Unveiling Authentication Bypass in Active Directory and Entra ID Environments
- Dean Charlton

- Aug 12, 2025
- 2 min read

At the recent Black Hat USA 2025 event, security researcher Dirk-jan Mollema of Outsider Security presented a critical analysis of a new authentication bypass technique affecting hybrid Active Directory (AD) and Entra ID environments. His findings highlight a significant vulnerability that could allow low-privilege cloud accounts to be escalated to hybrid admins, bypassing existing API controls without detection.

Mollema's research addresses a long-standing question about the security boundary between AD and Entra ID. As threat actors, including advanced persistent threats (APTs), increasingly leverage lateral movement to compromise cloud environments from on-premises systems, the need for robust security has never been more critical. Mollema's work demonstrates that in certain hybrid configurations, the trust relationship between on-premises and cloud environments can be exploited.

In a live demonstration, Mollema illustrated how a simple, low-privilege cloud account could be weaponised. He showed how to convert such an account into a hybrid user, granting it administrative rights without triggering any security alarms. He also detailed a method for modifying internal API policies to bypass access enforcement controls, further exposing the potential for a complete security breach.

The vulnerabilities extend beyond simple privilege escalation. By exploiting hybrid configurations with Microsoft Exchange, an attacker can impersonate virtually any Exchange mailbox. This level of access grants the attacker a trove of sensitive data, including emails, documents, and attachments, which can be devastating for an organisation.

Microsoft has acknowledged these flaws and has been working to mitigate the risks. Patches have been issued to strengthen security for global administrators and remove certain API permissions from synchronised accounts. However, a complete resolution is pending the separation of Microsoft's hybrid Exchange and Entra ID services, which is scheduled for October 2025.

In the interim, organisations are advised to take a proactive stance. Microsoft Exchange users can reduce their risk by implementing several key security measures. These include auditing all synchronisation servers, enabling hardware key storage, monitoring for unusual API calls, and rotating single sign-on (SSO) keys regularly. Furthermore, organisations should enforce a least-privilege access policy and enable hybrid application splitting within Microsoft Exchange.

The message from Mollema is clear: hybrid environments are only as secure as their weakest link. Until Microsoft finalises its service separation, continuous server log auditing, proactive API monitoring, and vigilant enforcement of least-privilege policies are the best defences. Security in the hybrid era is not just about waiting for the next patch; it is about staying one step ahead of attackers and maintaining constant vigilance.