Entra Connect Attacker Tradecraft: Part 3
ID: 0ad4aad9-e87a-5ca1-93cf-3a9f010b7bb0
STIX ID: report--0ad4aad9-e87a-5ca1-93cf-3a9f010b7bb0
Feed Name: SpecterOps Blog
This writeup demonstrates how an attacker who compromises an Entra Connect sync account (or who can otherwise modify device userCertificate attributes) can inject certificates into any device object in a tenant, complete device registration, and obtain device authentication material. Using these forged device identities, an attacker can bypass conditional access policies, impersonate devices to acquire Intune MDM and PKCS certificates, and potentially use those certificates to authenticate to on-premises resources and compromise separate domains within the same tenant.
