Password Writeback Vulnerability in Azure AD Connect Explained

Microsoft has published a security advisory for Azure AD Connect, indicating that under some circumstances, there is a vulnerability in AD Connect’s password writeback feature. Password writeback is the optional feature which lets users reset their passwords in Azure AD (which, of course, is the directory behind Office365 among many other things) and then have this new “cloud” password written back into their on-premises Active Directory.

How the password writeback feature works

In order to perform this writeback, the service account used in the connector to Active Directory needs to have permissions to set passwords for the users in AD. If the service accounts can also set passwords for privileged users (which is not a secure configuration) it would, in principle, mean that a malicious user who is an administrator in Azure AD could reset a password in the cloud for a privileged user, and then, because the password is written back to on-premises AD, they would also know the on-premises password for that user, and would therefore be in a position to access, and further compromise, the on-premises environment.

Several conditions are required for this attack to be successful:

  • Password writeback must be enabled
  • Privileged accounts must be synchronized to Azure AD
  • The AD Connector service account must have permissions to set passwords for one or more of these privileged accounts
  • The attacker must gain access to an administrator account for Azure AD

Mitigating this vulnerability is not especially hard, particularly if attention is already being paid (as it should be!) to privileged accounts. Ideally, you should upgrade to the latest version of Azure AD Connect (1.1.553.0) which does not allow password writeback for “privileged accounts” if the user performing the reset in Azure AD is not the cloud user “connected” to the on-premises account.

Two definitions are required here: a “privileged account” is one whose adminCount attribute is non-NULL and non-zero (which is the case for users who are, or have ever been, members of a privileged group as defined here); and the “connected” user is the one who has a join with the same Azure AD Connect Metaverse object as the user whose password is being reset.

If you cannot upgrade, you should make sure that the AD Connector service account does not have permissions to set passwords for privileged users. Details are in this TechNet article.

For more information, and for assistance in performing any of the upgrade or analysis tasks mentioned in this and the linked articles, please email us.

Further reading