
On 1 June 2026, Microsoft blocked an attack technique that allowed adversaries with limited AD permissions to seize full control over privileged Entra ID accounts. Known as SyncJacking, the technique abused the hard-match mechanism in Entra Connect Sync. What exactly changed, what remains unpatched, and which steps should your IT team take now?
Most organisations combining on-premises Active Directory with Microsoft Entra ID run Entra Connect Sync or Cloud Sync to synchronise users between both environments. This is a proven approach, but in January 2026, security researchers published an attack technique demonstrating that the synchronisation mechanism itself can be weaponised. Microsoft confirmed the vulnerability and classified it as an 'Important' privilege escalation issue. On 1 June 2026, a platform-level block went live.
The attack is known as SyncJacking. It exploits the hard-match capability in Entra Connect to shift the Source of Authority of a privileged cloud account from Entra ID to Active Directory. The result: an attacker with relatively limited rights in AD can fully sign in as a Global Administrator in Entra ID. This article explains how the attack works, what Microsoft has blocked, what remains unpatched, and what your IT team must concretely do.
Hard matching is a legitimate technique used by organisations during migrations. When a cloud-only Entra ID account needs to be linked to an existing on-premises AD account, Entra Connect can perform a hard match. The match is made on the sourceAnchor: Entra Connect derives it from an AD attribute (by default mS-DS-ConsistencyGuid, seeded from objectGUID, and base64-encoded) and compares it with the cloud account's onPremisesImmutableId (ImmutableId). When the two values are equal, the objects are linked. After the match, the Source of Authority for that account shifts: Active Directory on-premises, not Entra ID, governs what happens to that account from then on.
The attack begins when a malicious actor has write access to an AD user object. Domain Admin permissions are not required: write permission on the relevant attributes of a single user object suffices. By manipulating the anchor attribute on an AD object they control, the attacker triggers a hard match to an existing privileged cloud account, such as a Global Administrator or Privileged Role Administrator. Once the Source of Authority has shifted, the attacker sets the AD password and, where Password Hash Sync is enabled, the next sync cycle pushes that hash into Entra ID. The result: the attacker signs in as that administrator. The attribute change only shows up in AD if Directory Service Changes auditing (event ID 5136) is enabled, and on the Entra ID side it looks like a routine sync update, which makes detection difficult.
From 1 June 2026, Microsoft Entra ID refuses every attempt by Entra Connect Sync or Cloud Sync to shift the Source of Authority via a hard match from a cloud-managed account to Active Directory, if that cloud account has an Entra ID role assigned. The block covers all Entra roles, from Global Administrator down to specific roles such as Teams Administrator or Compliance Administrator.
What the block does not do: hard matches for cloud users without Entra roles still work normally. Soft matching — where Entra Connect links users based on email address or UPN without explicit sourceAnchor manipulation — is unaffected. And existing hard-matched users who were already synchronised before 1 June 2026 continue to sync as before. The protection applies exclusively to new hard-match attempts targeting role-bearing accounts.
For organisations planning legitimate migrations where cloud accounts with Entra roles need to be linked to on-premises users, the procedure now includes an extra step: first remove all Entra roles from the cloud account, complete the synchronisation and hard match, then reassign the roles. Do not discover this requirement in the middle of a cutover window. Update your migration runbooks now.
Microsoft's block is a welcome and concrete step, but it does not resolve everything. Three relevant risks remain. First: accounts already compromised via SyncJacking before 1 June 2026 are not reversed by the block. An attacker who applied the technique before the cutoff retains Source of Authority and the associated control. Actively verify whether any unexpected Source of Authority changes occurred in the period before 1 June.
Second, the block only protects cloud-managed accounts with Entra roles. Accounts whose Source of Authority is already Active Directory fall outside the protection of this specific measure. If an attacker has write access to such a synchronised account in AD and Password Hash Sync is enabled, they can reset the password and have the new hash synchronised without the new block applying. This is a broader AD security issue separate from SyncJacking. Third, older versions of Entra Connect have their own vulnerabilities, which this platform-level block does not address; keeping Entra Connect current is a separate, ongoing task.
First, inventory your privileged accounts. In the Entra portal under Roles and administrators, verify which users holding privileged roles are synchronised accounts versus cloud-only accounts, checking both active and PIM-eligible assignments. A synchronised Global Administrator is inherently more exposed than a cloud-only admin, because Active Directory always remains an attack surface.
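The two checks above (inventory which role holders are synchronised, and look for an unexpected shift of Source of Authority before the block) can be scripted against Microsoft Graph. The following is an added example written for this article, not code from Microsoft or from the original page. It assumes the Microsoft Graph PowerShell SDK is installed; the baseline list of admins that must be cloud-only, the lookback window and the `Update user` audit filter are assumptions to adapt to your tenant.

```powershell
# Added example, not code from the original article. Inventories every active Entra
# role holder, flags those synchronised from AD, and pulls their recent 'Update user'
# audit entries so an unexpected Source of Authority shift can be reviewed.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All','AuditLog.Read.All' -NoWelcome

# Assumption: admins your runbooks say are, and must stay, cloud-only.
$expectedCloudOnly = @('ga-break-glass@contoso.example', 'ga-alice@contoso.example')
$lookbackDays      = 120   # assumption: long enough to cover the window before 1 June 2026
$since             = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')

$findings = foreach ($role in Get-MgDirectoryRole -All) {
    # Get-MgDirectoryRole lists roles activated in the tenant; -Member returns active
    # assignments only. PIM-eligible assignments must be reviewed separately in PIM.
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $u = Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId'
        $synced = [bool]$u.OnPremisesSyncEnabled
        [pscustomobject]@{
            Role        = $role.DisplayName
            User        = $u.UserPrincipalName
            Synced      = $synced
            ImmutableId = $u.OnPremisesImmutableId
            # An admin that should be cloud-only but now carries the sync flag has had its
            # Source of Authority moved to AD: investigate immediately.
            Unexpected  = $synced -and ($u.UserPrincipalName -in $expectedCloudOnly)
        }
    }
}

$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize

# For every synchronised role holder, list recent directory updates targeting the object,
# so the analyst can see which properties changed and whether a user or the sync app did it.
foreach ($f in $findings | Where-Object Synced | Sort-Object User -Unique) {
    $uid    = (Get-MgUser -UserId $f.User -Property id).Id
    $filter = "activityDisplayName eq 'Update user' and activityDateTime ge $since and targetResources/any(t:t/id eq '$uid')"
    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        $who   = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName }
        $props = ($_.TargetResources | ForEach-Object { $_.ModifiedProperties.DisplayName }) -join ', '
        '{0}  {1,-40} by {2,-35} changed: {3}' -f $_.ActivityDateTime, $f.User, $who, $props
    }
}
```

Treat any row with `Unexpected = True` as an incident, not a data-quality issue: the account's password is now whatever AD says it is. The audit listing is deliberately not filtered on specific property names, because the exact names in `modifiedProperties` vary between change types; read the entries for the flagged accounts and look for the ImmutableId and sync-state changes appearing together.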
Second, migrate admin accounts to cloud-only. The strongest hardening is ensuring that all privileged Entra ID accounts exist exclusively in the cloud — not synchronised from AD. Cloud-only admin accounts are fully out of reach of Active Directory attacks, including all variants of synchronisation abuse. This requires a deliberate migration step, but it is the most structural solution available.
Third, update your Entra Connect Sync and Cloud Sync. The platform-level block is built server-side by Microsoft, but older Entra Connect versions have independent vulnerabilities. Check which version you are running and ensure you are at minimum on the most recent supported release. Microsoft actively supports only the two most recent versions.
Fourth, update your migration runbooks. If you have planned migrations where cloud users with Entra roles are to be synchronised, the sequence is now: remove roles, synchronise, reassign roles. Document this in your standard procedures so that operational teams follow the right steps without needing a specific reminder.
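The role-aware runbook described here and earlier (remove roles, hard match and synchronise, reassign roles) as one script. This is an added example, not code from the original article or from Microsoft. It assumes it runs on the Entra Connect server (for `Start-ADSyncSyncCycle`) with the ActiveDirectory and Microsoft Graph PowerShell modules available; the UPN, sAMAccountName and wait deadline are placeholders.

```powershell
# Added example, not from the original article: the role-aware hard-match runbook
# (record roles -> remove roles -> hard match -> delta sync -> verify -> reassign roles).
# Run on the Entra Connect server with the ActiveDirectory and Microsoft.Graph modules.
param(
    [string]$CloudUpn         = 'admin.alice@contoso.example',  # assumption: cloud-only admin to link
    [string]$AdSamAccountName = 'admin.alice'                   # assumption: matching AD account
)

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','User.ReadWrite.All' -NoWelcome
$cloudUser = Get-MgUser -UserId $CloudUpn -Property 'id,userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId'
if ($cloudUser.OnPremisesSyncEnabled) { throw "$CloudUpn is already synchronised; nothing to hard match." }

# 1. Record and remove active directory-role assignments: the platform block refuses the
#    hard match while any role is assigned. PIM-eligible assignments are not handled here.
$roles = foreach ($r in Get-MgDirectoryRole -All) {
    if (Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | Where-Object Id -eq $cloudUser.Id) { $r }
}
"Removing roles: $($roles.DisplayName -join ', ')"
foreach ($r in $roles) { Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.Id -DirectoryObjectId $cloudUser.Id }

# 2. Compute the sourceAnchor of the AD account. Entra Connect uses mS-DS-ConsistencyGuid by
#    default and seeds it from objectGUID, so fall back to objectGUID while it is still empty.
$ad        = Get-ADUser -Identity $AdSamAccountName -Properties 'mS-DS-ConsistencyGuid'
$guidBytes = if ($ad.'mS-DS-ConsistencyGuid') { [byte[]]$ad.'mS-DS-ConsistencyGuid' } else { $ad.ObjectGUID.ToByteArray() }
$sourceAnchor = [Convert]::ToBase64String($guidBytes)
"sourceAnchor for $AdSamAccountName is $sourceAnchor"

# 3. Hard match: stamp the anchor on the cloud object, then trigger a delta sync cycle.
Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $sourceAnchor
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 4. Wait until Entra reports the account as synchronised before touching roles again.
$deadline = (Get-Date).AddMinutes(15)   # assumption: generous bound for one delta cycle
do {
    Start-Sleep -Seconds 30
    $check = Get-MgUser -UserId $cloudUser.Id -Property 'onPremisesSyncEnabled,onPremisesImmutableId'
} until ($check.OnPremisesSyncEnabled -or (Get-Date) -gt $deadline)
if (-not $check.OnPremisesSyncEnabled) { throw 'Hard match did not complete within the deadline; roles were NOT reassigned.' }

# 5. Reassign exactly the roles recorded in step 1.
foreach ($r in $roles) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.Id -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($cloudUser.Id)" }
}
"Hard match complete; reassigned: $($roles.DisplayName -join ', ')"
```

The script fails closed: if the sync does not confirm within the deadline, the roles stay removed and someone has to look, rather than a privileged account silently ending up half-migrated. Keep a break-glass Global Administrator that is never part of such a migration, so the removal in step 1 can never lock the tenant.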
Fifth, enforce phish-resistant MFA for all synchronised users. SyncJacking concludes with a sign-in using a synchronised password hash. With phish-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) a password hash alone is no longer enough to complete the sign-in, because the second factor is bound to hardware the attacker does not hold. This is the most effective additional defensive layer for hybrid environments as long as synchronised accounts exist.
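One way to enforce this with Conditional Access, as an added example that is not part of the original article: a report-only policy requiring the built-in "Phishing-resistant MFA" authentication strength for a group of synchronised users and for all directory roles. It assumes the Microsoft Graph PowerShell SDK; the group name, policy name and break-glass exclusion are assumptions, and the policy is created in report-only mode so you can review sign-in impact before switching it to enabled.

```powershell
# Added example, not from the original article. Creates a report-only Conditional Access
# policy that requires the built-in "Phishing-resistant MFA" strength for synchronised
# users and for holders of any directory role. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Group.ReadWrite.All','User.Read.All','RoleManagement.Read.Directory' -NoWelcome

$groupName     = 'CA-Synced-Users'                 # assumption
$breakGlassUpn = 'ga-break-glass@contoso.example'  # assumption: cloud-only account excluded from the policy

# 1. Static group holding every synchronised user. Assumption: this script is re-run on a
#    schedule so newly synchronised users are added (an "All users" scope with exclusions
#    is the alternative if you prefer not to maintain a group).
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -MailNickname 'ca-synced-users' -SecurityEnabled
}
$current = @((Get-MgGroupMember -GroupId $group.Id -All).Id)
Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -All -Property id |
    Where-Object { $_.Id -notin $current } |
    ForEach-Object { New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $_.Id }

# 2. Resolve the built-in strength by name instead of hard-coding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All | Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" authentication strength not found.' }

# 3. Every directory role template id, so privileged users are covered even when cloud-only.
$roleIds   = @((Get-MgDirectoryRoleTemplate -All).Id)
$breakGlass = (Get-MgUser -UserId $breakGlassUpn -Property id).Id

$policy = @{
    displayName = 'Require phishing-resistant MFA: synced users and admins'   # assumption
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs, then set 'enabled'
    conditions  = @{
        users = @{
            includeGroups = @($group.Id)
            includeRoles  = $roleIds
            excludeUsers  = @($breakGlass)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode until the sign-in logs show that every in-scope account has a registered phish-resistant method; switching a role-scoped policy to enabled before that is the fastest way to lock administrators out. The break-glass exclusion exists precisely so that account remains reachable while you do.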
SyncJacking is a well-documented example of a fundamental tension in hybrid identity architectures. As long as Active Directory and Entra ID are synchronised, the weaker of the two sets the ceiling for overall security. A well-secured Entra environment with Conditional Access, MFA, and Privileged Identity Management loses its value if an attacker can take over account Source of Authority through AD write access.
The direction Microsoft is signalling is clear: privileged cloud identities should operate outside the reach of AD. The June 2026 platform block is a concrete step in that direction. Want help assessing your hybrid identity setup, migrating admin accounts to cloud-only, or strengthening your Entra Connect configuration? Contact Zarioh for a no-obligation conversation.
Zarioh Digital Solutions
IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Security