Finding Entra ID CA Bypasses - the structured way
Entra ID Conditional Access is the guard dog of your tenant. But setting it up securely is quite complicated, even if you know all the processing details, which are not always documented.
In this talk we go from a bypass found by accident to a structured approach of mapping Entra ID applications and the different behavior of Conditional Access policies. We found corner cases in which some policies are not or cannot be applied, which can function as bypasses if attackers want to target your tenant.
Join us for a wild ride into authentication protocols, OAuth scopes and pre-consented permissions.
And of course, we don’t want to keep you in the dark about how to protect against some of those bypasses and what indicators to look out for.
Conditional Access policies are complicated to configure, but also complicated to evaluate on the Microsoft side. Many apps interact with other apps and may have dependencies on backend APIs that are covered by different policies than the "front-end" app. This leads to several observable differences in how, for example, compliant-device and MFA requirements are enforced for specific resources.
We wanted to analyze all the different combinations of client apps and resources (APIs) that exist in Entra ID and Microsoft 365, to see how they behave and also what permissions each application has. That sounds simple: you just sign in to every app and see what permissions it has. However, reality is not that simple. First you need to find all the applications that exist, then figure out which authentication methods you can use to authenticate to them, and finally you have to make this scalable for hundreds of applications.
In this talk we walk through our process of analyzing applications, automating token requests and defining different test scenarios for testing undocumented Conditional Access policy exceptions in a structured way, at scale.
We show several examples of behaviour differences when policies are configured in a certain way, and some hardcoded exceptions that are not documented by Microsoft. We will also show what this means for attackers and defenders, how to protect against these corner cases and how to monitor for abuse.
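The following is an added example written for this page; it is not code from the talk and not a Microsoft implementation. It models the coverage gap the abstract describes (a policy scoped to a front-end app does not cover the backend API that the same client can request a token for directly) and the defensive check for it: listing every resource for which no applicable policy enforces MFA or a compliant device. All app, resource and policy names are constructed; the status values "success", "failure" and "notApplied" mirror the conditionalAccessStatus values in Entra sign-in logs, which is the field to watch when monitoring.

```python
"""Toy model of Conditional Access (CA) policy evaluation.

Added example, not code from the talk or from Microsoft. App, resource and
policy names below are constructed for illustration.
"""
from dataclasses import dataclass

ALL_CLOUD_APPS = "All cloud apps"


@dataclass(frozen=True)
class Policy:
    name: str
    target_resources: frozenset          # resource app names, or {ALL_CLOUD_APPS}
    require_mfa: bool = False
    require_compliant_device: bool = False
    excluded_resources: frozenset = frozenset()


@dataclass(frozen=True)
class SignIn:
    client_app: str        # the app requesting the token
    resource: str          # the API/resource the token is for
    mfa_done: bool
    device_compliant: bool


def policy_applies(policy: Policy, signin: SignIn) -> bool:
    """A policy is in scope when the requested resource is targeted and not excluded."""
    if signin.resource in policy.excluded_resources:
        return False
    return ALL_CLOUD_APPS in policy.target_resources or signin.resource in policy.target_resources


def evaluate(policies, signin: SignIn):
    """Return (status, unmet) with status in {'success', 'failure', 'notApplied'}.

    'notApplied' means no policy was in scope for this resource at all: the
    token is issued with no CA controls, which is the bypass-style gap the
    abstract describes.
    """
    applied = [p for p in policies if policy_applies(p, signin)]
    if not applied:
        return "notApplied", []
    unmet = []
    for p in applied:
        if p.require_mfa and not signin.mfa_done:
            unmet.append((p.name, "mfa"))
        if p.require_compliant_device and not signin.device_compliant:
            unmet.append((p.name, "compliantDevice"))
    return ("success" if not unmet else "failure"), unmet


def uncovered_resources(policies, resources, control: str):
    """Resources for which no in-scope policy enforces `control` ('mfa' or 'compliantDevice')."""
    attr = {"mfa": "require_mfa", "compliantDevice": "require_compliant_device"}[control]

    def probe(resource):
        # A worst-case sign-in: nothing satisfied, so only policy scope matters.
        return SignIn("probe-client", resource, mfa_done=False, device_compliant=False)

    return [
        r for r in resources
        if not any(policy_applies(p, probe(r)) and getattr(p, attr) for p in policies)
    ]


# Constructed tenant: a portal front-end that depends on a backend API.
RESOURCES = ["Contoso Portal", "Contoso Backend API"]

# Weak configuration: MFA policy scoped only to the front-end app.
NARROW_POLICIES = [
    Policy("MFA for portal", frozenset({"Contoso Portal"}), require_mfa=True),
]

# Corrected configuration: scope the requirement to all cloud apps.
BROAD_POLICIES = [
    Policy("MFA everywhere", frozenset({ALL_CLOUD_APPS}), require_mfa=True),
]

# A client asking for a token for the backend API directly, without MFA.
DIRECT_API_SIGNIN = SignIn("Some first-party client", "Contoso Backend API",
                           mfa_done=False, device_compliant=False)


if __name__ == "__main__":
    print("narrow:", evaluate(NARROW_POLICIES, DIRECT_API_SIGNIN))
    print("broad: ", evaluate(BROAD_POLICIES, DIRECT_API_SIGNIN))
    print("uncovered for MFA (narrow):", uncovered_resources(NARROW_POLICIES, RESOURCES, "mfa"))
    print("uncovered for MFA (broad): ", uncovered_resources(BROAD_POLICIES, RESOURCES, "mfa"))
```

The model deliberately keys policy scope on the resource being requested, not on the client app, because that is where the front-end/backend mismatch shows up: the narrow policy yields "notApplied" for the direct API token request, while the all-cloud-apps policy turns the same request into a "failure". The `uncovered_resources` check is the same question asked in reverse, and is the kind of inventory a defender can run against their own policy set; in real sign-in logs, a run of "notApplied" results against a resource you expected to be protected is the indicator to look for.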