Hazy Issue in Entra ID Allows Privileged Users to Become Global Admins

Summary: A security issue in Microsoft’s Entra ID could allow an attacker who already holds admin-level access to gain extensive control over an organization’s cloud environment, potentially leading to data breaches and malware deployment. Eric Woodruff from Semperis highlights the risks of loosely managed application administrators and the implications of layered, undocumented authorization mechanisms in Entra ID.

Threat Actor: Unknown
Victim: Organizations using Microsoft 365 and Azure

Key Points:

  • Attackers with admin-level access can exploit vulnerabilities in Entra ID to gain global administrator privileges.
  • Three critical service principals were identified that could perform unauthorized actions, including deleting users and elevating privileges.
  • Microsoft is implementing new controls to limit credential use on service principals, but the extent of prior exploitation remains unclear.
  • Organizations are encouraged to review Entra ID audit logs to detect potential unauthorized access, though this method has limitations.

BLACK HAT USA – Las Vegas – Wednesday, Aug. 7 – An obscure issue with Microsoft’s Entra ID identity and access management service could allow a hacker to access every corner of an organization’s cloud environment.

Crucially, the attack requires that a hacker already have access to an admin-level account. With that in hand, though, the possibilities are limitless. At 4:20 p.m. local time today at Black Hat, Eric Woodruff, senior cloud security architect at Semperis, will describe how an attacker in such a position could take advantage of layered authentication mechanisms in Entra ID to gain all-powerful global administrator privileges.

An attacker with global administrator privileges can do anything in an organization’s cloud environment to any of its connected services, including but not limited to accessing sensitive data and planting malware. As Woodruff explains, “It’s like being a domain administrator in the cloud. As a global administrator, you can literally do anything: You could get into people’s emails in Microsoft 365, you could move into any application that’s tied to Azure, etc.”

UnOAuthorized Access in the Cloud

Entra ID is central to any organization using Microsoft 365 and Azure, managing and securing access and permissions across cloud applications and services.

Within each tenant (organization), Entra ID represents each application that can act in the tenant as a “service principal,” an identity object that, like a user or a group, can be assigned roles and permissions. That includes the service principals for Microsoft’s own services, such as the three named below.

The problem identified by Woodruff begins with the fact that users holding the privileged Application Administrator or Cloud Application Administrator roles can add credentials (a client secret or a certificate) directly to an existing service principal. An attacker with either role can add a credential to a targeted application’s service principal and then authenticate as that application when interfacing with Entra ID.

Next, the attacker follows the OAuth 2.0 client credentials grant, presenting the newly added credential to Entra ID in exchange for an access token that carries whatever rights the service principal already holds. This is where the second major issue comes into play. During his research, Woodruff identified three application service principals capable of performing actions they did not appear to have permission to enact:

  • In the enterprise social networking service Viva Engage (formerly Yammer), the ability to permanently delete users, including Global Administrators.

  • In the Microsoft Rights Management Service, the ability to add users.

  • In the Device Registration Service, the ability to elevate privileges to the Global Administrator level.

The Microsoft Security Response Center (MSRC) assigned these vulnerabilities medium, low, and high severity ratings, respectively.

Woodruff emphasizes that the issue with the Device Registration Service is far more significant than the others. “Generally, you would delegate Admin roles to people doing more day-to-day, mundane things [in your organization]. They don’t have the power to do whatever. But if they happen to know of this path we found, they could go give themselves that role,” he explains.

Dealing With Cloud Permissions

When Woodruff went to Microsoft with his findings, the company explained that, in fact, he was allowed to do what he did thanks to hidden authentication mechanisms “behind the scenes.”

Dark Reading reached out to Microsoft for more information about how these layered, unseen authentication mechanisms work, and why they exist in the first place. A Microsoft spokesperson replied with no further details.

For now, Microsoft has been patching over the issue with new controls that limit the use of credentials on these service principals. An attempt to escalate privileges through the Device Registration Service now fails, with Microsoft Graph returning an error.

It’s unclear whether this issue has ever been exploited in the wild. To check, Woodruff says, organizations can review Entra ID audit logs, or look for leftover attacker credentials on service principals. Neither method is foolproof, however: audit logs are retained only for a limited period, and an attacker can remove the credential they added, covering their tracks after the fact.
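Detection logic for the chain described above, as an added example that is not from the Dark Reading article or from Semperis: it correlates a credential being added to a service principal with a sensitive directory change later initiated as that service principal (a role assignment, or a user creation or deletion, the actions the three service principals were found able to perform). The record shape (activityDisplayName, activityDateTime, initiatedBy, targetResources, a quoted Role.DisplayName modified property) is assumed here from Microsoft Graph auditLogs/directoryAudits; the events, object IDs and account names are constructed for the example, and a later credential removal does not erase the pairing.

```python
"""Correlate Entra ID audit events: credential added to a service principal,
then a sensitive change made *as* that service principal (added example,
constructed data; record shape assumed from Graph auditLogs/directoryAudits)."""
from datetime import datetime, timedelta

# Changes reachable through the three service principals the article names:
# role elevation (Device Registration Service), user creation (Rights
# Management), user deletion (Viva Engage). Activity names as assumed here.
SENSITIVE_ACTIVITIES = {"Add member to role", "Add user",
                        "Delete user", "Hard Delete user"}
CREDENTIAL_ADD = "Add service principal credentials"
LOOKBACK = timedelta(days=7)  # how far back to look for the credential add

DRS_ID = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed object ID
HR_ID = "33333333-aaaa-4bbb-8ccc-000000000003"   # constructed object ID

# Constructed sample events, deliberately out of order to exercise sorting.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-08-07T16:24:00Z",       # made as the app itself
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"servicePrincipalId": DRS_ID,
                             "displayName": "Device Registration Service"}},
     "targetResources": [{"type": "User",
                          "userPrincipalName": "appadmin@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": '"Global Administrator"'}]}]},
    {"activityDateTime": "2024-08-07T16:20:00Z",       # app admin adds a secret
     "activityDisplayName": CREDENTIAL_ADD,
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"id": DRS_ID, "type": "ServicePrincipal",
                          "displayName": "Device Registration Service"}]},
    {"activityDateTime": "2024-08-07T18:05:00Z",       # clean-up: secret removed
     "activityDisplayName": "Remove service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"id": DRS_ID, "type": "ServicePrincipal",
                          "displayName": "Device Registration Service"}]},
    {"activityDateTime": "2024-08-06T09:00:00Z",       # benign: LOB app, no follow-up
     "activityDisplayName": CREDENTIAL_ADD,
     "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
     "targetResources": [{"id": HR_ID, "type": "ServicePrincipal",
                          "displayName": "Contoso HR Sync"}]},
    {"activityDateTime": "2024-08-07T10:00:00Z",       # role change by a human admin
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "newadmin@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": '"User Administrator"'}]}]},
]


def _ts(value):
    """Parse an ISO-8601 timestamp such as 2024-08-07T16:20:00Z (pre-3.11 safe)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _initiator(event):
    """Return ('app', servicePrincipalId) or ('user', UPN) for who made the change."""
    who = event.get("initiatedBy") or {}
    if who.get("app"):
        return "app", who["app"].get("servicePrincipalId")
    return "user", (who.get("user") or {}).get("userPrincipalName")


def _role_name(event):
    """Role named in an 'Add member to role' record; Graph quotes the value."""
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                return (prop.get("newValue") or "").strip('"')
    return None


def find_credential_abuse(events, lookback=LOOKBACK):
    """Return one finding per sensitive change initiated by a service principal
    that received a new credential within `lookback` before the change.
    A later 'Remove service principal credentials' does not erase the pairing."""
    cred_adds = {}  # servicePrincipalId -> [(time, added_by, display name)]
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["activityDateTime"])):
        name, when = ev.get("activityDisplayName"), _ts(ev["activityDateTime"])
        kind, actor = _initiator(ev)
        if name == CREDENTIAL_ADD:
            for target in ev.get("targetResources") or []:
                if target.get("type") == "ServicePrincipal":
                    cred_adds.setdefault(target.get("id"), []).append(
                        (when, actor, target.get("displayName")))
        elif name in SENSITIVE_ACTIVITIES and kind == "app":
            recent = [c for c in cred_adds.get(actor, []) if when - lookback <= c[0] <= when]
            if recent:
                added_at, added_by, sp_name = recent[-1]
                findings.append({
                    "service_principal": sp_name,
                    "credential_added_by": added_by,
                    "credential_added_at": added_at.isoformat(),
                    "activity": name,
                    "role": _role_name(ev),
                    "activity_at": when.isoformat(),
                    "targets": [t.get("userPrincipalName") or t.get("displayName")
                                for t in ev.get("targetResources") or []],
                })
    return findings


if __name__ == "__main__":
    for f in find_credential_abuse(SAMPLE_EVENTS):
        print(f"{f['credential_added_by']} added a credential to {f['service_principal']} "
              f"at {f['credential_added_at']}; that principal then did '{f['activity']}' "
              f"({f['role']}) on {f['targets']} at {f['activity_at']}")
```

Run against exported audit logs (Graph `auditLogs/directoryAudits`, or the same records forwarded to a SIEM) with a lookback that matches your retention window; the benign credential add and the human-initiated role change in the sample produce no finding, while the Device Registration Service pairing is reported even though the secret was removed two hours later. The check only works while both events are still retained, which is the limitation the article notes.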

“Having worked in the whole Microsoft ecosystem awhile, I’ve run a lot of security assessments and would find that a lot of organizations have relatively lax security around application administrators. You see it in the news these days: Someone targets the help desk, and the next thing you know, they’re a domain admin, because of some privilege chain,” he says.

This latest discovery, though part of the same pattern, was nonetheless a bit of a shock. “It was sort of like: Oh, these app admins at a lot of orgs aren’t really guarded the way they should be,” he says.

Source: https://www.darkreading.com/application-security/hazy-issue-entra-id-privileged-users-become-global-admins