Skip to content

Exploit Cross Tenant Sync


exploit cross tenant sync module hosts multiple sub-modules that exploit the Cross Tenant Synchronization feature in Entra ID allowing users to execute lateral movement and establish persistence in the target environment.

Sub-modules under exploit cross tenant sync module:

  • List Currently Accessible Tenants
  • List Azure2Azure Template Applications in Tenant
  • Find Target Tenants in Existing Cross Tenant Access Policy
  • Inspect Deployed Cross Tenant Access Policy Configuration
  • Find CTS Application of a Target Tenant
  • Sync User to Target Tenant
  • Add User to CTS Sync Group
  • Deploy backdoor using Cross Tenant Synchronization


MAAD Attack Arsenal -> "AzureAD" -> 1

MITRE ATT&CK Information

Tactic Technique
Persistence Create Account: Cloud Account

Additional Details

This module is based on the techniques discussed in this research blog: Exploiting Cross Tenant Synchronization

Revert module changes: No

Microsoft services accessed by module:

PowerShell module used: