property | value |
tags | azure-ad,azure-cloud,pkm-pocket-pipeline |
url | |
original_word_count | 2075 |
Article Excerpt
Global Admin role is the most powerful administrator role in Azure AD. It is (almost) equivalent to the local system rights in a traditional Windows environment: If you are a Global Admin, there is no security! As a Global Admin, there are no limits to what you are allowed to do.
Long Summary
Global Admins in Azure AD have the most powerful administrator role, granting them access to all administrative features of Azure AD and Office/Microsoft 365 services. With AADInternals v0.4.0, Global Admins can elevate themselves to User Access Administrators, assign themselves the Virtual Machine Contributor role, and harvest users' credentials with PTASpy. They can also set users' MFA settings using the MSOnline PowerShell module, and change the default MFA method, MFA phone number, and MFA device of the user.
The article explains how Global Admins can create backdoors to Azure AD in order to gain persistent access to the system. The three backdoors discussed are ConvertTo-AADIntBackdoor, Desktop SSO, and Pass-through Authentication. ConvertTo-AADIntBackdoor is a PowerShell command that allows Global Admins to create a backdoor with a given domain name and use the ImmutableId of a user to create a SAML token and use it to get an OAuth Access Token. Desktop SSO is a feature that allows users to log in to their accounts without having to enter their passwords, and Pass-through Authentication is a feature that allows users to log in to their accounts without having to enter their passwords. Global Admins can create a backdoor to Azure AD by installing the authentication agent, configuring it with their own tenant, changing the certificate to one they created during the PTA agent registration, and installing PTASpy.
It is important to note that all Global Admins' actions are logged to audit logs, and that Desktop SSO and PTA backdoors DO NOT bypass MFA. It is also important to ensure that Global Admins are trustworthy and that their access is monitored. With the right backdoors, Global Admins can access users' information, send emails in their names, and much more.
Overall, Global Admins have a wide range of capabilities that can be used to compromise Azure AD and Office/Microsoft 365 services. It is important to be aware of the backdoors they can create and the risks associated with them.
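Because the summary notes that Global Admin actions are written to the audit logs, the following added example (not code from the original article or from AADInternals) triages exported audit records for the changes described above: domain federation changes, authentication agent registration, and edits to a user's MFA settings. The record layout follows the Microsoft Graph directoryAudit fields; the watched activity names, the MFA property names, the helper names and the sample records are assumptions to verify against your own tenant's export.

```python
import json
# Assumed activityDisplayName values; confirm against your own tenant's export.
WATCHED = {
    "Set domain authentication": "domain authentication type changed",
    "Set federation settings on domain": "federation settings changed",
    "Register connector": "authentication agent (connector) registered",
}
# Assumed modified-property names that carry a user's MFA settings.
MFA_PROPS = {"StrongAuthenticationMethod", "StrongAuthenticationUserDetails",
             "StrongAuthenticationPhoneAppDetail"}

def actor_of(rec):
    """Return the initiating user's UPN, else the app name, else 'unknown'."""
    by = rec.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def triage(records, expected_actors=frozenset()):
    """Return findings for watched activities; expected_actors holds lowercase UPNs."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        reason = WATCHED.get(activity)
        if reason is None and activity == "Update user":
            changed = {p.get("displayName")
                       for t in rec.get("targetResources") or []
                       for p in t.get("modifiedProperties") or []}
            hits = sorted(changed & MFA_PROPS)
            reason = "MFA settings changed: " + ", ".join(hits) if hits else None
        if reason:
            actor = actor_of(rec)
            findings.append({"time": rec.get("activityDateTime"), "actor": actor,
                             "reason": reason,
                             "unexpected_actor": actor.lower() not in expected_actors})
    return findings

# Constructed sample records (not real tenant data).
SAMPLE = json.loads("""[
 {"activityDateTime": "2024-01-01T10:00:00Z", "activityDisplayName": "Set domain authentication",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}, "targetResources": []},
 {"activityDateTime": "2024-01-01T10:05:00Z", "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
  "targetResources": [{"modifiedProperties": [{"displayName": "StrongAuthenticationMethod"}]}]},
 {"activityDateTime": "2024-01-01T10:06:00Z", "activityDisplayName": "Update user",
  "initiatedBy": {"app": {"displayName": "Sync"}},
  "targetResources": [{"modifiedProperties": [{"displayName": "Department"}]}]}
]""")

if __name__ == "__main__":
    print(*triage(SAMPLE, {"helpdesk@contoso.example"}), sep="\n")
```

The `unexpected_actor` flag separates routine helpdesk MFA resets from the same change made by an account that is not on the approved list, which is the case worth alerting on.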
Short Summary
Keys of the kingdom: Playing God as Global Admin
- Global Admin role is the most powerful administrator role in Azure AD. It is (almost) equivalent to the local system rights in a traditional Windows environment: If you are a Global Admin, there is no security! As a Global Admin, there are no limits to what you are allowed to do.
- Global Admins in Azure AD have the most powerful administrator role.
- They have access to all administrative features of Azure AD and Office/Microsoft 365 services.
- With AADInternals v0.4.0, Global Admins can elevate themselves to User Access Administrators.
- They can assign themselves the Virtual Machine Contributor role.
- They can harvest users' credentials with PTASpy.
- Global Admins can set users' MFA settings using the MSOnline PowerShell module.
- They can change the default MFA method, MFA phone number, and MFA device of the user.
- The article explains how Global Admins can create backdoors to Azure AD.
- The three discussed backdoors are ConvertTo-AADIntBackdoor, Desktop SSO, and Pass-through Authentication.
- Global Admins can access users' information, send emails in their names, and more.
Source link: https://aadinternals.com/post/admin/
Summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/keys-of-the-kingdom-playing-god-as-global-admin
#GlobalAdmins #AzureAD #Backdoors #SecurityRisks #AccessControl