Findings Show MFA Bypass in Microsoft Azure Entra ID Using Seamless SSO


Multi-factor authentication (MFA) has become the backbone of cybersecurity for businesses and individuals, adding an extra layer of protection beyond passwords. However, recent Pen Test Partners (PTP) research has identified a potential bypass method for Microsoft Azure Entra ID, a cloud-based identity and access management solution.

How was the issue discovered?

The issue was identified during a Red Team engagement when researchers acquired Domain Admin privileges on the on-premises Active Directory network but could not access the sensitive data on Azure cloud estate as it required authenticating with Azure Entra ID.

According to their blog post, the researchers then discovered a method where Azure Seamless Single Sign-On (SSO) allowed users to access Azure Entra ID-protected resources without passwords. This was achieved using two TGS tickets:

  1. HTTP/aadg.windows.net.nsatc.net
  2. HTTP/autologon.microsoftazuread-sso.com

Bypassing Multi-Factor Authentication on Azure:

The PTP team successfully bypassed Azure’s MFA requirement for SSO by changing the user-agent of a browser. They used a browser that resembled Chrome on Linux but encountered an error message stating MFA was required.

To bypass MFA, they needed to be on a domain-joined machine, which they did via a proxy. However, their legitimate laptop was locked down, and only Edge and Chrome were installed. They downloaded a portable version of Firefox and installed it on the domain-joined laptop and could successfully bypass MFA. 

Root Causes of the Issue

The most common causes of this issue include the addition of a broad bypass to allow automated systems to access Linux without MFA, a misconfiguration of Conditional Access Policies within Entra ID, which dictate when MFA is needed, or an accidental policy disablement. 

The vulnerability is exploitable for specific internal applications, underscoring the importance of proper Entra ID configuration for security. The attack could be repeated to any user, highlighting the importance of strong security measures to protect cloud environments from malicious actors. 

Organizations can mitigate the threat by using up-to-date conditional access policies, patching regularly, monitoring login attempts for anomalies, and exploring additional security layers like endpoint detection and response (EDR) solutions to address known vulnerabilities and improve overall security.

  1. Mirai botnet exploiting Azure OMIGOD vulnerabilities
  2. Microsoft Azure Exploited to Create Undetectable Cryptominer
  3. Microsoft warns of Azure vulnerability exposes users to data theft
  4. Whitehat hackers accessed primary keys of Azure Cosmos DB users
  5. Sensitive source codes exposed in Microsoft Azure Blob account leak





Source link