MT.1147 - Do not sync krbtgt_AzureAD to Entra ID
Overview
Ensure krbtgt_AzureAD is not synchronized from on-premises Active Directory.
The krbtgt_AzureAD account is a sensitive identity used by Microsoft's cloud services for Microsoft Entra Kerberos scenarios. Microsoft recommends keeping a clear separation between cloud and on-premises environments and not synchronizing this account to Entra ID. Synchronizing an on-premises krbtgt_AzureAD account creates an unnecessary privilege escalation path between the environments.
Remediation action:
- Review your Microsoft Entra Connect synchronization scope and identify the on-premises krbtgt_AzureAD account.
- Exclude that account from synchronization, for example by OU filtering or domain filtering, so it is not synced to Entra ID.
- Run a synchronization cycle and confirm that no synchronized krbtgt_AzureAD account remains in Entra ID.
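The confirmation step above can be scripted against Microsoft Graph. The following is an added example, not Maester's own test code or the Test-MtKrbtgtAzureADNotSynced implementation; it assumes the Microsoft.Graph.Users module is installed and that the signed-in account holds the User.Read.All permission. It also assumes that a synchronized krbtgt_AzureAD object would carry the on-premises sAMAccountName in `onPremisesSamAccountName` or as the prefix of its userPrincipalName.

```powershell
# Added example (not Maester code): report any krbtgt_AzureAD object that
# Entra Connect has synchronized from on-premises Active Directory.
# Assumes Microsoft.Graph.Users is installed and User.Read.All is granted.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

function Get-SyncedKrbtgtAzureAD {
    # Match on the on-premises sAMAccountName or on the UPN prefix. The
    # combined filter is an advanced query, so ConsistencyLevel/count are set.
    $filter = "onPremisesSamAccountName eq 'krbtgt_AzureAD' or startsWith(userPrincipalName,'krbtgt_AzureAD')"
    $props  = 'Id', 'UserPrincipalName', 'DisplayName', 'OnPremisesSyncEnabled',
              'OnPremisesSamAccountName', 'OnPremisesDistinguishedName', 'OnPremisesLastSyncDateTime'

    $candidates = Get-MgUser -Filter $filter -Property $props -All `
                             -ConsistencyLevel eventual -CountVariable matchCount

    # Only objects with OnPremisesSyncEnabled = $true come from Entra Connect;
    # a cloud-only object with a similar name is not what this check is about.
    $candidates |
        Where-Object { $_.OnPremisesSyncEnabled -eq $true } |
        Select-Object UserPrincipalName, OnPremisesSamAccountName,
                      OnPremisesDistinguishedName, OnPremisesLastSyncDateTime
}

$synced = Get-SyncedKrbtgtAzureAD
if ($synced) {
    Write-Warning 'krbtgt_AzureAD is synchronized from on-premises AD. Exclude it from the sync scope and re-run the check.'
    $synced | Format-Table -AutoSize
}
else {
    Write-Output 'No synchronized krbtgt_AzureAD account found in Entra ID.'
}
```

The `OnPremisesDistinguishedName` column shows which OU the object was imported from, which is the OU to exclude when adjusting Entra Connect filtering. After the scope change, trigger a cycle on the Entra Connect server with `Start-ADSyncSyncCycle -PolicyType Delta` (ADSync module) and run the function again; the expected result is no output from `Get-SyncedKrbtgtAzureAD`.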
Related links
- Security considerations for Microsoft Entra Kerberos | Microsoft Learn
- Microsoft Entra Connect Sync: Configure filtering | Microsoft Learn
- Microsoft Entra admin center - Microsoft Entra Connect
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1147 |
| Severity | High |
| Suite | Maester |
| Category | Entra |
| PowerShell test | Test-MtKrbtgtAzureADNotSynced |
| Tags | Entra, Graph, Hybrid, Maester, MT.1147 |
Source
- Pester test: tests/Maester/Entra/Test-MtOnPremisesSynchronization.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtKrbtgtAzureADNotSynced.ps1