Security researchers have uncovered vulnerabilities in Microsoft’s Entra ID (formerly Azure Active Directory) dubbed “UnOAuthorized,” which could allow unauthorized actions beyond expected controls.
The findings, centered on the OAuth 2.0 scope permissions, could have enabled attackers to elevate privileges and persist within Microsoft environments.
The most alarming discovery involved the ability to add and remove users from privileged roles, including the Global Administrator role, the highest level of access in Entra ID.
If exploited, this vulnerability could have allowed threat actors to perform privilege escalation and lateral movement across Microsoft 365, Azure, and connected SaaS applications.
Exploitation required the attacker to already hold the Application Administrator or Cloud Application Administrator role in Entra ID. Despite being privileged, these roles are often not protected with the precautions their access warrants, which makes them attractive targets for attackers.
UnOAuthorized Microsoft Entra ID Vulnerability
According to the research team at Semperis, the vulnerability was discovered in the OAuth 2.0 scope (permissions) of Entra ID, which enabled attackers to perform actions beyond expected authorization controls. The most concerning discovery involved the ability to add and remove users from privileged roles, including the Global Administrator role.
The research team found that select Microsoft application service principals were allowed to perform certain actions that were not defined in the list of authorized permissions.
This enabled attackers to perform privileged actions, such as adding a user to the Global Administrator role, without appearing to have permission to do so.
The vulnerability was discovered in several Microsoft applications, including Viva Engage (Yammer), Microsoft Rights Management Service, and Device Registration Service. MSRC classified the Device Registration Service finding as an Important-severity vulnerability, because it allowed attackers to modify the membership of privileged roles, including the Global Administrator role.
“In Entra ID, customers can assign credentials to most Microsoft application service principals. We used this to assign a credential to the Device Registration Service, allowing us to access Microsoft Graph as that service,” Semperis researchers said.
Elevating privileges through Microsoft Applications
The research found that specific Microsoft application service principals could perform privileged actions without holding any explicitly authorized permission for them. The report illustrates this with three screenshots: adding a user to the Global Administrator role while acting as the Device Registration Service; the empty scopes (permissions) assigned to the Device Registration Service; and the Entra ID audit log entries showing the role-management operation succeeding.
While it remains unclear if any organizations were compromised via these vulnerabilities, the potential impact was extensive. Attackers could have used the access to install persistent threats or manipulate role assignments undetected.
Organizations are advised to scrutinize their Entra ID audit logs and check for any suspicious credentials on service principals, particularly those associated with the Device Registration Service.
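As an added illustration that is not code from the Semperis report or from Microsoft, the following Python applies that advice to Microsoft Graph output: it flags Microsoft-owned service principals that carry tenant-added credentials, and audit entries where a role-membership change was initiated by an application rather than a user. The owner-tenant IDs used to recognise first-party apps are an assumption, and the sample Graph records are constructed.

```python
# Added example (not from the Semperis report). Input shapes follow Microsoft Graph's
# servicePrincipal and directoryAudit resources; feed it the JSON from
# GET /servicePrincipals and GET /auditLogs/directoryAudits.
from typing import Any

# Assumption: first-party Microsoft apps report one of these appOwnerOrganizationId values.
MICROSOFT_OWNER_TENANTS = {
    "f8cdef31-a31e-4b4a-93e4-5f571e91255a",  # Microsoft Services tenant
    "72f988bf-86f1-41af-91ab-2d7cd011db47",  # Microsoft corporate tenant
}
ROLE_ACTIVITIES = {"Add member to role", "Remove member from role"}


def first_party_sps_with_credentials(sps: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Flag Microsoft-owned service principals that hold a key or password credential.
    A tenant-added credential on such an SP is the precondition the report describes."""
    findings = []
    for sp in sps:
        if sp.get("appOwnerOrganizationId") not in MICROSOFT_OWNER_TENANTS:
            continue
        creds = sp.get("keyCredentials", []) + sp.get("passwordCredentials", [])
        if creds:
            findings.append({"displayName": sp["displayName"], "appId": sp["appId"],
                             "credentialCount": len(creds)})
    return findings


def role_changes_initiated_by_app(audits: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Flag role-membership changes whose initiator is an app, not a signed-in user."""
    hits = []
    for entry in audits:
        if entry.get("activityDisplayName") not in ROLE_ACTIVITIES:
            continue
        app = (entry.get("initiatedBy") or {}).get("app")
        if app:  # user-initiated entries carry initiatedBy.user instead
            targets = [t.get("displayName") or t.get("userPrincipalName")
                       for t in entry.get("targetResources", [])]
            hits.append({"activity": entry["activityDisplayName"],
                         "app": app.get("displayName"), "targets": targets})
    return hits


# Constructed sample records (placeholder IDs, not real tenant data).
SAMPLE_SPS = [
    {"displayName": "Device Registration Service", "appId": "<placeholder-appid>",
     "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
     "keyCredentials": [], "passwordCredentials": [{"keyId": "<placeholder-keyid>"}]},
    {"displayName": "Contoso LOB App", "appId": "<placeholder-appid-2>",
     "appOwnerOrganizationId": "<customer-tenant-id>",
     "keyCredentials": [{"keyId": "<placeholder-keyid-2>"}], "passwordCredentials": []},
]
SAMPLE_AUDITS = [
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": None, "app": {"displayName": "Device Registration Service"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"},
                         {"displayName": "Global Administrator"}]},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
]
```

Against the sample data only the Device Registration Service principal and the app-initiated role change are reported; the customer-owned app with a key and the user-initiated change are not.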
Upon uncovering these vulnerabilities, Semperis promptly reported the findings to the Microsoft Security Response Center (MSRC).
Microsoft has since implemented additional controls to restrict the use of credentials on service principals, significantly reducing the risk of unauthorized access.
To mitigate risks, organizations should treat Application Administrators and Cloud Application Administrators with the same level of security as Global Administrators.
Implementing best practices such as privilege separation, privileged access workstations, and strong, phishing-resistant authentication is crucial.
The discoveries underscore the importance of continuous monitoring and robust security practices in safeguarding digital environments. Semperis and Microsoft continue to enhance security measures to protect users from emerging threats.