Existing check search
Provider
Microsoft 365
New provider name
No response
Service or product area
entra
Suggested check name
entra_directory_sync_object_takeover_blocked
Context and goal
- Security condition to validate: When the tenant has on-premises directory synchronization enabled, the tenant must block the two synchronization paths that allow an on-premises object to take over an existing cloud object — both features.blockSoftMatchEnabled and features.blockCloudObjectTakeoverThroughHardMatchEnabled on onPremisesDirectorySynchronization must be true.
- Why it matters: When an on-premises synchronized object reaches Microsoft Entra ID, the sync engine can attach it to an existing cloud object via two matching modes — one based on userPrincipalName or primary SMTP address (soft match), and one based on ImmutableID / source anchor (hard match). An attacker (or a careless operator) able to write to on-premises Active Directory can craft an object that matches a privileged cloud account, e.g. a Global Administrator, and effectively take it over. Microsoft documents this as one of the highest-impact hybrid identity attack paths and ships the two block flags specifically to neutralise it. Operators are expected to keep both blocks on permanently outside time-boxed migrations; this check enforces that.
- Resource involved: Microsoft Entra onPremisesDirectorySynchronization resource and its features collection.
Expected behavior
- Resource or scope to evaluate: The single onPremisesDirectorySynchronization object for the tenant — GET https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization. Read features.blockSoftMatchEnabled and features.blockCloudObjectTakeoverThroughHardMatchEnabled.
- PASS when: both features.blockSoftMatchEnabled = true AND features.blockCloudObjectTakeoverThroughHardMatchEnabled = true.
- FAIL when: either flag is false. The finding should report which flag(s) are off.
- MANUAL when: the calling identity does not have permission to read onPremisesDirectorySynchronization (Graph returns 403). Mark MANUAL with a status message asking the operator to grant the required scope and re-run.
- Exclusions / edge cases:
  - Skip when on-premises sync is not configured. Read the tenant's organization.onPremisesSyncEnabled first; if false (cloud-only tenant), the check does not apply — emit MANUAL or skip with a clear status message rather than FAIL on a missing onPremisesSynchronization object.
  - Do not treat a transient 5xx / throttling response as a FAIL — only a definitive false value counts.
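The PASS / FAIL / MANUAL decision tree above, written out as an added example (this is not Prowler's code and does not use its service or model classes). It evaluates two already-fetched Graph responses offline: the GraphResponse and Finding classes, the evaluate() function and the sample payloads are all constructed here; the payload field names (onPremisesSyncEnabled, features.blockSoftMatchEnabled, features.blockCloudObjectTakeoverThroughHardMatchEnabled) are the ones documented for the organization and onPremisesDirectorySynchronization resources.

```python
"""Decision logic for the proposed entra_directory_sync_object_takeover_blocked check.

Added example, not Prowler code. GraphResponse, Finding and evaluate() are
hypothetical names; the sample payloads below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# The two onPremisesDirectorySynchronizationFeature booleans the check inspects.
BLOCK_FLAGS = (
    "blockSoftMatchEnabled",
    "blockCloudObjectTakeoverThroughHardMatchEnabled",
)
REQUIRED_SCOPE = "Directory.Read.All"


@dataclass
class GraphResponse:
    """Minimal stand-in for an HTTP response from Microsoft Graph (hypothetical)."""
    status: int
    body: Optional[dict] = None


@dataclass
class Finding:
    status: str                       # "PASS", "FAIL" or "MANUAL"
    status_extended: str
    flags_off: List[str] = field(default_factory=list)


def _is_transient(status: int) -> bool:
    """429 throttling and any 5xx are not evidence of a weak configuration."""
    return status == 429 or status >= 500


def _org_sync_enabled(body: dict) -> bool:
    """GET /organization returns a collection; a null flag means never configured."""
    orgs = body.get("value", [body])
    return bool(orgs and orgs[0].get("onPremisesSyncEnabled") is True)


def evaluate(org: GraphResponse, sync: GraphResponse) -> Finding:
    """Apply the check's expected behavior to the two Graph reads."""
    # Permission problems on either read: ask the operator to grant the scope.
    if 403 in (org.status, sync.status):
        return Finding("MANUAL", f"Insufficient permission to read directory sync state; grant {REQUIRED_SCOPE} and re-run.")
    # Transient failures must never become a FAIL.
    if _is_transient(org.status) or _is_transient(sync.status):
        return Finding("MANUAL", "Transient Microsoft Graph error (throttling or 5xx); re-run the check.")
    if org.status != 200 or org.body is None:
        return Finding("MANUAL", f"Unexpected response {org.status} reading the organization resource.")
    # Cloud-only tenant: the check does not apply, so do not FAIL on a missing sync object.
    if not _org_sync_enabled(org.body):
        return Finding("MANUAL", "On-premises directory synchronization is not enabled for this tenant; check not applicable.")
    if sync.status != 200 or sync.body is None:
        return Finding("MANUAL", f"Unexpected response {sync.status} reading onPremisesSynchronization.")
    features = sync.body.get("features") or {}
    # Only an explicit True counts as blocked; a missing key is treated as off.
    flags_off = [flag for flag in BLOCK_FLAGS if features.get(flag) is not True]
    if flags_off:
        return Finding("FAIL", "Directory sync object takeover is not fully blocked; disabled: " + ", ".join(flags_off), flags_off)
    return Finding("PASS", "Soft match and hard-match cloud object takeover are both blocked.")


# Constructed sample payloads (not captured from a real tenant).
SAMPLE_ORG_HYBRID = GraphResponse(200, {"value": [{"id": "00000000-0000-0000-0000-000000000000", "onPremisesSyncEnabled": True}]})
SAMPLE_ORG_CLOUD_ONLY = GraphResponse(200, {"value": [{"id": "00000000-0000-0000-0000-000000000000", "onPremisesSyncEnabled": None}]})
SAMPLE_SYNC_BLOCKED = GraphResponse(200, {"features": {"blockSoftMatchEnabled": True, "blockCloudObjectTakeoverThroughHardMatchEnabled": True}})
SAMPLE_SYNC_HARD_OPEN = GraphResponse(200, {"features": {"blockSoftMatchEnabled": True, "blockCloudObjectTakeoverThroughHardMatchEnabled": False}})

if __name__ == "__main__":
    for label, org, sync in (
        ("hybrid, both blocked", SAMPLE_ORG_HYBRID, SAMPLE_SYNC_BLOCKED),
        ("hybrid, hard match open", SAMPLE_ORG_HYBRID, SAMPLE_SYNC_HARD_OPEN),
        ("cloud-only tenant", SAMPLE_ORG_CLOUD_ONLY, GraphResponse(404)),
        ("no permission", SAMPLE_ORG_HYBRID, GraphResponse(403)),
        ("throttled", SAMPLE_ORG_HYBRID, GraphResponse(429)),
    ):
        finding = evaluate(org, sync)
        print(f"{label:28s} -> {finding.status:6s} {finding.status_extended}")
```

The ordering matters: the permission and transient-error branches run before the cloud-only test so that a 403 on the organization read is not misreported as "not applicable", and the cloud-only test runs before the sync read is inspected so that a 404 on onPremisesSynchronization in a cloud-only tenant never surfaces as a FAIL.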
References
- onPremisesDirectorySynchronization resource: https://learn.microsoft.com/en-us/graph/api/resources/onpremisesdirectorysynchronization?view=graph-rest-1.0
- onPremisesDirectorySynchronizationFeature (blockSoftMatchEnabled, blockCloudObjectTakeoverThroughHardMatchEnabled): https://learn.microsoft.com/en-us/graph/api/resources/onpremisesdirectorysynchronizationfeature?view=graph-rest-1.0
Suggested severity
Medium
Additional implementation notes
- Existing patterns to follow: Sibling checks entra_password_hash_sync_enabled and entra_seamless_sso_disabled already inspect on-premises directory synchronization state; they live under prowler/providers/m365/services/entra/. Reuse the same loading pattern in entra_service.py and add the two features.* booleans to the existing OnPremisesDirectorySynchronization model (or introduce one if it does not yet expose features).
- Permissions / scopes: No additional permissions beyond Prowler's M365 baseline. Directory.Read.All already grants reads against onPremisesSynchronization and organization. The optional alternative OnPremDirectorySynchronization.Read.All (used by entra_seamless_sso_disabled) also covers this surface.
- PowerShell is NOT needed; the check uses Microsoft Graph v1.0 only.
- Related checks (do NOT duplicate): entra_password_hash_sync_enabled (PHS) and entra_seamless_sso_disabled audit different onPremisesSynchronization features; this check is additive and should not interfere with them.
- Metadata: follow the M365 metadata schema used by sibling checks under entra/.