[New Check]: Microsoft Entra directory sync must block object takeover (soft- and hard-matching) · prowler-cloud/prowler#11068

2026-05-06T14:13:24.000Z

### Existing check search - [x] I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist. ### Provider Microsoft 365 ### New provider name _No response_ ### Service or product area entra ### Suggested check name `entra_directory_sync_object_takeover_blocked` ### Context and goal - **Security condition to validate:** When the tenant has on-premises directory synchronization enabled, the tenant must block the two synchronization paths that allow an on-premises object to take over an existing cloud object — both `features.blockSoftMatchEnabled` and `features.blockCloudObjectTakeoverThroughHardMatchEnabled` on `onPremisesDirectorySynchronization` must be `true`. - **Why it matters:** When an on-premises synchronized object reaches Microsoft Entra ID, the sync engine can attach it to an existing cloud object via two matching modes — one based on `userPrincipalName` or primary SMTP address, and one based on `ImmutableID` / source anchor. An attacker (or a careless operator) able to write to on-premises Active Directory can craft an object that matches a privileged cloud account, e.g. a Global Administrator, and effectively take it over. Microsoft documents this as one of the highest-impact hybrid identity attack paths and ships the two block flags specifically to neutralise it. Operators are expected to keep both blocks on permanently outside time-boxed migrations; this check enforces that. - **Resource involved:** Microsoft Entra `onPremisesDirectorySynchronization` resource and its `features` collection. ### Expected behavior - **Resource or scope to evaluate:** The single `onPremisesDirectorySynchronization` object for the tenant — `GET https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization`. Read `features.blockSoftMatchEnabled` and `features.blockCloudObjectTakeoverThroughHardMatchEnabled`. - **PASS when:** both `features.blockSoftMatchEnabled = true` AND `features.blockCloudObjectTakeoverThroughHardMatchEnabled = true`. - **FAIL when:** either flag is `false`. The finding should report which flag(s) are off. - **MANUAL when:** the calling identity does not have permission to read `onPremisesDirectorySynchronization` (Graph returns 403). Mark MANUAL with a status message asking the operator to grant the required scope and re-run. - **Exclusions / edge cases:** - **Skip when on-premises sync is not configured.** Read the tenant's `organization.onPremisesSyncEnabled` first; if `false` (cloud-only tenant), the check does not apply — emit MANUAL or skip with a clear status message rather than FAIL on a missing `onPremisesSynchronization` object. - Do not treat a transient 5xx / throttling response as a FAIL — only a definitive `false` value counts. ### References - Microsoft Graph v1.0 — `onPremisesDirectorySynchronization` resource: https://learn.microsoft.com/en-us/graph/api/resources/onpremisesdirectorysynchronization?view=graph-rest-1.0 - Microsoft Graph v1.0 — `onPremisesDirectorySynchronizationFeature` (`blockSoftMatchEnabled`, `blockCloudObjectTakeoverThroughHardMatchEnabled`): https://learn.microsoft.com/en-us/graph/api/resources/onpremisesdirectorysynchronizationfeature?view=graph-rest-1.0 - Microsoft Entra Connect Sync — sync service features (soft match / hard match guidance): https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features ### Suggested severity Medium ### Additional implementation notes - **Existing patterns to follow:** Sibling checks `entra_password_hash_sync_enabled` and `entra_seamless_sso_disabled` already inspect on-premises directory synchronization state; they live under `prowler/providers/m365/services/entra/`. Reuse the same loading pattern in `entra_service.py` and add the two `features.*` booleans to the existing `OnPremisesDirectorySynchronization` model (or introduce one if it does not yet expose `features`). - **Permissions / scopes:** No additional permissions beyond Prowler's M365 baseline. `Directory.Read.All` already grants reads against `onPremisesSynchronization` and `organization`. The optional alternative `OnPremDirectorySynchronization.Read.All` (used by `entra_seamless_sso_disabled`) also covers this surface. - **PowerShell is NOT needed**; the check uses Microsoft Graph v1.0 only. - **Related checks (do NOT duplicate):** `entra_password_hash_sync_enabled` (PHS) and `entra_seamless_sso_disabled` audit different `onPremisesSynchronization` features; this check is additive and should not interfere with them. - **Metadata:** follow the M365 metadata schema used by sibling checks under `entra/`.

(0 comments) (0 reactions) (0 assignees)Python (8,957 stars) (1,322 forks)batch import

feature-requestgood first issuenew-checkprovider/m365

Description

Existing check search

I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.

Provider

Microsoft 365

New provider name

No response

Service or product area

entra

Suggested check name

entra_directory_sync_object_takeover_blocked

Context and goal

Security condition to validate: When the tenant has on-premises directory synchronization enabled, the tenant must block the two synchronization paths that allow an on-premises object to take over an existing cloud object — both features.blockSoftMatchEnabled and features.blockCloudObjectTakeoverThroughHardMatchEnabled on onPremisesDirectorySynchronization must be true.
Why it matters: When an on-premises synchronized object reaches Microsoft Entra ID, the sync engine can attach it to an existing cloud object via two matching modes — one based on userPrincipalName or primary SMTP address, and one based on ImmutableID / source anchor. An attacker (or a careless operator) able to write to on-premises Active Directory can craft an object that matches a privileged cloud account, e.g. a Global Administrator, and effectively take it over. Microsoft documents this as one of the highest-impact hybrid identity attack paths and ships the two block flags specifically to neutralise it. Operators are expected to keep both blocks on permanently outside time-boxed migrations; this check enforces that.
Resource involved: Microsoft Entra onPremisesDirectorySynchronization resource and its features collection.

Expected behavior

Resource or scope to evaluate: The single onPremisesDirectorySynchronization object for the tenant — GET https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization. Read features.blockSoftMatchEnabled and features.blockCloudObjectTakeoverThroughHardMatchEnabled.
PASS when: both features.blockSoftMatchEnabled = true AND features.blockCloudObjectTakeoverThroughHardMatchEnabled = true.
FAIL when: either flag is false. The finding should report which flag(s) are off.
MANUAL when: the calling identity does not have permission to read onPremisesDirectorySynchronization (Graph returns 403). Mark MANUAL with a status message asking the operator to grant the required scope and re-run.
Exclusions / edge cases:
- Skip when on-premises sync is not configured. Read the tenant's organization.onPremisesSyncEnabled first; if false (cloud-only tenant), the check does not apply — emit MANUAL or skip with a clear status message rather than FAIL on a missing onPremisesSynchronization object.
- Do not treat a transient 5xx / throttling response as a FAIL — only a definitive false value counts.

References

Microsoft Graph v1.0 — onPremisesDirectorySynchronization resource: https://learn.microsoft.com/en-us/graph/api/resources/onpremisesdirectorysynchronization?view=graph-rest-1.0
Microsoft Graph v1.0 — onPremisesDirectorySynchronizationFeature (blockSoftMatchEnabled, blockCloudObjectTakeoverThroughHardMatchEnabled): https://learn.microsoft.com/en-us/graph/api/resources/onpremisesdirectorysynchronizationfeature?view=graph-rest-1.0
Microsoft Entra Connect Sync — sync service features (soft match / hard match guidance): https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features

Suggested severity

Medium

Additional implementation notes

Existing patterns to follow: Sibling checks entra_password_hash_sync_enabled and entra_seamless_sso_disabled already inspect on-premises directory synchronization state; they live under prowler/providers/m365/services/entra/. Reuse the same loading pattern in entra_service.py and add the two features.* booleans to the existing OnPremisesDirectorySynchronization model (or introduce one if it does not yet expose features).
Permissions / scopes: No additional permissions beyond Prowler's M365 baseline. Directory.Read.All already grants reads against onPremisesSynchronization and organization. The optional alternative OnPremDirectorySynchronization.Read.All (used by entra_seamless_sso_disabled) also covers this surface.
PowerShell is NOT needed; the check uses Microsoft Graph v1.0 only.
Related checks (do NOT duplicate): entra_password_hash_sync_enabled (PHS) and entra_seamless_sso_disabled audit different onPremisesSynchronization features; this check is additive and should not interfere with them.
Metadata: follow the M365 metadata schema used by sibling checks under entra/.

Contributor guide

Tech stack: python
Domain: securitybackend
Issue type: feature
Difficulty: 3
Estimated time: half day
Activity status: fresh
Clarity: clear
Prerequisites: PythonMicrosoft Graph APIProwler codebase
Newbie friendliness: 60
Research direction: Start by examining the existing checks `entra password hash sync enabled` and `entra seamless sso disabled` under `prowler/providers/m365/services/entra/`. Understand the pattern used to load `OnPremisesDirectorySynchronization` data in `entra service.py`. Add the two feature flags (`blockSoftMatchEnabled` and `blockCloudObjectTakeoverThroughHardMatchEnabled`) to the model and implement the check logic following the expected behavior described in the issue. Use the Microsoft Graph v1.0 endpoint `GET /directory/onPremisesSynchronization`. Consult the linked Microsoft documentation for precise attribute names and permissions.