Azure / Entra ID

Azure Entra ID Hybrid Sync

Syncing Vultr-hosted AD accounts to Azure Entra ID using Microsoft Entra Connect. Includes the UPN suffix mismatch problem that causes users to land on .onmicrosoft.com addresses, how to fix it, and verifying cloud logins work with domain credentials.

Azure Entra ID hybrid identity sync configuration
Configuring hybrid identity with Microsoft Entra Connect
graph LR AD["🖥️ Vultr VPS — DC01
hq.apex-corp.xyz"] -->|"Microsoft Entra Connect
Password Hash Sync (PHS)"| ENTRA["☁️ Microsoft Entra ID
apex-corp.xyz Tenant"] ENTRA -->|"OAuth 2.0 / OpenID Connect
user login & token validation"| PORTAL["🌐 APEX-PORTAL
portal.apex-corp.xyz
Flask + Caddy"] style AD fill:#1a3a1a,stroke:#a4ff91,color:#fff style ENTRA fill:#1a1a3a,stroke:#9988ff,color:#fff style PORTAL fill:#1a2a3a,stroke:#6bb5ff,color:#fff

Step 1 — Find Entra ID in Azure Portal

Logged into portal.azure.com and searched for "Microsoft Entra ID" in the top search bar.

Azure portal search bar with Microsoft Entra ID typed and the Entra ID result highlighted
Searching for Microsoft Entra ID in the Azure portal

Step 2 — Add Custom Domain

Inside the Entra Admin Center, went to Custom Domain Names → Add custom domain → typed apex-corp.xyz. Azure generated a TXT verification record. Added that TXT record in Cloudflare DNS, waited a few minutes, then clicked Verify in Azure. After verification, set apex-corp.xyz as the primary domain for the directory.

Entra ID Custom Domain Names page showing apex-corp.xyz added with a TXT verification record to add to DNS
Azure generated a TXT record — add this to Cloudflare DNS to verify ownership
Entra ID Custom Domain Names showing apex-corp.xyz verified and set as primary domain
Domain verified and set as primary — it shows a green tick

Step 3 — Download Microsoft Entra Connect

The installer is no longer available at the old Microsoft download links. Microsoft moved the download inside the Entra ID portal itself.

Entra ID portal showing the Microsoft Entra Connect section with the download Connect Sync agent option
Entra Connect download is now inside the portal — go to Manage → Microsoft Entra Connect
Download Location Changed

Searching for "Azure AD Connect download" on Google mostly shows the old Microsoft download page which is outdated. The new installer is only available from: Azure Portal → Microsoft Entra ID → Manage → Microsoft Entra Connect → Download Connect Sync agent. You have to accept license terms inside the portal before the download button appears.

Entra Connect download page showing a banner explaining the download has moved to the portal
Banner confirming the download has moved — no longer on the old Microsoft links
Entra Connect Sync download page inside the portal with Accept terms and download button visible
Accepting terms and downloading the installer from inside the portal

Step 4 — Install on DC01 (STARK-TOWER)

Copied the installer to DC01 and ran it as Administrator. The welcome screen appeared — clicked agree and continue.

Microsoft Entra Connect Sync installer welcome screen on DC01 with the agree and continue button
Entra Connect installer running on DC01 — agreeing to terms

Step 5 — The UPN Suffix Problem

During Entra Connect setup, the sign-in configuration screen flagged a UPN suffix mismatch. The issue:

Entra Connect sign-in configuration screen showing UPN suffix mismatch warning for hq.apex-corp.xyz and vought.hq.apex-corp.xyz
Entra Connect flagging the subdomain UPNs as unverified — users would get .onmicrosoft.com addresses
Entra Connect sign-in screen showing more details of the UPN mismatch warning with affected domain suffixes listed
Warning details — both hq.apex-corp.xyz and vought.hq.apex-corp.xyz subdomains are flagged
What happens without the fix
Synced user: t.stark Cloud UPN: [email protected] ← wrong [-] User cannot log in with [email protected]

Step 6 — Fix: Add Alternative UPN Suffix

Two steps. First add the cloud domain as an Alternative UPN Suffix in local AD, then update every user's UPN to use it.

Step 6a — Add Alternative UPN Suffix in Local AD:

  1. On DC01, open Active Directory Domains and Trusts from Server Manager Tools
  2. Right-click the top node (Active Directory Domains and Trusts) → Properties
  3. In the "Alternative UPN Suffixes" box, type apex-corp.xyz
  4. Click Add → OK

Step 6b — Bulk update all user UPNs via PowerShell:

PowerShell — DC01
# Update every user in the domain to use the cloud domain UPN suffix
Get-ADUser -Filter * | ForEach-Object {
    $newUpn = $_.SamAccountName + "@apex-corp.xyz"
    Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $newUpn
    Write-Host "Updated: $($_.SamAccountName) → $newUpn" -ForegroundColor Green
}

# Force immediate sync instead of waiting for the 30-minute schedule
Start-ADSyncSyncCycle -PolicyType Delta
  1. Open Active Directory Users and Computers
  2. Right-click a user → Properties → Account tab
  3. In the User UPN Logon dropdown, select @apex-corp.xyz
  4. Click OK — repeat for each user or run the PowerShell script instead

Step 7 — Create the Star Lord Admin Account

Created a cloud-only Global Admin account directly in Entra ID to use as the sync service account. Used Star Lord from Guardians of the Galaxy. This is the recommended practice — use a dedicated cloud account for syncing, not a personal one.

Entra ID new user creation page showing Star Lord user being created with apex-corp.xyz UPN
Creating Star Lord as a cloud-only admin account in Entra ID
Entra ID user creation page showing Star Lord's profile with username and UPN filled in
Star Lord account details — UPN uses the apex-corp.xyz domain

Gave Star Lord the Global Administrator role:

Entra ID role assignment page showing Global Administrator role being assigned to Star Lord
Star Lord assigned Global Administrator — needed for Entra Connect sync

Step 8 — Connect Vultr AD to Entra ID

Ran the Entra Connect installer on DC01. Entered credentials on both screens:

Entra Connect Connect to Azure AD screen showing Star Lord's admin credentials entered
Entering Star Lord's cloud admin credentials in Entra Connect

The "Ready to Configure" screen showed what it would do — install sync engine, configure password hash sync, and start the first sync:

Entra Connect Ready to Configure screen showing options to be installed including sync engine and password hash sync
Ready to Configure — Password Hash Sync selected, will start a full sync

Clicked Install. Configuration completed successfully:

Entra Connect Configuration Complete screen showing all steps completed successfully
Entra Connect installed and sync started — everything completed successfully

Step 9 — Verify the Sync

Went back to Azure portal. Under Groups, the local AD groups were now showing in Azure:

Azure Entra ID Groups section showing marketing group synced from local AD with its members listed
Marketing group (VOUGHT) synced — members visible in Azure
Azure Entra ID showing D7 group synced from local AD with members from The Boys listed
D7 group (The Boys) synced — group and members all visible
Azure Entra ID Users section showing all synced users listed alphabetically with their apex-corp.xyz UPNs
All users synced — listed alphabetically with apex-corp.xyz UPNs

Opened Homelander's profile — all properties synced from local AD:

Azure Entra ID user profile for Homelander showing all synced properties including job title, department, and UPN
Homelander's profile in Azure — job title, department, all synced from local AD

Step 10 — Test Cloud Login with Synced Accounts

Before the UPN fix, users would show up with .onmicrosoft.com addresses. After running the bulk update script and forcing the sync:

Azure Entra ID user list showing all users with @apex-corp.xyz UPNs after the UPN fix and sync
After the fix — all users show apex-corp.xyz instead of .onmicrosoft.com

Test with Tony Stark (Iron Man): Typed [email protected] at the Microsoft login page — recognized the account and asked for the domain password.

Microsoft login page showing ironman@apex-corp.xyz recognized and the password entry field shown
Microsoft login page recognized the synced account — asking for the domain password

Test with Harley Quinn: Logged in with the marketing specialist account — worked correctly, session active.

Azure portal showing Harley Quinn logged in successfully with an active session
Harley Quinn logged into Azure — domain credentials work for cloud login
Cloud login test
Attempting login with: [email protected]
Password: (domain AD password)
[+] Login successful — Azure session active
User: Tony Stark
UPN: [email protected]
Tenant: apexcorp.onmicrosoft.com
Sign-in type: Password Hash Sync (PHS)

Step 11 — Sign-In Logs

The sign-in log in Azure shows interactive login history — all test logins, what apps were accessed, success or failure. This is useful for the attack surface — it shows which accounts tried to log in and from where.

Azure Entra ID sign-in logs showing multiple login events with user names, apps, and success status
Sign-in logs — every login attempt is visible here including the test logins
Azure sign-in logs detailed view showing individual event rows with timestamp, user, app, and result columns
Detailed sign-in log rows — timestamp, account, app, and result all tracked

Step 12 — Vulnerable OAuth App Registration

Registered a fake application called "Apex IT Helpdesk" in Entra ID. This is used as a phishing target — an attacker would send victims a consent phishing email asking them to approve this app. When they click Accept, the attacker gets OAuth tokens granting access to the victim's mailbox and files — no password needed, no MFA required.

In Azure Portal → App Registrations → New Registration → Name: "Apex IT Helpdesk".

Added these API permissions and left them unconsented by an admin:

PermissionTypeWhat an attacker gets
Mail.ReadDelegatedRead all emails in the victim's mailbox
Files.ReadWrite.AllDelegatedRead and write all files in OneDrive
User.Read.AllDelegatedRead all user profiles in the tenant
OAuth Consent Phishing

The attack: send a phishing email with a link to "Apex IT Helpdesk — click here to enable your account". The victim clicks Accept on the consent screen thinking it is a real IT app. The attacker now has OAuth tokens for that user — access to their email and files without ever touching their password. MFA does not help here because MFA is for authentication, not for OAuth consent.

Why This Matters for the Lab

After syncing with Entra Connect, domain accounts are in the cloud. An attacker who compromises a local account via Kerberoasting or NTLM relay now also has cloud access. The credentials work on the local network and on Azure, Microsoft Teams, and the web portal. One compromise = both AD and cloud access.