Microsoft’s Azure Active Directory (Azure AD), the company’s go-to cloud-based identity and access management service (IAM), carries a severe flaw that enabled threat actors to install backdoors.
This is according to extensive research from the Secureworks Counter Threat Unit (CTU), which says the issue could also let hackers modify access rights to bypass multi-factor authentication and block admin access without proper logging, and gather information on policy configurations to enable future attacks.
Azure AD supports multiple authentication methods, while the premium version also supports Conditional Access Policies (CAPs) that grant, or block access, based on different criteria, such as device compliance or user location. The IAM service is the one storing these settings, allowing CAPs to be modified either via the portal, PowerShell, or API calls.
One API
The researchers set out to see which APIs allow CAP settings editing, and found three.
One of the three, called AADGraph, was the only one allowing users to modify all CAP settings, including the metadata. This, the researchers say, allows admins to tamper with things such as creation and modification timestamps, and given that modifications made using AADGraph weren’t being properly logged, the integrity and non-repudiation of Azure AD policies were thus at risk.
The researchers shared their findings with Microsoft in late May 2022, which confirmed the findings a month later but stated that this was not a bug, but a feature. However, a year later, Microsoft notified CTU researchers that it plans on making changes that will improve audit logs and restrict CAP updates via AADGraph.
Secureworks also stresses that Microsoft’s been trying to deprecate the AADGraph API “for years”. At the moment, the retirement is scheduled for June 30, 2023. Microsoft has removed public AADGraph API documentation.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba