A closer look at Azure AD Connect’s Service Connection Point

Azure AD Connect

Recent versions of Azure AD Connect deploy a Service Connection Point (SCP) into your Active Directory Domain Services (AD DS) environment(s). Let’s take a closer look at what this SCP looks like, what it does by default, and how you can use and tweak it to your advantage.
About Service Connection Points

Active Directory provides a specific object type that points to a service. This way, an application, system and/or service administrator can tell domain-joined devices and LDAP-enabled devices where to find the (nearest) instance of his/her application, system and/or service.

Many Microsoft and third-party applications and services have embraced the concept of service connection points in Active Directory in the past. Microsoft Exchange, Microsoft System Center Configuration Manager (SCCM) and Active Directory Rights Management Services are the ones that come to mind.
About Azure AD Connect’s SCPs

Azure AD Connect’s Service Connection Point includes information on the following items in its Keywords attribute:

  1. azureADId; The Azure Active Directory tenant ID
  2. azureADName; The Azure Active Directory tenant’s verified custom DNS domain name, or the *.onmicrosoft.com DNS domain name if no verified custom DNS domain name exists for the Azure AD tenant

Azure AD Connect’s Service Connection Point exists as:

CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=domain,DC=tld

The Service Connection Point needs to be available to all domains in the Active Directory forest that contain computer objects.
When is the Service Connection Point created?

Azure AD Connect creates the Service Connection Point in Active Directory, when:

  1. You install and configure Azure AD Connect with Express Settings, or;
  2. You install and configure Azure AD Connect. Then, you enable Hybrid Azure AD Join while supplying Enterprise Admin credentials, or
  3. You install and configure Azure AD Connect. Then, you enable Hybrid Azure AD Join, and use the ConfigureSCP.ps1 script to create the Service Connection Point manually.
Inspecting the keywords

You can easily get the information in the Keywords attribute using the following lines of Windows PowerShell:

# Bind to the SCP object in the Configuration naming context; replace DC=domain,DC=tld with your forest's value
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=domain,DC=tld"

# The keywords attribute holds the azureADId and azureADName values
$scp.Keywords
When is the information used?

The information in the Service Connection Point is used by domain-joined devices during their Hybrid Azure AD Join to discover Azure AD tenant information through an LDAP query. The device performs Home Realm Discovery (HRD) based on the azureADName keyword.
Situations with multiple Azure AD tenants

Microsoft’s vision for Hybrid Azure AD Join and Device WriteBack is one Active Directory forest connected to one Azure AD tenant. However, for complex organizations this is not feasible. For these organizations, an alternative to a Service Connection Point pointing to one Azure AD tenant is available in the form of client-side registry settings.
Clear the Service Connection Point

To use this method, clear Azure AD Connect’s Service Connection Point object first:

  1. Launch ADSI Edit (adsiedit.msc) with an account that is a member of the Enterprise Admins group in Active Directory.
  2. Connect to the Configuration Naming Context of your domain.
  3. Browse to CN=Configuration,DC=domain,DC=tld, then CN=Services and finally CN=Device Registration Configuration.
  4. Right click CN=62a0ff2e-97b9-4513-943f-0d221bd30080 and select Properties from the context menu.
    1. Select Keywords from the Attribute Editor window and click Edit.
    2. Select the values of azureADId and azureADName (one at a time) and click Remove.
  5. Repeat steps 2-4 for each domain in the Active Directory forest.
  6. Close ADSI Edit.
Create client-side registry settings

Use the following example to create a Group Policy Object (GPO) that deploys registry settings configuring the Service Connection Point information in the registry of devices in scope:

  1. Open the Group Policy Management console (gpmc.msc)
  2. Create a new Group Policy Object where you want the Service Connection Point information to propagate to.
  3. Edit the Group Policy Object.
  4. Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  5. Right-click on the Registry node and select New > Registry Item.
  6. On the General tab, configure the following:
    1. Action: Update
    2. Hive: HKEY_LOCAL_MACHINE
    3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
    4. Value name: TenantId
    5. Value type: REG_SZ
    6. Value data: The GUID or Directory ID of your Azure AD instance (This value can be found in the Azure portal > Azure Active Directory > Properties > Directory ID)
  7. Click OK to save the Registry item.
  8. Right-click on the Registry node and select New > Registry Item again.
  9. On the General tab, configure the following:
    1. Action: Update
    2. Hive: HKEY_LOCAL_MACHINE
    3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
    4. Value name: TenantName
    5. Value type: REG_SZ
    6. Value data: Your verified domain name if you are using a federated environment such as AD FS; your verified domain name or your onmicrosoft.com domain name (for example, contoso.onmicrosoft.com) if you are using a managed environment
  10. Click OK to save the Registry item.
  11. Close the Group Policy editor window.
  12. Link the newly created group policy object to the desired Organizational Unit (OU) containing domain-joined computers.
  13. Close the Group Policy Management console.
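
As an added example that is not part of the original post, the following Windows PowerShell script ties the Inspecting the keywords section and the registry method above together: it locates the SCP through RootDSE instead of a hard-coded DC=domain,DC=tld path, parses the Keywords values (assumed to be stored in the name:value form, e.g. azureADName:contoso.com), reads the TenantId and TenantName values the GPO writes, and warns when the two disagree or when neither is present. The function names are this example's own.

```powershell
# Added example (not from the original post): locate the Azure AD Connect SCP via RootDSE,
# parse its Keywords, and compare them with the client-side CDJ\AAD registry values.
# Function names are this example's own; the "name:value" keyword form is assumed.
$ScpGuid = '62a0ff2e-97b9-4513-943f-0d221bd30080'

function Get-AadScpKeywords {
    # The Configuration naming context is forest-wide; RootDSE gives its DN.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    $path = "LDAP://CN=$ScpGuid,CN=Device Registration Configuration,CN=Services,$configNc"
    $scp  = New-Object System.DirectoryServices.DirectoryEntry($path)
    $result = @{}
    foreach ($kw in $scp.Properties['keywords']) {
        # Each value looks like azureADId:<tenant GUID> or azureADName:<domain>
        $name, $value = $kw -split ':', 2
        $result[$name] = $value
    }
    return $result
}

function Get-AadClientRegistry {
    # Values written by the GPO described above; $null when that method is not used.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key
    return @{ azureADId = $item.TenantId; azureADName = $item.TenantName }
}

function Test-AadTenantPointer {
    $scp = Get-AadScpKeywords
    $reg = Get-AadClientRegistry
    $parsed = [guid]::Empty
    # A tenant ID must be a GUID; anything else points at a mistyped or tampered SCP.
    if ($scp['azureADId'] -and -not [guid]::TryParse($scp['azureADId'], [ref]$parsed)) {
        Write-Warning "SCP azureADId '$($scp['azureADId'])' is not a GUID"
    }
    if (-not $scp['azureADId'] -and -not $reg) {
        Write-Warning 'Neither SCP keywords nor CDJ\AAD registry values found; discovery will fail'
    }
    if ($scp['azureADId'] -and $reg -and $scp['azureADId'] -ne $reg.azureADId) {
        Write-Warning "SCP tenant $($scp['azureADId']) differs from registry tenant $($reg.azureADId)"
    }
    [pscustomobject]@{
        ScpTenantId = $scp['azureADId']; ScpTenantName = $scp['azureADName']
        RegistryTenantId = $reg.azureADId; RegistryTenantName = $reg.azureADName
    }
}

Test-AadTenantPointer
```

Run it on a domain-joined device as a user who can read the Configuration naming context; the SCP read needs no elevated rights, the registry read needs local read access only.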
How the information can be abused

The information in the Service Connection Point can be abused. The Network Service Scanning technique in the MITRE ATT&CK framework (T1046) specifically hints at the way the information can be abused:

With cloud environments, adversaries may attempt to discover services running on other cloud hosts or cloud services enabled within the environment. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems.
Concluding

Azure AD Connect’s Service Connection Point allows for domain-joined devices to perform Home Realm Discovery (HRD). In complex environments and for staged rollouts, client-side registry settings can be used to achieve the same goal.

Further reading

Tutorial: Configure hybrid Azure Active Directory join for managed domains
Tutorial: Configure hybrid Azure Active Directory joined devices manually
Post configuration tasks for Hybrid Azure AD join
Step-by-Step guide to connect down-level devices to Azure AD (in hybrid environment)
How can I locate Service Connection Point for Azure AD connect?
Azure AD Connect: Enabling device writeback