Microsoft Entra ID restricts DSA role permissions in Entra Connect Sync and Cloud Sync
Security Tool/Service
Summary
Microsoft restricted Directory Synchronization Accounts (DSA) role permissions in Microsoft Entra ID to reduce the risk of privilege escalation through synchronized identities. The change applies to Entra Connect Sync and Entra Cloud Sync, narrowing a path that could let attackers abuse hybrid identity infrastructure. It is a targeted security-control update for environments that depend on cloud directory synchronization.
Related Happenings
Microsoft hardens Microsoft 365 and Office 2024 by disabling ActiveX and blocking legacy-auth access
Defensive Guidance
First: 11.12.2025 18:00
Last: 11.12.2025 18:00
Sources 1
About this happening:
Microsoft hardened **Microsoft 365** and **Office 2024** by disabling **all ActiveX controls** and tightening defaults to block **legacy authentication** access to **SharePoint**,...
Microsoft Entra ID hardens browser sign-ins with stricter Content Security Policy
Security Tool/Service
First: 26.11.2025 15:26
Last: 26.11.2025 15:26
Sources 1
About this happening:
Microsoft is tightening **Entra ID** browser sign-ins with a stronger **Content Security Policy**, reducing the risk of **script injection** and **XSS-style credential theft** dur...
Windows Server 2025 AD DS sync remediation
Advisory/Mitigation
First: 20.10.2025 18:27
Last: 20.10.2025 18:27
Sources 1
About this happening:
Microsoft issued a **Known Issue Rollback Group Policy** and registry workaround for a **Windows Server 2025** directory-sync bug that can disrupt **Microsoft Entra Connect Sync**...
Microsoft Azure AD Graph Actor-token mitigation
Advisory/Mitigation
First: 19.09.2025 16:47
Last: 19.09.2025 16:47
Sources 1
About this happening:
**Microsoft** pushed an additional mitigation that blocks **Actor token requests** for **Azure AD Graph**, reducing the chance that a similar cross-tenant validation flaw could be...
Timeline
27.08.2025 19:00 · 1 article · 9mo ago
Microsoft restricts Entra DSA permissions
Mitigation Patch Update
Microsoft restricted permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra ID for Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync to reduce the risk of privilege escalation through synchronized identities. The change is meant to prevent the kind of hybrid identity abuse that can let an attacker leverage directory synchronization paths to reach higher privileges.
Sources
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00