installation; a correctly configured environment uses the minimum-privilege account it creates). Confirm the account is not a member of any privileged groups. Set the account password to a long (64+ character) random string managed by a PAM solution or Windows LAPS. Enable 'Account is sensitive and cannot be delegated' on the account.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Audit and Harden the MSOL_ Service Account
The MSOL_ account (named MSOL_xxxxxxxxx in Entra ID) is an on-premises service account used by Entra Connect to authenticate to Entra ID. By default, it has Hybrid Identity Administrator role in Entra ID, which is sufficient to modify sync scope, create new users in the cloud, and manage password writeback. Audit the account: in the Entra admin center, search for 'MSOL_' under Users -- confirm it exists, is assigned only the Hybrid Identity Administrator role, and has no additional role assignments. The MSOL_ account should not be used for any other purpose. It should not have a license assigned. Monitor for any interactive sign-in from the MSOL_ account -- it should only authenticate from the Entra Connect server IP. Alert on: MSOL_ sign-in from any IP other than the Entra Connect server, and MFA prompt for MSOL_ (the account is typically excluded from Conditional Access -- that exclusion itself should be documented and reviewed quarterly).
Restrict Entra Connect Server Network Access
The Entra Connect server needs outbound HTTPS (port 443) to Entra ID endpoints and to the on-premises AD domain controllers. It needs inbound access from the Entra Connect Health agent (if deployed). It should not need inbound access from workstations or general servers. Configure Windows Defender Firewall on the Entra Connect server to allow outbound 443 to Microsoft 365 and Entra ID IP ranges (use the O365 IP/URL XML feed), and inbound from Privileged Access Workstation segment only. Block all other inbound connections. Consider deploying the Entra Connect server behind a jump server with session recording for any administrative access. The Entra Connect Health monitoring agent provides visibility into sync health without requiring admin access to the server -- deploy it and connect to the Azure Monitor workspace for alerting on sync failures and object sync errors.
Monitor for Entra Connect Compromise Indicators
Key indicators of Entra Connect compromise: unexpected MSOL_ account sign-ins from non-Entra-Connect IPs in the Entra ID sign-in logs; new service accounts or applications added to Entra ID by the MSOL_ account; changes to the sync scope or filtering rules (appears in Entra ID audit log as 'UpdateConfiguration'); the ADSync service account password changed unexpectedly; new Global Admin or Hybrid Identity Admin accounts appearing in Entra ID that were not provisioned through the normal process. Alert on in Microsoft Sentinel or Defender XDR: all actions by the MSOL_ account, all Entra ID role assignments made by Entra Connect service accounts, and all sign-ins to the Entra Connect server console (Event ID 4624 with logon type 10 or 11).
The bottom line
The Entra Connect server is the weakest link in most hybrid identity environments not because the technology is weak but because organizations treat it as a standard application server. Move it to Tier 0, treat the MSOL_ and AD DS Connector accounts as privileged accounts, restrict network access to only what sync requires, and monitor every unusual action from both service accounts. A compromise of this server is equivalent to a domain compromise plus a tenant takeover.
Frequently asked questions
Should I deploy Entra Connect on a domain controller?
No, and Microsoft explicitly recommends against it. Deploying Entra Connect on a DC means a compromise of the sync service compromises the DC directly, and a compromise of the DC provides direct access to the sync service and its credentials. The Entra Connect server should be a dedicated member server in the Tier 0 security boundary but not a DC.
What is the difference between Password Hash Sync, Pass-Through Authentication, and federation with AD FS?
PHS copies a derived hash of each on-premises password to Entra ID. Authentication happens in the cloud without on-premises infrastructure dependency. PTA installs on-premises authentication agents that receive cloud authentication requests and validate credentials against on-premises AD in real time. AD FS is a full federation solution where on-premises AD FS servers issue tokens for cloud authentication. PHS is the most resilient (cloud auth works even if on-premises is down) and has the simplest architecture. PTA requires on-premises PTA agents for cloud sign-in to work. AD FS is most complex and rarely needed for new deployments.
What happens to Entra ID if Entra Connect goes offline?
Existing users continue to authenticate normally -- Entra ID has its own credential store (in PHS mode). No new users synced from on-premises AD will appear in Entra ID until sync resumes. Password changes made on-premises while sync is offline will not reach Entra ID until sync catches up after reconnection. Entra Connect has a built-in 30-minute retry cycle -- short outages self-resolve. For extended outages, deploy Entra Connect in staging mode on a second server, which can be promoted to active sync if the primary server fails.
How do I audit who has access to the Entra Connect server?
Run Get-LocalGroupMember Administrators on the Entra Connect server to see local admins. Check the OU GPO for 'Allow log on locally' and 'Allow log on through Remote Desktop Services' restricted groups settings. Check Active Directory for any group that has delegation or GenericAll on the Entra Connect computer object -- those accounts could potentially modify the computer object and could be used for indirect access. Review Windows Security event logs for Event ID 4624 (logon) to see all interactive and network logons to the server over the past 30 days.
What is the AD Connect service account and why is it a high-value target?
During Entra Connect (AD Connect) setup, a service account is created in on-premises AD with specific permissions required for synchronization. The permissions include reading and writing various AD attributes and, in environments using password hash sync or write-back features, additional rights including permission to read password hashes. An attacker who compromises the Entra Connect service account can potentially execute a DCSync-like operation against the AD attributes it can read. Treat the Entra Connect service account as Tier 0 (same privilege tier as Domain Admins): ensure it is in the Protected Users group if possible, audit its logon events, and restrict which systems it can authenticate from.
How do I harden the Entra Connect server against lateral movement and privilege escalation?
The Entra Connect server is effectively a Tier 0 asset even if not labeled as one: compromise of this server can lead to full domain or cloud tenant compromise. Hardening checklist: join it to a separate restricted OU with a dedicated GPO (not the general server OU), restrict local administrators to a dedicated Entra Connect admin account and break-glass accounts only (no general IT admins), disable unnecessary services (print spooler, unnecessary scheduled tasks), enforce the Windows Security Baseline via GPO, restrict network access using Windows Firewall to only allow traffic to Active Directory (Kerberos, LDAP), the Azure service endpoints Entra Connect requires, and management sources. Enable Enhanced Security Admin Environment (ESAE) or Privileged Access Workstation (PAW) requirements for any interactive access. Monitor the server's outbound connections: Entra Connect makes authenticated HTTPS connections to Microsoft's graph and authentication endpoints -- any outbound connection to an unexpected destination is a high-fidelity alert. Never install any other software on the Entra Connect server.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
