Azure AD vulnerability gave attackers backdoor authentication control


Researchers at Secureworks have issued a warning over a flaw in Microsoft’s Azure Active Directory (Azure AD) that allows threat actors to tamper with conditional access policies (CAPs).

Analysis from Secureworks’ Counter Threat Unit (CTU) found that the vulnerability enabled an attacker to install backdoors, modify access rights to bypass multi-factor authentication (MFA), and block admin access.

The flaw also allowed attackers to gather information on policy configurations to support and launch future attacks, researchers noted. 

Azure AD is Microsoft’s cloud-based identity and access management service. The premium version of Azure AD also supports CAPs that grant - or block - access based on certain criteria, such as device compliance or user location. 

“Azure AD stores the settings for the authentication methods and CAPs. CAPs can be modified via the Azure AD portal, PowerShell, and API calls,” researchers said.

In May 2022, researchers investigated which APIs allow editing of CAP settings and identified three: 

  • The legacy Azure AD Graph (also known as AADGraph)
  • Microsoft Graph
  • An “undocumented” Azure IAM API

AADGraph was the only API that allowed modification of all CAP settings, including metadata.

This capability could allow admins to tamper with all CAP settings, including the creation and modification timestamps. 


Modifications made using AADGraph are not properly logged, which researchers warned “endangers integrity and non-repudiation of Azure AD policies”.

“The API does not properly log changes, and the lack of an audit trail breaks integrity and non-repudiation of CAPs,” researchers said. “As a result, organizations cannot trust CAP information shown in the Azure AD portal or in directory audit logs.”
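A compensating control for the point above, written here as an added example (not Secureworks’ or Microsoft’s code): since the audit log cannot be relied on, compare periodic snapshots of the CAP objects themselves; a policy whose content differs between snapshots while its modifiedDateTime has not advanced is exactly the out-of-band edit the log would miss. Field names are assumed to follow the Microsoft Graph conditionalAccessPolicy schema, and the two snapshots are constructed sample data.

```python
import json
from datetime import datetime

# Constructed sample snapshots, shaped like objects returned by Microsoft Graph
# GET /identity/conditionalAccess/policies (field names assumed from that schema).
BASELINE = [
    {"id": "p1", "displayName": "Require MFA for admins", "state": "enabled",
     "modifiedDateTime": "2023-05-01T10:00:00Z",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "Block legacy auth", "state": "enabled",
     "modifiedDateTime": "2023-05-01T10:00:00Z",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
CURRENT = [
    # p1: MFA control silently removed, timestamp untouched (the tampering pattern)
    {"id": "p1", "displayName": "Require MFA for admins", "state": "enabled",
     "modifiedDateTime": "2023-05-01T10:00:00Z",
     "grantControls": {"operator": "OR", "builtInControls": []}},
    # p2: legitimately edited, timestamp advanced as expected
    {"id": "p2", "displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "modifiedDateTime": "2023-06-12T08:30:00Z",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    # p3: new policy absent from the baseline
    {"id": "p3", "displayName": "Allow from anywhere", "state": "enabled",
     "modifiedDateTime": "2023-06-12T08:31:00Z", "grantControls": None},
]

def _content(policy):
    """Serialise a policy without its metadata so only effective settings are compared."""
    body = {k: v for k, v in policy.items() if k not in ("createdDateTime", "modifiedDateTime")}
    return json.dumps(body, sort_keys=True)

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def find_unlogged_changes(baseline, current):
    """Compare two snapshots; return sorted (policy id, verdict) pairs. The verdict
    'changed-without-timestamp-update' is the edit the directory audit log will not show."""
    old = {p["id"]: p for p in baseline}
    new = {p["id"]: p for p in current}
    findings = [(pid, "added") for pid in new.keys() - old.keys()]
    findings += [(pid, "removed") for pid in old.keys() - new.keys()]
    for pid in old.keys() & new.keys():
        if _content(old[pid]) == _content(new[pid]):
            continue
        before, after = _ts(old[pid].get("modifiedDateTime")), _ts(new[pid].get("modifiedDateTime"))
        if before is None or after is None or after <= before:
            findings.append((pid, "changed-without-timestamp-update"))
        else:
            findings.append((pid, "changed"))
    return sorted(findings)

if __name__ == "__main__":
    for pid, verdict in find_unlogged_changes(BASELINE, CURRENT):
        print(pid, verdict)
```

In practice the baseline would be a snapshot captured and stored outside the tenant, so that an admin able to edit policies cannot also rewrite the reference copy.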

CTU researchers shared their findings with Microsoft in May 2022, and the tech giant confirmed the findings a month later. However, Secureworks revealed that Microsoft stated “that it is expected behavior”.

In May this year, Microsoft notified CTU researchers of planned changes to improve audit logs and restrict CAP updates via AADGraph.

Microsoft said these changes will “improve audit logs to reflect the type of policy being updated when CA policies are updated through AADGraph”. 

The firm added that AADGraph is “set to be retired” and that admins will be prevented from making updates to CA policies.

Nestori Syynimaa, senior principal security researcher at Secureworks CTU, said that a concerning aspect of this vulnerability is that Azure AD “isn’t locked properly”, enabling attackers to see policy configurations and potentially exploit the flaw.

“This means that any user can see policy configurations, and anyone with admin rights can make modifications that are not logged properly,” he said. 

“If you have a rogue admin, or an admin’s credentials have been compromised by a threat actor, then they can make damaging changes such as turning off access controls, blocking access, and editing rules.”

Syynimaa noted that a threat actor could hypothetically access “any number of systems and create backdoors”, making remediation difficult in the event that this vulnerability was exploited. 

Ross Kelly
News and Analysis Editor
