Azure AD Connect is a tool and guided experience for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures the prerequisites and components required for the connection, including synchronization and sign-on.
Microsoft explained the issue (CVE-2017-8613) and said that the password writeback feature may not be configured properly during enablement. Writeback is a component of Azure Active Directory Connect that lets users configure Azure AD to write passwords back to their on-premises AD user accounts. It gives users a convenient cloud-based way to reset their on-premises passwords wherever they are.
“To enable Password writeback, Azure AD Connect must be granted Reset Password permission over the on-premises AD user accounts. When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts).”
This configuration is not recommended by Microsoft because it enables a malicious Azure Active Directory Administrator to reset the password of an arbitrary privileged on-premises AD user account to a known value using Password writeback. That would give the malicious Azure AD Administrator privileged access to the customer’s on-premises AD.
“The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.”
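The following PowerShell audit is an added example, not code from the article or from Microsoft: it lists the ACEs on AdminSDHolder and on every adminCount=1 account that grant the Azure AD Connect service account the Reset Password extended right, which is the inadvertent grant the advisory describes. It assumes the sync account follows the wizard's default MSOL_* naming; change $SyncAccountPattern otherwise.

```powershell
# Added example: find privileged on-premises AD objects on which the Azure AD Connect
# service account holds Reset Password. Assumes the account is named MSOL_* (adjust if not).
Import-Module ActiveDirectory

$SyncAccountPattern = 'MSOL_*'
# GUID of the "Reset Password" extended right (User-Force-Change-Password)
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

$domain = Get-ADDomain
$syncAccounts = Get-ADUser -Filter "SamAccountName -like '$SyncAccountPattern'" |
    ForEach-Object { "$($domain.NetBIOSName)\$($_.SamAccountName)" }

# AdminSDHolder is the ACL template periodically re-applied to protected (adminCount=1) accounts,
# so a grant there propagates to every Domain/Enterprise Admin.
$targets = @(Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)")
$targets += Get-ADUser -LDAPFilter '(adminCount=1)'

foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($syncAccounts -notcontains $ace.IdentityReference.Value) { continue }

        # Reset Password is granted by the specific extended right, by "all extended rights"
        # (empty ObjectType), or implicitly by GenericAll.
        $allExtended = $ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
                       $ace.ObjectType -eq [Guid]::Empty
        $thisRight   = $ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
                       $ace.ObjectType -eq $ResetPasswordGuid
        $genericAll  = $ace.ActiveDirectoryRights.HasFlag($Rights::GenericAll)

        if ($thisRight -or $allExtended -or $genericAll) {
            [PSCustomObject]@{
                Target    = $obj.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Right     = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Any row returned is the misconfiguration described above; removing that ACE (or upgrading to Azure AD Connect 1.1.553.0, which refuses writeback to privileged accounts) closes it.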