Hazy Issue in Entra ID Allows Privileged Users to Become Global Admins

Hidden authentication mechanisms in Microsoft Entra ID allow an attacker who already holds a privileged application-administration role to escalate to Global Administrator in cloud environments, paving the way for complete takeover.

[Image: a hand with a tiny Earth hanging from a string. Source: Sergey Nivens via Alamy Stock Photo]

BLACK HAT USA – Las Vegas – Wednesday, Aug. 7 – An obscure issue with Microsoft's Entra ID identity and access management service could allow a hacker to access every corner of an organization's cloud environment.

Crucially, the attack requires that a hacker already have access to an account holding an application-administration role in the tenant. With that in hand, though, the possibilities are limitless. At 4:20 p.m. local time today at Black Hat, Eric Woodruff, senior cloud security architect at Semperis, will describe how an attacker in such a position could take advantage of layered authentication mechanisms in Entra ID to gain Global Administrator privileges, the most powerful role in the tenant.

An attacker with global administrator privileges can do anything in an organization's cloud environment to any of its connected services, including but not limited to accessing sensitive data and planting malware. As Woodruff explains, "It's like being a domain administrator in the cloud. As a global administrator, you can literally do anything: You could get into people's emails in Microsoft 365, you could move into any application that's tied to Azure, etc."

UnOAuthorized Access in the Cloud

Entra ID is central to any organization using Microsoft 365 and Azure, managing and securing access and permissions across cloud applications and services.

Within each tenant (organization), Entra ID represents each application as a "service principal," a directory object that can be assigned roles and permissions and can authenticate in its own right. Users and groups are separate object types, but they, too, can be assigned roles.

The problem Woodruff identified starts with documented behavior rather than a bug: users holding the Application Administrator or Cloud Application Administrator role can add credentials (a client secret or a certificate) directly to a service principal in the tenant, including the service principals of Microsoft's own first-party applications. An attacker holding either role can therefore mint a credential for a targeted application and then authenticate to Entra ID as that application.

Next, the attacker follows the OAuth 2.0 client credentials grant: the application's credential is presented to the token endpoint and exchanged for an access token that carries whatever the application is allowed to do. This is where the second major issue comes into play. During his research, Woodruff identified three Microsoft application service principals that could perform actions nothing in their visible permissions suggested they could:

  • In the enterprise social networking service Viva Engage (formerly Yammer), the ability to permanently delete users, including Global Administrators.

  • In the Microsoft Rights Management Service, the ability to add users.

  • For the Device Registration Service, the ability to elevate privileges to the Global Administrator level.

The Microsoft Security Response Center (MSRC) assigned these vulnerabilities medium, low, and high severity ratings, respectively.

Woodruff emphasizes that the issue with the Device Registration Service is far more significant than the others. "Generally, you would delegate Admin roles to people doing more day-to-day, mundane things [in your organization]. They don't have the power to do whatever. But if they happen to know of this path we found, they could go give themselves that role," he explains.

Dealing With Cloud Permissions

When Woodruff took his findings to Microsoft, the company explained that what he had done was, in fact, permitted, thanks to hidden authentication mechanisms working "behind the scenes."

Dark Reading reached out to Microsoft for more information about how these layered, unseen authentication mechanisms work, and why they exist in the first place. A Microsoft spokesperson replied with no further details.

For now, Microsoft has been mitigating the issue with new controls that limit the use of credentials on these service principals: an attempt to escalate through the Device Registration Service now causes Microsoft Graph to return an error.

It's unclear whether this issue has ever been exploited in the wild. To find out, Woodruff says, organizations can review Entra ID audit logs (for example, for credentials added to Microsoft's first-party service principals and for Global Administrator assignments initiated by those applications) or look for leftover attacker credentials on those service principals. Neither method is foolproof: Entra ID keeps audit logs for only 30 days by default (seven on the free tier) unless they are exported to Log Analytics or a SIEM, and an attacker who has reached Global Administrator can remove the credentials and role assignments they added.
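The two checks just described, and the credential-then-token chain laid out earlier in the article, can be turned into a small hunting script. What follows is an added example, not code from Woodruff's talk or from Microsoft. It runs over constructed records shaped like the Microsoft Graph servicePrincipal and directoryAudit objects; every ID, name and timestamp in it is made up except the Microsoft Services tenant ID that first-party applications carry as appOwnerOrganizationId, and the audit activity names "Add service principal credentials" and "Add member to role", which are the ones Entra ID emits. The chain detection assumes the role grant shows the first-party application as the initiator (initiatedBy.app), which is what a client credentials token obtained with the added secret produces.

```python
"""Hunt for the UnOAuthorized chain in Entra ID audit and service principal data."""
import json
from datetime import datetime, timedelta

# appOwnerOrganizationId carried by Microsoft first-party applications in every
# tenant (the Microsoft Services tenant). All other IDs below are constructed.
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
CRED_ADD = "Add service principal credentials"  # Entra audit activity name
ROLE_ADD = "Add member to role"                  # Entra audit activity name
GLOBAL_ADMIN = "Global Administrator"

# Constructed servicePrincipal objects, trimmed to the fields the checks use.
SERVICE_PRINCIPALS = [
    {"id": "sp-drs", "displayName": "Device Registration Service",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
     "passwordCredentials": [{"keyId": "k1"}], "keyCredentials": []},
    {"id": "sp-viva", "displayName": "Viva Engage",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
     "passwordCredentials": [], "keyCredentials": []},
    {"id": "sp-lob", "displayName": "Payroll Sync",  # tenant's own app: secrets expected
     "appOwnerOrganizationId": "00000000-0000-0000-0000-000000000c0d",
     "passwordCredentials": [{"keyId": "k2"}], "keyCredentials": []},
]

# Constructed directoryAudit records in the shape Microsoft Graph returns them.
AUDIT_LOGS = [
    {"activityDateTime": "2024-07-30T10:00:00Z", "activityDisplayName": CRED_ADD,
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"id": "sp-drs", "type": "ServicePrincipal",
                          "displayName": "Device Registration Service"}]},
    {"activityDateTime": "2024-07-30T10:04:00Z", "activityDisplayName": ROLE_ADD,
     "initiatedBy": {"app": {"servicePrincipalId": "sp-drs",
                             "displayName": "Device Registration Service"}},
     "targetResources": [{"id": "u-1", "type": "User",
                          "displayName": "appadmin@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2024-07-30T11:30:00Z", "activityDisplayName": ROLE_ADD,  # benign
     "initiatedBy": {"user": {"userPrincipalName": "ga@contoso.example"}},
     "targetResources": [{"id": "u-2", "type": "User",
                          "displayName": "helpdesk@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def first_party_ids(sps):
    return {sp["id"] for sp in sps if sp.get("appOwnerOrganizationId") == MICROSOFT_SERVICES_TENANT}


def first_party_sps_with_credentials(sps):
    """Leftover-credential check: Microsoft-owned service principals normally carry
    no tenant-added secret or certificate, so any credential on one is suspect."""
    hits = []
    for sp in sps:
        if sp.get("appOwnerOrganizationId") == MICROSOFT_SERVICES_TENANT:
            for cred in sp.get("passwordCredentials", []) + sp.get("keyCredentials", []):
                hits.append((sp["displayName"], cred["keyId"]))
    return hits


def _role_granted(record):
    # Role name arrives as a JSON-encoded string in modifiedProperties.
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop["newValue"]), target.get("displayName")
    return None, None


def find_escalation_chains(logs, first_party, window_minutes=60):
    """Correlate a credential added to a first-party SP with that SP, acting as the
    OAuth client, granting Global Administrator within the window."""
    cred_adds = [r for r in logs if r["activityDisplayName"] == CRED_ADD]
    chains = []
    for rec in logs:
        app = rec.get("initiatedBy", {}).get("app")
        if rec["activityDisplayName"] != ROLE_ADD or not app:
            continue
        sp_id = app.get("servicePrincipalId")
        role, grantee = _role_granted(rec)
        if sp_id not in first_party or role != GLOBAL_ADMIN:
            continue
        for add in cred_adds:
            target = add["targetResources"][0]
            gap = _ts(rec["activityDateTime"]) - _ts(add["activityDateTime"])
            if target["id"] == sp_id and timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                chains.append({
                    "credential_added_by": add["initiatedBy"].get("user", {}).get("userPrincipalName"),
                    "service_principal": target["displayName"],
                    "global_admin_granted_to": grantee,
                    "minutes_between": gap.total_seconds() / 60,
                })
    return chains


if __name__ == "__main__":
    print("first-party SPs with credentials:", first_party_sps_with_credentials(SERVICE_PRINCIPALS))
    print("escalation chains:", find_escalation_chains(AUDIT_LOGS, first_party_ids(SERVICE_PRINCIPALS)))
```

Against real data, the two input lists would come from the Graph endpoints `/servicePrincipals` (with `appOwnerOrganizationId`, `passwordCredentials` and `keyCredentials` selected) and `/auditLogs/directoryAudits`, and the same correlation can be expressed as a KQL join over the AuditLogs table once the logs are exported to Log Analytics. The time window matters because the credential-add and the role grant are separate events; a short window keeps the alert precise, but an attacker can wait, so the leftover-credential check is the one that does not depend on timing.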

"Having worked in the whole Microsoft ecosystem awhile, I've run a lot of security assessments and would find that a lot of organizations have relatively lax security around application administrators. You see it in the news these days: Someone targets the help desk, and the next thing you know, they're a domain admin, because of some privilege chain," he says.

This latest discovery, though part of the same pattern, was nonetheless a bit of a shock. "It was sort of like: Oh, these app admins at a lot of orgs aren't really guarded the way they should be," he says.


About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
