Azure AD vulnerability gave attackers backdoor authentication control
Secureworks shared its findings with Microsoft in 2022, and the company has since issued changes to improve audit logs


Researchers at Secureworks have issued a warning over a flaw in Microsoft’s Azure Active Directory (Azure AD) that allows threat actors to tamper with conditional access policies (CAPs).
Analysis from Secureworks’ Counter Threat Unit found that the vulnerability enabled an attacker to install backdoors, modify access rights to bypass multi-factor authentication (MFA), and block admin access.
The flaw also allowed attackers to gather information on policy configurations to support and launch future attacks, researchers noted.
Azure AD is Microsoft’s cloud-based identity and access management service. The premium version of Azure AD also supports CAPs that grant - or block - access based on certain criteria, such as device compliance or user location.
“Azure AD stores the settings for the authentication methods and CAPs. CAPs can be modified via the Azure AD portal, PowerShell, and API calls,” researchers said.
In May 2022, researchers investigated which APIs allow editing of CAP settings and identified three:
- The legacy Azure AD Graph (also known as AADGraph)
- Microsoft Graph
- An “undocumented” Azure IAM API
AADGraph was the only API that allowed modification of all CAP settings, including metadata.
This capability could allow admins to tamper with all CAP settings, including the creation and modification timestamps.
Modifications made using AADGraph are not properly logged, which researchers warned “endangers integrity and non-repudiation of Azure AD policies”.
“The API does not properly log changes, and the lack of an audit trail breaks integrity and non-repudiation of CAPs,” researchers said. “As a result, organizations cannot trust CAP information shown in the Azure AD portal or in directory audit logs.”
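Since the researchers' point is that neither the portal nor the directory audit log can be trusted once AADGraph has been used to edit a policy, the practical check is an integrity baseline that depends on neither. The PowerShell script below is an added example written for this article, not code from Secureworks or Microsoft. It assumes the Microsoft.Graph PowerShell SDK (Get-MgIdentityConditionalAccessPolicy) and an identity holding Policy.Read.All; the script name, baseline path and parameter names are illustrative. It snapshots every Conditional Access policy through Microsoft Graph, hashes the policy body (conditions and controls, deliberately not the timestamps), stores that as a baseline, and on later runs flags any policy whose body changed while ModifiedDateTime did not advance, which is what an edit that also rewrote the metadata would look like.

```powershell
# Added example, not code from Secureworks or Microsoft: an out-of-band integrity
# baseline for Conditional Access policies that deliberately ignores audit logs.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) and
# an account holding Policy.Read.All. File name and parameter names are illustrative.
#
#   .\Test-CapBaseline.ps1 -BaselinePath .\cap-baseline.json -Update   # write baseline
#   .\Test-CapBaseline.ps1 -BaselinePath .\cap-baseline.json           # compare to it
param(
    [Parameter(Mandatory)] [string]$BaselinePath,
    [switch]$Update
)

function Get-CapSnapshot {
    # Maps policy id -> display name, state, ModifiedDateTime and a hash of the policy body.
    # Only the body is hashed (never the timestamps), so an edit that also rewrites
    # CreatedDateTime/ModifiedDateTime cannot hide a change to conditions or controls.
    $snapshot = @{}
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $body = [ordered]@{
            State           = $p.State
            Conditions      = $p.Conditions
            GrantControls   = $p.GrantControls
            SessionControls = $p.SessionControls
        } | ConvertTo-Json -Depth 20 -Compress
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ([System.BitConverter]::ToString($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($body)))) -replace '-', ''
        $snapshot[$p.Id] = [ordered]@{
            DisplayName      = $p.DisplayName
            State            = $p.State
            ModifiedDateTime = $p.ModifiedDateTime
            BodyHash         = $hash
        }
    }
    return $snapshot
}

function ConvertTo-Time($value) {
    # Policies that were never edited have a null ModifiedDateTime; treat that as the epoch.
    if ($null -eq $value -or "$value" -eq '') { return [datetime]::MinValue }
    return [datetime]$value
}

Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
$current = Get-CapSnapshot

if ($Update -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline of $($current.Count) policies written to $BaselinePath"
    return
}

# ConvertFrom-Json yields a PSCustomObject; turn it back into a lookup table keyed by policy id.
$baseline = @{}
foreach ($prop in (Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json).PSObject.Properties) {
    $baseline[$prop.Name] = $prop.Value
}

$findings = @()
foreach ($id in $current.Keys) {
    $now = $current[$id]
    if (-not $baseline.ContainsKey($id)) {
        $findings += "NEW: '$($now.DisplayName)' ($id) is not in the baseline"
        continue
    }
    $was = $baseline[$id]
    if ($now.BodyHash -eq $was.BodyHash) { continue }
    if ((ConvertTo-Time $now.ModifiedDateTime) -le (ConvertTo-Time $was.ModifiedDateTime)) {
        # Body changed but the timestamp did not move forward: the portal and the audit log
        # would both show nothing, which is the tampering pattern the researchers describe.
        $findings += "SUSPICIOUS: '$($now.DisplayName)' ($id) body changed but ModifiedDateTime did not advance ($($was.ModifiedDateTime) -> $($now.ModifiedDateTime))"
    } else {
        $findings += "CHANGED: '$($now.DisplayName)' ($id) modified $($now.ModifiedDateTime); confirm a matching directory audit entry exists"
    }
}
foreach ($id in $baseline.Keys) {
    if (-not $current.ContainsKey($id)) {
        $findings += "DELETED: '$($baseline[$id].DisplayName)' ($id) is missing from the tenant"
    }
}

if ($findings.Count -eq 0) { Write-Host 'All Conditional Access policies match the baseline.'; exit 0 }
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it on a schedule against a baseline kept outside the tenant (a repository or write-once storage), so a compromised admin cannot update the baseline along with the policy. A CHANGED finding should be reconciled with a directory audit entry; a SUSPICIOUS one, where the body moved but the timestamp did not, should be treated as an incident. The check detects tampering rather than preventing it; prevention depends on Microsoft's announced restriction of CAP updates through AADGraph.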
CTU researchers shared their findings with Microsoft in May 2022, and the tech giant confirmed them a month later. However, Secureworks revealed that Microsoft stated “that it is expected behavior”.
In May this year, Microsoft notified CTU researchers of planned changes to improve audit logs and restrict CAP updates via AADGraph.
Microsoft said these changes will “improve audit logs to reflect the type of policy being updated when CA policies are updated through AADGraph”.
The firm added that AADGraph is “set to be retired” and that admins will be prevented from making updates to CA policies through it.
Nestori Syynimaa, senior principal security researcher at Secureworks CTU, said that a concerning aspect of this vulnerability is that Azure AD “isn’t locked properly”, enabling attackers to see policy configurations and potentially exploit the flaw.
“This means that any user can see policy configurations, and anyone with admin rights can make modifications that are not logged properly,” he said.
“If you have a rogue admin, or an admin’s credentials have been compromised by a threat actor, then they can make damaging changes such as turning off access controls, blocking access, and editing rules.”
Syynimaa noted that a threat actor could hypothetically access “any number of systems and create backdoors”, making remediation difficult in the event that this vulnerability was exploited.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.