Security researcher Dirk-jan Mollema demonstrated methods for bypassing authentication in hybrid Active Directory (AD) and Entra ID environments at the Black Hat conference in Las Vegas. The techniques could let attackers impersonate any synced hybrid user, including privileged accounts, without triggering alerts.

Mollema demonstrated how a low-privilege cloud account can be converted into a hybrid user, granting administrative rights. He also demonstrated ways to modify internal API policies, bypass enforcement controls, and impersonate Exchange mailboxes to access emails, documents, and attachments.

Microsoft has addressed some issues by hardening global administrator security and removing specific API permissions from synchronised accounts. However, a complete fix is expected only in October 2025, when hybrid Exchange and Entra ID services will be separated.

Until then, Microsoft recommends auditing synchronisation servers, using hardware key storage, monitoring unusual API calls, enabling hybrid application splitting, rotating SSO keys, and limiting user permissions.

Experts say hybrid environments remain vulnerable if the weakest link is exploited, making proactive monitoring and least-privilege policies critical to defending against these threats.