Entra Connect Sync: Why Application-Based Authentication is a Game-Changer for Microsoft Entra ID
September 2, 2025 • Sander Berkouwer

Introduction: A Major Shift in Hybrid Identity
For a decade, organizations have used Azure AD Sync and Azure AD Connect (now called Microsoft Entra Connect Sync) to synchronize objects and attributes from Active Directory to Microsoft Entra ID. It has become the standard building block for Hybrid Identity, and it has just gotten a major overhaul in the way it connects to Entra. It’s a game-changer!
Hybrid Identity remains critical for organizations that run on-premises Active Directory alongside Microsoft 365 and cloud workloads. Without proper synchronization, identity silos can create security gaps, admin overhead, and user friction.
What is Microsoft Entra Connect Sync?
Entra Connect Sync is Microsoft’s free tool to synchronize on-premises Active Directory with Microsoft Entra ID. This tool is a core component of Hybrid Identity and widely used in enterprise IT environments.
It needs to be installed on top of Windows Server and comes with a SQL Server Express database to store its synchronization data.
In contrast to Entra Connect Sync, Entra Connect Cloud Sync is a cloud-based service that offers comparable functionality.
Cloud Sync is lightweight and easier to maintain but lacks the advanced customization and scale that on-premises Entra Connect Sync supports. Most large enterprises continue to rely on Connect Sync for granular attribute filtering and hybrid Exchange coexistence.
How Entra Connect Sync Authenticates with Entra ID
The Legacy Account-Based Authentication Model
For a decade, Entra Connect Sync used a dedicated service account in Entra ID to authenticate. This account was unique because:
- It was created automatically and assigned the Directory Synchronization Accounts role.
- You couldn’t delete it through the GUI.
- Its Entra attributes indicated it was synced from Active Directory, but no corresponding account existed in Active Directory.
The way Entra Connect authenticates with Entra has been a thorn in my side for years, not least because Conditional Access rules that are scoped too broadly can break the authentications made by Entra Connect Sync, stop synchronization, and (in most larger organizations) leave you with a security incident on your hands.
Additionally, this account-based model introduced credential storage risks and was a common target for privilege escalation attacks, making it a frequent concern in security audits.
What’s New in Entra Connect Sync (July 2025 Update)
For version 2.5.76.0 (released on July 31st), the Entra Connect version release history document says:
Application-based authentication to Microsoft Entra ID is now generally available and will be the default option.
Entra Connect version 2.5.3.0, earlier versions, and existing Entra Connect Sync installations based on those versions continue to use the account-based authentication model until:
- These installations are transitioned to new Entra Connect Sync installations, or;
- Microsoft automatically switches all installations using account-based authentication over to application-based authentication at a future date.
The differences between the new application-based authentication and the older account-based authentication model are big.
This shift reflects Microsoft’s larger identity roadmap, moving organizations toward passwordless authentication, workload identities, and zero trust models across Microsoft Entra.
Comparison: Application-Based vs. Account-Based Authentication
| | Application-based authentication | Account-based authentication |
| --- | --- | --- |
| Sign-in method | Non-interactive | Interactive |
| Permissions | Granular Graph API permissions | Directory Synchronization Accounts role |
| Authentication method | Certificate-based | Password-based |
| Authentication method updating | Automatic | Manual |
| In scope for Conditional Access policies | Only if targeted, which requires a Workload Identity Premium license | Yes |
Why Application-Based Authentication is a Game-Changer
This is a game-changer in a couple of ways:
Benefit #1: Automatic Secret & Certificate Management
I have yet to meet an admin who diligently updates the Entra Connector account password every 6 months. With application-based authentication, the certificate is rotated automatically when you let Entra Connect Sync manage its own certificate. Note: you can also use your own certificates with the ‘Bring Your Own Certificate’ (BYOC) method.
It also means that Entra Connect Sync no longer stores a username and password in its database, where adversaries could recover them. Its certificate is tied to the (v)TPM chip, so it can only be used on that (virtual) machine.
This eliminates the need for manual password rotation and reduces risks from stored credentials.
Benefit #2: Modern OAuth 2.0 Authentication
Application-based authentication uses OAuth 2.0 client credential flows.
It now uses an Enterprise Application (ServicePrincipal) in Entra to authenticate, instead of interactive sign-ins with a username and password.
This also means that clumsily engineered Conditional Access rules targeting interactive sign-ins no longer hinder new Entra Connect Sync installations.
Admins can:
- Use the default ServicePrincipal added by Entra Connect Sync.
- Or bring their own with the Bring Your Own Application (BYOA) method.
For IT and security teams, this translates to lower operational overhead, fewer outages from misconfigured policies, and stronger alignment with compliance requirements.
Risks and Limitations of Application-Based Authentication
Does this sound too good to be true?
It almost does, doesn’t it?
The challenge is that the average Entra admin has a limited understanding of Enterprise Applications, App Registrations, and application policies. The reality is that most organizations also lack Workload Identity Premium licenses. Without at least one Workload Identity Premium license, organizations cannot restrict Entra Connect Sync authentications via Conditional Access.
On top of that, Microsoft doesn’t have the best track record when it comes to fully understanding applications in Entra. Case in point: the way Midnight Blizzard breached Microsoft (twice) and how Microsoft fumbled the Hybrid Exchange configuration.
Adversaries may exploit weakly managed Enterprise Applications or default ServicePrincipals if BYOA/BYOC methods are not enforced. With Entra Connect Sync’s ServicePrincipals holding elevated API permissions, mismanagement can quickly become an attacker’s opportunity.
These risks highlight the importance of Entra ID Application Governance, an area where many organizations continue to struggle.
I have a few predictions for how application-based authentication will evolve…
Conditional Access Impact
Many organizations use Conditional Access to prevent service accounts from accessing resources from outside their datacenter locations (as determined by the egress IP address). Application-based authentication takes Entra Connect Sync out of the scope of these typical Conditional Access policies, so the identity that performs synchronization is no longer limited to signing in from the organization’s datacenter location.
Without at least one Workload Identity Premium license, an organization has no technical means to limit authentications from Entra Connect Sync installations.
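One way to put such a location restriction back is a Conditional Access policy that targets the Entra Connect Sync ServicePrincipal as a workload identity, which (as noted above) requires a Workload Identity Premium license. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK, and the ServicePrincipal object ID and the named-location ID are placeholders for values from your own tenant.

```powershell
# Added example (not from the original post). Assumes a Workload Identity
# Premium license and the Microsoft.Graph PowerShell SDK. The two IDs are
# placeholders: the object ID of your Entra Connect Sync ServicePrincipal and
# the named location that represents your datacenter egress IP range(s).
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All' -NoWelcome

$connectSyncSpObjectId = '<OBJECT-ID-OF-ENTRA-CONNECT-SYNC-SERVICEPRINCIPAL>'  # placeholder
$datacenterLocationId  = '<ID-OF-NAMED-LOCATION-FOR-DATACENTER-EGRESS-IPS>'    # placeholder

$policy = @{
    displayName = 'Block Entra Connect Sync sign-ins outside the datacenter'
    # Start in report-only mode: the sign-in logs then show what the policy
    # would have blocked, without putting synchronization at risk on day one.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Workload identity condition: only this ServicePrincipal is in scope.
        clientApplications = @{ includeServicePrincipals = @($connectSyncSpObjectId) }
        applications       = @{ includeApplications = @('All') }
        # Everywhere except the datacenter named location.
        locations          = @{
            includeLocations = @('All')
            excludeLocations = @($datacenterLocationId)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the sign-in logs for the ServicePrincipal before switching `state` to `enabled`.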
Adversary Reconnaissance Risks
During the reconnaissance phase, adversaries will come across the ServicePrincipals and certificates that are managed by Entra Connect Sync, since we can all expect only a small percentage of Entra admins to choose the BYOA or BYOC model.
With Entra Connect Sync’s specific scopeID and no application policies configured, adversaries can simply add a secret to the application and abuse it and its API permissions.
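The mismanagement scenario above, and the weakly managed default ServicePrincipal described earlier, can be checked for from the defender’s side. As an added example (not code from the original post or from Microsoft), the following uses the Microsoft Graph PowerShell SDK to list the credentials on the Entra Connect Sync ServicePrincipal, flag any client secret (the application-based model is certificate-only, so a secret is unexpected), and check whether the tenant’s default app management policy restricts adding passwords. The application (client) ID is a placeholder for the one in your tenant.

```powershell
# Added example (not from the original post or from Entra Connect Sync itself).
# Requires the Microsoft.Graph PowerShell SDK; the application ID below is a
# placeholder you replace with the one from your own tenant.
Connect-MgGraph -Scopes 'Application.Read.All','Policy.Read.All' -NoWelcome

$connectSyncAppId = '<APP-ID-OF-YOUR-ENTRA-CONNECT-SYNC-SERVICEPRINCIPAL>'   # placeholder
$sp = Get-MgServicePrincipal -Filter "appId eq '$connectSyncAppId'"
if (-not $sp) { throw "No ServicePrincipal found for appId $connectSyncAppId" }

# 1. Application-based authentication is certificate-based, so any password
#    (client secret) on this ServicePrincipal is unexpected and worth an alert.
$secrets = $sp.PasswordCredentials
if ($secrets) {
    Write-Warning "$($sp.DisplayName): client secret(s) present on a certificate-only identity:"
    $secrets | Select-Object DisplayName, StartDateTime, EndDateTime | Format-Table -AutoSize
}

# 2. List the certificates so rotation (automatic, or your own under BYOC) can be
#    verified and stale or surprise certificates spotted.
$sp.KeyCredentials |
    Sort-Object EndDateTime |
    Select-Object DisplayName, Type, Usage, StartDateTime, EndDateTime,
                  @{ n = 'DaysLeft'; e = { [int]($_.EndDateTime - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# 3. Without an app management policy restricting passwordAddition, a secret can
#    be added to the application; check the tenant default policy for both the
#    application and ServicePrincipal restriction sets.
$default = Get-MgPolicyDefaultAppManagementPolicy
$pwdAdditionRestricted = @($default.ApplicationRestrictions.PasswordCredentials) +
                         @($default.ServicePrincipalRestrictions.PasswordCredentials) |
    Where-Object { $_.RestrictionType -eq 'passwordAddition' }
if (-not $default.IsEnabled -or -not $pwdAdditionRestricted) {
    Write-Warning 'No enabled default app management policy restricts passwordAddition.'
}
```

Run it on a schedule and alert on the warnings; a new secret on this ServicePrincipal should be treated as an incident, not a configuration drift.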
Microsoft’s Track Record
Microsoft doesn’t always get application security right. Entra application configurations typically don’t change much over time, but vendors may want to change them to adhere to the principle of least administrative privilege, for instance by using the newer User.ReadBasic.All permission instead of the broader User.Read.All permission. Secrets and certificates are routinely renewed, but for various reasons vendors have a hard time getting Entra admins to adopt fewer API permissions. What if Microsoft wants to reduce API permissions over time?
Early Azure AD Connect versions allowed an account that was a member of the Domain Admins group to be used as the Active Directory Connector account. Recent versions no longer allow that, which prompted Entra Connect Sync admins to use a less privileged service account. This is Microsoft’s first attempt at using a ServicePrincipal with Entra Connect Sync. How sure are we that Microsoft got it right?
Why Entra Application Governance is Critical
Microsoft Entra applications, especially high-privileged ones like Entra Connect Sync ServicePrincipals, are often misunderstood and under-governed.
Best practice frameworks such as NIST SP 800-63 and the CIS Controls recommend ongoing monitoring of high-privileged apps, making governance not just a Microsoft concern, but an industry-standard requirement.
ENow Software has focused on Entra Application Governance since 2023.
- The free AppGov Score tool helps assess governance posture.
- The App Governance Accelerator strengthens monitoring and compliance.
- A growing App Governance Community shares best practices and real-world lessons.
Understanding and governing high-privilege applications like the ones for Entra Connect Sync is now essential for identity and access management.
Conclusion: Preparing for the Future of Hybrid Identity
Microsoft is moving all Entra Connect Sync installations toward application-based authentication.
✅ Benefits: stronger security, automatic credential rotation, modern OAuth.
⚠️ Risks: Conditional Access gaps, ServicePrincipal abuse, and governance blind spots.
As Microsoft accelerates its Entra ID modernization strategy, organizations that lag in adopting governance controls risk falling behind in security posture, compliance readiness, and cloud transformation.
Organizations that invest in application governance will be best positioned to embrace this shift securely.
👉 Start by exploring AppGovScore and ENow’s App Governance Accelerator.

Written by Sander Berkouwer
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities, but his out-of-the-box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge compared to his true goal: helping people use the technology on a daily basis, in a way that ICT is not a mere hurdle, but an infinite enabler. His work as a consultant, blogger and trainer is a means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) awards, Veeam Vanguard status and extensive certification aid him. Through direct communications with the product teams in Redmond, he remains up to date, exchanges feedback and accelerates support. Sander is also a Virtual Product Owner for AppGov and ENow.