Hazy Issue in Entra ID Allows Privileged Users to Become Global Admins

Hazy Issue in Entra ID Allows Privileged Users to Become Global Admins

August 7, 2024 at 07:26PM

At the Black Hat USA conference, it was revealed that an obscure issue in Microsoft’s Entra ID identity and access management service could enable a hacker with admin-level access to gain global administrator privileges. This could lead to unauthorized access, including accessing sensitive data and planting malware in an organization’s cloud environment. Microsoft has introduced new controls to address the issue.

Key Takeaways from the Meeting Notes:

1. Issue with Microsoft’s Entra ID:
– Attacker with admin-level access to Entra ID can gain global administrator privileges, allowing limitless access to an organization’s cloud environment.
– Potential actions include accessing sensitive data, planting malware, and gaining control over Microsoft 365 and Azure applications.

2. Unauthorized Access:
– Users with privileged roles can assign credentials directly to a service principal, enabling the attacker to act as the targeted application when interfacing with Entra ID.
– The OAuth 2.0 client credential grant flow can be exploited to obtain tokens granting access to resources.

3. Identified Vulnerabilities:
– The vulnerabilities associated with various application service principals have been assigned medium, low, and high severity ratings by the Microsoft Security Response Center.
– The most significant issue lies within the Device Registration Service, allowing privilege elevation to the Global Administrator level.

4. Microsoft’s Response:
– Microsoft has implemented new controls to limit the use of credentials on service principals and has patched the issue with the Device Registration Service to return errors during privilege escalation attempts.

5. Uncertainty and Mitigation:
– It remains unclear whether the issue has been exploited in the wild.
– Organizations are advised to review Entra ID audit logs and be vigilant for leftover attacker credentials. However, these methods are not foolproof due to log expiration and the potential for attackers to hide their trails.
– The discovery highlights the need for stricter security measures around application administrators within organizations.

These takeaways highlight the critical security vulnerabilities identified with Microsoft’s Entra ID and the measures taken to address them, while underscoring the potential impact on cloud security for organizations using Microsoft 365 and Azure services.

Full Article