https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html
# The main target is the sync account
# You can identify it using the description
$ ldapsearch -H ldap://DC01.DOMAIN.LAN:389 -D "DOMAIN\user" -w "****" -b "DC=DOMAIN,DC=LAN" '(description=*Azure*)' description
# To exploit this, you need local admin or the ADSync service account
# Decryption can be done using C:\Program Files\Microsoft Azure AD Sync\Binn\mcrypt.dll
# The default configuration of Azure AD Connect uses a SQL Server Express database,
# but a fully deployed SQL Server can also be used.
# In that case, the connection string from the POC must be replaced by the following:
# "Server=LocalHost;Database=ADSync;Trusted_Connection=True;"
https://blog.xpnsec.com/azuread-connect-for-redteam/