Researchers at Secureworks have issued a warning over a flaw in Microsoft’s Azure Active Directory (Azure AD) that allows threat actors to tamper with conditional access policies (CAPs).
Analysis from Secureworks’ Counter Threat Unit found that the vulnerability enabled an attacker to install backdoors, modify access rights to bypass multi-factor authentication (MFA), and block admin access.
The flaw also allowed attackers to gather information on policy configurations to support and launch future attacks, researchers noted.
Azure AD is Microsoft’s cloud-based identity and access management service. The premium version of Azure AD also supports CAPs that grant - or block - access based on certain criteria, such as device compliance or user location.
“Azure AD stores the settings for the authentication methods and CAPs. CAPs can be modified via the Azure AD portal, PowerShell, and API calls,” researchers said.
In May 2022, researchers investigated which APIs allow editing of CAP settings and identified three:
- The legacy Azure AD Graph (also known as AADGraph)
- Microsoft Graph
- An “undocumented” Azure IAM API
AADGraph was the only API that allowed modification of all CAP settings, including metadata.
This capability could allow admins to tamper with all CAP settings, including the creation and modification timestamps.
Supercharge trust for operations
Innovating through uncertainty
Modifications made using AADGraph are not properly logged, which researchers warned “endangers integrity and non-repudiation of Azure AD policies”.
“The API does not properly log changes, and the lack of an audit trail breaks integrity and non-repudiation of CAPs,” researchers said. “As a result, organizations cannot trust CAP information shown in the Azure AD portal or in directory audit logs.”
CTU researchers shared their findings with Microsoft in May 2022, and the tech giant confirmed the findings a month later. However, SecureWorks revealed that Microsoft stated “that it is expected behavior”.
In May this year, Microsoft notified CTU researchers of planned changes to improve audit logs and restrict CAP updates via AADGraph.
Microsoft said these changes will “improve audit logs to reflect the type of policy being updated when CA policies are updated through AADGraph”.
The firm added that AADGraph is “set to be retired” and that admins will be prevented from making updates to CA policies.
Nestori Syynimaa, senior principal security researcher at SecureWorks CTU, said that a concerning aspect of this vulnerability is that Azure AD “isn’t locked properly”, enabling attackers to see policy configurations potentially exploit the flaw.
“This means that any user can see policy configurations, and anyone with admin rights can make modifications that are not logged properly,” he said.
“If you have a rogue admin, or an admin’s credentials have been compromised by a threat actor, then they can make damaging changes such as turning off access controls, blocking access, and editing rules.”
Syynimaa noted that a threat actor could hypothetically access “any number of systems and create backdoors”, making remediation difficult in the event that this vulnerability was exploited.
