diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 7ff270667..313456134 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -504,7 +504,6 @@ - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md) - [Az - Cloud Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md) - [Az - Connect Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md) - - [Az - Connect Sync Policy Abuse](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync-policy-abuse.md) - [Az - Domain Services](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md) - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md) - [Az - Hybrid Identity Misc Attacks](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md) diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md index 355feac7a..70b0a3a79 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md 
@@ -16,8 +16,6 @@ This section covers the pivoting techniques to move from a compromised Entra ID - [**Connect Sync**](az-connect-sync.md): How to abuse Connect Sync to move from the cloud to on-premises AD and the other way around. -- [**Connect Sync Policy Abuse**](az-connect-sync-policy-abuse.md): Historical Connect Sync internal-policy abuse paths (Seamless SSO key injection, auth-method manipulation), including what was patched and what to validate in legacy tenants. - - [**Domain Services**](az-domain-services.md): What is the Azure Domain Services Service and how to pivot from Entra ID to the AD it generates. - [**Federation**](az-federation.md): How to abuse Federation to move from the cloud to on-premises AD and the other way around. diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync-policy-abuse.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync-policy-abuse.md deleted file mode 100644 index 720dd99e1..000000000 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync-policy-abuse.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# Az - Connect Sync Policy Abuse - -{{#include ../../../banners/hacktricks-training.md}} - -## Basic Information - -The Entra ID Connect Sync identity (historically a user account and later a service principal) was allowed to call undocumented `graph.windows.net` internal endpoints, including the `1.61-internal` API surface. Those endpoints exposed policy objects that were not visible or writable through standard public Graph paths, and that design created a direct AD-to-Entra pivot from an on-prem compromise. - -The important historical finding was not just "the sync account can update policies", but that these policy objects controlled authentication trust boundaries. In practice, this meant an attacker with Connect Sync credentials could reconfigure how Entra accepted first-factor and second-factor authentication signals for hybrid identities. - -## Historical Attack Chain - -### Enable Seamless SSO by Adding Kerberos Keys - -The on-premises authentication flow policy stored KeyCredential material used by Seamless SSO. Existing keys were not readable, but the sync identity could add new key entries. That distinction was enough for compromise: an operator did not need to extract current keys if they could append attacker-controlled keys and then mint Kerberos tickets with that material. - -A subtle implementation detail made this more dangerous in multi-domain tenants. In Entra, hybrid users from different on-prem AD domains are not isolated in separate trust silos the way many defenders assume. By introducing key material under a tenant-owned `onmicrosoft.com` domain entry, the attacker could still target hybrid users across synchronized domains. - -Operationally, the flow was: obtain tokens as the sync identity, update the on-prem auth policy through internal Graph, insert attacker-controlled key credentials, and forge Seamless SSO tickets for target hybrid users. 
- -### Bypass MFA by Editing Authentication Methods Policy - -The default policy object (type `24`) contained tenant authentication method configuration. By adding an external authentication method provider there, an attacker could register a malicious MFA backend and make Entra accept that second factor for users in scope. This turned a Seamless SSO foothold into full hybrid-user impersonation even when MFA was enforced. - -In other words, this was not a simple "disable MFA" control-plane change. It was more powerful because it allowed introducing an attacker-operated factor that still looked like compliant MFA from the relying party perspective. - -### Conditional Access Policy Tampering (Patched Earlier) - -A related path allowed modification of Conditional Access policy objects through internal Graph. Microsoft restricted that path in December 2023 to first-party applications, which removed this capability from the sync identity. - -## Logging and Detection Characteristics - -A major defensive problem in this chain was telemetry quality. Changes often appeared as generic policy-update events with little or no field-level diff, and some operations generated no useful audit detail. That forced defenders to rely on secondary signals such as suspicious trust changes, unexpected authentication method providers, or newly introduced Seamless SSO key material. - -## Current Exploitability Status - -This Connect Sync policy-abuse pivot should be treated as a historical technique in modern tenants. Microsoft removed the sync identity's ability to modify Entra objects through these Graph write paths, which breaks the on-prem-to-cloud escalation chain described above. - -The technique remains relevant for retrospective incident response, old misconfigured environments, and understanding why stale overprivileged sync identities are high risk. It should not be documented as a broadly working AD-to-Entra path today. 
- -## References - -- https://www.youtube.com/watch?v=rzfAutv6sB8 - -{{#include ../../../banners/hacktricks-training.md}}
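Review bot: the SUMMARY.md and README.md hunks remove the navigation entry and the bullet for `az-connect-sync-policy-abuse.md`, but nothing in this patch shows that the sibling pages listed in the same block (`az-connect-sync.md`, `az-hybrid-identity-misc-attacks.md`, and the others under `az-lateral-movement-cloud-on-prem/`) do not still link to the deleted file by relative path. Please grep `src/` for `az-connect-sync-policy-abuse.md` before merging so the mdBook build is not left with a dangling link; if any page does reference it, the link should be retargeted in this same change rather than in a follow-up.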
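Review bot: deleting the whole page also throws away the "Logging and Detection Characteristics" and "Conditional Access Policy Tampering (Patched Earlier)" paragraphs, which the page itself says remain useful "for retrospective incident response, old misconfigured environments, and understanding why stale overprivileged sync identities are high risk". The removal from the main navigation is consistent with the page's own "Current Exploitability Status" statement that it "should not be documented as a broadly working AD-to-Entra path today", but the detection indicators (generic policy-update events with no field-level diff, unexpected authentication method providers in the type `24` policy object, newly introduced Seamless SSO key material) and the dated December 2023 first-party-only restriction are still the kind of thing an IR team looks up. Suggest keeping those two paragraphs plus the reference link as a short "historical" subsection inside `az-connect-sync.md` or `az-hybrid-identity-misc-attacks.md` instead of dropping them entirely, so the removal of the standalone page does not lose the only place this content lived.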