Microsoft’s Azure Active Directory (Azure AD), the company’s go-to cloud-based identity and access management service (IAM), carries a severe flaw that enabled threat actors to install backdoors.
This is according to extensive research from the Secureworks Counter Threat Unit (CTU), which says the issue could also let hackers modify access rights to bypass multi-factor authentication and block admin access without proper logging, and gather information on policy configurations to enable future attacks.
Azure AD supports multiple authentication methods, while the premium version also supports Conditional Access Policies (CAPs) that grant, or block access, based on different criteria, such as device compliance or user location. The IAM service is the one storing these settings, allowing CAPs to be modified either via the portal, PowerShell, or API calls.
One API
The researchers set out to see which APIs allow CAP settings editing, and found three.
One of the three, called AADGraph, was the only one allowing users to modify all CAP settings, including the metadata. This, the researchers say, allows admins to tamper with things such as creation and modification timestamps, and given that modifications made using AADGraph weren’t being properly logged, the integrity and non-repudiation of Azure AD policies were thus at risk.
The researchers shared their findings with Microsoft in late May 2022, which confirmed the findings a month later but stated that this was not a bug, but a feature. However, a year later, Microsoft notified CTU researchers that it plans on making changes that will improve audit logs and restrict CAP updates via AADGraph.
Secureworks also stresses that Microsoft’s been trying to deprecate the AADGraph API “for years”. At the moment, the retirement is scheduled for June 30, 2023. Microsoft has removed public AADGraph API documentation.
