Tampering with Conditional Access Policies Using Azure AD Graph API

| property | value |
| --- | --- |
| tags | azure-ad,azure-cloud,hunt-pipeline-2023,pkm-pocket-pipeline,tactic-ad-attack |
| url | |
| original_word_count | 2016 |

Article Excerpt

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, and it supports multiple authentication methods.

Long Summary

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, and it supports multiple authentication methods. The premium version of Azure AD also supports Conditional Access policies (CAPs) that grant or block access based on defined criteria, such as device compliance or user location. In May 2022, Secureworks Counter Threat Unit (CTU) researchers investigated which APIs allow editing of CAP settings and identified three: the legacy Azure AD Graph (also known as AADGraph), Microsoft Graph, and an undocumented Azure IAM API. AADGraph was the only API that allowed modification of all CAP settings, including the metadata. This capability lets administrators tamper with all CAP settings, including the creation and modification timestamps.

The Microsoft Security Response Center (MSRC) recently informed the CTU research team of planned changes to address security issues related to the use of the Azure AD Graph API. The API allows administrators to make changes to Conditional Access Policies (CAPs) without properly logging the changes, which breaks integrity and non-repudiation of CAPs. This lack of an audit trail also allows low-privileged threat actors to identify gaps in CAPs or target them for future modification. To address these issues, the MSRC plans to improve audit logs to reflect the type of policy being updated when CA policies are updated through AAD Graph, and to prevent admins from using AAD Graph to make updates to CA policies. In addition, AAD Graph is set to be retired.

CTU researchers used the AADInternals toolkit to tamper with CAPs. They recommended that organizations store Azure AD audit logs in the Log Analytics workspace or in other storage solutions such as Secureworks Taegis™ XDR. Organizations can detect CAP modifications via the AADGraph API by monitoring audit logs for an 'Update policy' event that does not have a corresponding 'Update conditional access policy' event within two seconds. The researchers also provided a script to restore the names and modification dates of CAPs that have been created or modified using the Azure AD portal or the MS Graph API. Lastly, they provided a KQL query to identify 'Update policy' events that do not have a corresponding 'Update conditional access policy' event within two seconds.
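The pairing rule described above, sketched as an added example (this is not the CTU researchers' script or KQL query): it flags every 'Update policy' event that has no 'Update conditional access policy' event within two seconds. Field names follow the Microsoft Graph directoryAudit record, matching the two events on the target resource id is an assumption, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=2)  # pairing window stated in the summary
CAP_UPDATE = "Update conditional access policy"
POLICY_UPDATE = "Update policy"


def _ts(event):
    # Audit timestamps are ISO 8601 in UTC; normalise the trailing "Z".
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))


def _targets(event):
    # Assumption: both event types carry the policy id in targetResources.
    return {t["id"] for t in event.get("targetResources", [])}


def unmatched_policy_updates(events, window=WINDOW):
    """Return 'Update policy' events with no CAP update event for the
    same target inside the window (before or after)."""
    cap_updates = [e for e in events if e["activityDisplayName"] == CAP_UPDATE]
    hits = []
    for e in events:
        if e["activityDisplayName"] != POLICY_UPDATE:
            continue
        paired = any(
            abs(_ts(c) - _ts(e)) <= window and _targets(c) & _targets(e)
            for c in cap_updates
        )
        if not paired:
            hits.append(e)
    return hits


def _evt(eid, name, when, policy):
    return {"id": eid, "activityDisplayName": name,
            "activityDateTime": when, "targetResources": [{"id": policy}]}


# Constructed sample events (not real tenant data).
SAMPLE = [
    _evt("evt-1", CAP_UPDATE, "2023-01-10T09:00:00Z", "cap-0001"),     # normal edit
    _evt("evt-2", POLICY_UPDATE, "2023-01-10T09:00:01Z", "cap-0001"),  # paired with evt-1
    _evt("evt-3", POLICY_UPDATE, "2023-01-10T11:30:00Z", "cap-0002"),  # no CAP event at all
    _evt("evt-4", POLICY_UPDATE, "2023-01-10T12:00:00Z", "cap-0001"),  # CAP event too late
    _evt("evt-5", CAP_UPDATE, "2023-01-10T12:00:05Z", "cap-0001"),
]

if __name__ == "__main__":
    for hit in unmatched_policy_updates(SAMPLE):
        print(hit["activityDateTime"], hit["id"], sorted(_targets(hit)))
```

Because the summary notes that the audit log does not yet state which type of policy an 'Update policy' event touched, each hit is a lead to triage against the list of known CAP ids rather than proof of tampering.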

The MSRC is taking steps to address security issues related to the use of the Azure AD Graph API. Organizations should store Azure AD audit logs in the Log Analytics workspace or in other storage solutions, and use the provided script and KQL queries to monitor and detect unauthorized access to CAPs.

Short Summary

📓 Tampering with Conditional Access Policies Using Azure AD Graph API

👉🏽 Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, and it supports multiple authentication methods. Specific highlights include:

πŸ‘‰πŸ½ Azure AD is Microsoft's cloud-based identity and access management service. πŸ‘‰πŸ½ It supports multiple authentication methods. πŸ‘‰πŸ½ The premium version supports Conditional Access policies (CAPs). πŸ‘‰πŸ½ CTU researchers investigated APIs for editing CAP settings. πŸ‘‰πŸ½ AADGraph is the only API allowing modification of all CAP settings. πŸ‘‰πŸ½ The lack of an audit trail poses security risks. πŸ‘‰πŸ½ MSRC plans to address these issues by improving audit logs and retiring AADGraph. πŸ‘‰πŸ½ CTU recommended storing audit logs and using provided scripts and KQL queries. πŸ‘‰πŸ½ Organizations can detect unauthorized access by monitoring audit logs. πŸ‘‰πŸ½ The MSRC is taking proactive measures to ensure the security of Azure AD.

#AzureAD #ConditionalAccess #SecurityIssues #AuditLogs #API