
# SyncedToADUser

> The Entra user is synchronized to the on-prem AD user.

Applies to BloodHound Enterprise and CE

The Entra user may be able to authenticate as the on-prem AD user with its own password if password write-back is enabled. The Entra user may already have the same password as the on-prem user if password hash synchronization is enabled.

## Abuse Info

An attacker may authenticate as the on-prem AD user using the Entra user’s credentials, for example by key-logging the user’s password, or by changing the Entra user’s password and waiting for the password write-back operation to complete.

## Opsec Considerations

Abusing this relationship may leave artifacts in both on-prem AD and Entra. A password write-back operation against the on-prem user may generate Windows event 4724, along with a corresponding Entra activity log entry indicating that the Entra user’s password was changed.
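For defenders, the two artifacts described above can be correlated. The following is an added example, not BloodHound or SpecterOps code: it pairs an Entra password-change record for a synced user with an on-prem 4724 event for the same SID shortly afterwards. The record shapes, field names, activity-name filter, join on the on-prem SID and five-minute window are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are simplified
# assumptions modeled on Entra audit log entries and Windows event 4724.
ENTRA_AUDIT = [
    {"time": "2024-08-02T10:00:05Z", "activity": "Reset user password",
     "upn": "alice@contoso.example", "on_prem_sid": "S-1-5-21-1111-2222-3333-1105"},
    {"time": "2024-08-02T11:30:00Z", "activity": "Update user",
     "upn": "bob@contoso.example", "on_prem_sid": "S-1-5-21-1111-2222-3333-1106"},
    {"time": "2024-08-02T12:00:00Z", "activity": "Change user password",
     "upn": "carol@contoso.example", "on_prem_sid": None},  # cloud-only user
]
AD_SECURITY = [
    {"time": "2024-08-02T10:00:40Z", "event_id": 4724,
     "target_sid": "S-1-5-21-1111-2222-3333-1105", "subject": "MSOL_0123456789ab"},
    {"time": "2024-08-02T15:00:00Z", "event_id": 4724,
     "target_sid": "S-1-5-21-1111-2222-3333-1106", "subject": "helpdesk01"},
]

# Assumption: activity names to treat as password changes; tune per tenant.
PASSWORD_ACTIVITIES = {"Reset user password", "Change user password"}

def _ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def correlate_writeback(entra_events, ad_events, window=timedelta(minutes=5)):
    """Pair each Entra password change on a synced user with any on-prem
    4724 event for the same SID that follows it within `window`."""
    resets = [e for e in ad_events if e["event_id"] == 4724]
    findings = []
    for ev in entra_events:
        if ev["activity"] not in PASSWORD_ACTIVITIES or not ev["on_prem_sid"]:
            continue  # not a password change, or the user is not synced
        start = _ts(ev["time"])
        for ad in resets:
            delta = _ts(ad["time"]) - start
            if ad["target_sid"] == ev["on_prem_sid"] and timedelta(0) <= delta <= window:
                findings.append({"upn": ev["upn"], "sid": ad["target_sid"],
                                 "entra_time": ev["time"], "ad_time": ad["time"],
                                 "ad_subject": ad["subject"],
                                 "lag_seconds": int(delta.total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in correlate_writeback(ENTRA_AUDIT, AD_SECURITY):
        print(finding)
```

Each finding is a lead for triage rather than proof of abuse, since legitimate self-service resets produce the same pair of records.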

## Edge Schema

Source: [AZUser](/resources/nodes/az-user)\
Destination: [User](/resources/nodes/user)\
Traversable: **Yes**

## References

* [Concept SSPR WriteBack](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback)
* [Hybrid Attack Paths: New Views and Your Favorite Dog Learns an Old Trick](https://specterops.io/blog/2024/08/02/hybrid-attack-paths-new-views-and-your-favorite-dog-learns-an-old-trick/)
