Azure AD Security Defaults/MFA Bypass with Graph API
If you are an Azure AD free customer you should at least know of the setting called security defaults. Security defaults are for Azure AD Free customers that are not on a P1 or P2 licensing model. If you want to read more about security defaults you can do so at the following link:
Recently I discovered that MFA-enabled users in an Azure AD tenant are not protected by security defaults when an attacker holds a valid username/password and authenticates against a Microsoft Graph API endpoint.
Discovery
Scenario 1:
An attacker password sprays a victim tenant with weak passwords and manages to find valid accounts with weak passwords.
The attacker then uses a tool called MFASweep to confirm that the Graph API endpoints are not protected by MFA.
MFASweep lists the full single-factor results at the bottom of its report.
To provide additional proof, I verify that the compromised account is indeed enrolled in MFA.
Attacker Playbook: Azure AD Exfiltration
Any decent threat actor will start working on data exfiltration with the compromised account. The first step in data exfiltration is to extract the maximum amount of information from Azure AD. To demonstrate simple Azure AD exfiltration you can use O365recon, written by @nyxgeek.
From here you have tons of data at your disposal. All Azure AD users, Directory Role Administrators, Full Application lists, and tons more!
Attacker Playbook: Replaying Tokens
Now that I’ve demonstrated simple Azure AD exfiltration methods, the next step is to start acquiring tokens and replaying them in different areas of Azure. Keep in mind that all of this is done with security defaults on and the account I am targeting is enrolled in MFA. Because the endpoints below use the Graph API, all tokens were acquired with single-factor authentication.
Connecting to Azure AD with MS Graph Access Token
To connect directly to Azure AD in the context of your user with single-factor auth, do the following:
Pull an AAD Graph token using AADInternals with the following command:
Import-Module AADInternals
Get-AADIntAccessTokenForAADGraph
Now replay the token to connect to Azure Active Directory:
Connect-AzureAD -AadAccessToken
Since we now have full user-context control and have logged into Azure AD PowerShell, we have further methods at our disposal, such as adding unauthorized Azure AD guests into the environment for ongoing persistence.
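From the defender's side, the sign-ins described in this section leave a distinctive trace: a successful sign-in whose resource is Microsoft Graph or the legacy AAD Graph ("Windows Azure Active Directory") and whose authentication requirement is single-factor, coming from an account the tenant has enrolled in MFA. The following is an added detection example written for this post; it is not code from the post, from AADInternals, or from Microsoft. It assumes sign-in log records exported as JSON with the field names shown (userPrincipalName, appDisplayName, resourceDisplayName, authenticationRequirement, status.errorCode), and the sample records and the MFA-enrolled user list are constructed for illustration.

```python
"""Flag single-factor Graph API sign-ins by users who are enrolled in MFA.

Assumption: records follow the Azure AD sign-in log JSON shape as understood by the
editor of this example; check the field names against your own export before use.
"""
import json
from collections import Counter

# The two Graph resources the post discusses: MS Graph and the legacy AAD Graph.
GRAPH_RESOURCES = {"Microsoft Graph", "Windows Azure Active Directory"}

# Constructed list of users the tenant has enrolled in MFA (would normally come
# from an authentication-methods report).
MFA_ENROLLED_USERS = ["alice@contoso.example", "carol@contoso.example"]

# Constructed sample export: five sign-in records, two of which should be flagged.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Azure Active Directory PowerShell",
     "resourceDisplayName": "Windows Azure Active Directory",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "resourceDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example",       # not enrolled in MFA
     "appDisplayName": "Microsoft Graph PowerShell",
     "resourceDisplayName": "Microsoft Graph",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example",     # failed sign-in, ignored
     "appDisplayName": "Microsoft Graph PowerShell",
     "resourceDisplayName": "Microsoft Graph",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Graph PowerShell",
     "resourceDisplayName": "Microsoft Graph",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
])


def parse_signins(raw_json):
    """Load an exported sign-in log (a JSON array of records)."""
    records = json.loads(raw_json)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of sign-in records")
    return records


def find_single_factor_graph_signins(signins, mfa_enrolled_users):
    """Return the successful single-factor Graph sign-ins by MFA-enrolled users.

    Each hit carries the user, the client app and the Graph resource reached, so an
    analyst can tell MS Graph hits from legacy AAD Graph hits.
    """
    enrolled = {u.lower() for u in mfa_enrolled_users}
    hits = []
    for rec in signins:
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in enrolled:
            continue  # single-factor use by a non-enrolled user is a different finding
        if rec.get("resourceDisplayName") not in GRAPH_RESOURCES:
            continue
        if rec.get("authenticationRequirement") != "singleFactorAuthentication":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # only successful sign-ins indicate a working bypass
        hits.append({
            "user": upn,
            "app": rec.get("appDisplayName", ""),
            "resource": rec["resourceDisplayName"],
        })
    return hits


def count_hits_by_user(hits):
    """Summarise hits per user so the noisiest accounts surface first."""
    return dict(Counter(h["user"] for h in hits))


if __name__ == "__main__":
    found = find_single_factor_graph_signins(parse_signins(SAMPLE_SIGNINS),
                                             MFA_ENROLLED_USERS)
    for hit in found:
        print(f"{hit['user']} reached {hit['resource']} via {hit['app']} "
              "with single-factor auth")
    print(count_hits_by_user(found))
```

Running this over the constructed export flags alice (legacy AAD Graph via the Azure AD PowerShell client) and carol (Microsoft Graph via the Graph PowerShell client); the Exchange Online sign-in, the failed attempt and the non-enrolled user are left out. In a real tenant the enrolled-user list should be pulled from the authentication-methods report rather than hard-coded, and the query is most useful when scheduled against the continuous sign-in log feed.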
MSRC Contact and Response
MSRC was contacted and I provided the simple bypass techniques from the discovery and the Azure AD exfiltration methods shown in this blog. MSRC responded as below, stating that this does not meet Microsoft’s bar for a security vulnerability requiring servicing.
“Unless our documentation explicitly calls out multiple MFA needed through the process, this wouldn’t be considered a valid scenario since it requires an already compromised account.”
Azure PowerShell is a protected privileged activity according to Microsoft’s documentation, but as shown in this post, I was able to connect to Azure AD PowerShell using single-factor authentication with AADInternals.
Updated Remediation (8/23/23)
Customers on the Azure AD Free tier with security defaults on and end users enrolled in MFA do not have their Graph API endpoints protected unless per-user MFA is enabled on the account. The process is outlined below: