Presentation Material

Abstract

The majority of Fortune 500 organizations are using Azure Active Directory (Azure AD) as Identity and Access Management (IAM) solution. The high adoption rate makes Azure AD a lucrative target for threat actors, including state-sponsored actors like APT29/Nobelium.

Azure AD is leveraging Microsoft’s not-so-well-documented Evolved Security Service (eSTS). eSTS hides multiple security token services so that users see only Azure AD. While studying how eSTS works, we were able to identify flaws that allow users to log in to resource tenants using just username and password, regardless of their home tenant Conditional Access (CA) policies or MFA settings.

Azure AD Premium P2 includes an Identity Governance service which allows internal and external users to request entitlement to Access Packages. Access Packages are a collection of permissions to provide access to specified organization’s services, such as SharePoint sites, Teams, and applications. We observed that the APIs used by the Identity Governance service allowed access to privileged information for anonymous users.

This talk will provide technical details of our findings and how to exploit them. This includes viewing the target user’s tenant membership information after bypassing home tenant MFA and listing creators (administrators) of all Access Packages of any organization.