Severe Security Flaw Identified in Azure AD, a Core Microsoft Azure Tool
In the world of cloud-based identity and access management services (IAM), Microsoft Azure’s Active Directory (Azure AD) has long been regarded as a reliable and trusted solution. However, recent extensive research conducted by the Secureworks Counter Threat Unit (CTU) has uncovered a severe flaw within Azure AD. This flaw has the potential to compromise the security of the platform, allowing threat actors to exploit backdoors, modify access rights, bypass multi-factor authentication, block admin access without proper logging, and gather critical information for future attacks.
The Role of Azure AD in Identity and Access Management
Azure AD is a fundamental component of Microsoft Azure, providing robust identity and access management capabilities. It supports various authentication methods and, in its premium version, offers Conditional Access Policies (CAPs). CAPs enable organizations to grant or block access based on specific criteria, such as device compliance or user location. These policies are stored within the IAM service, allowing them to be modified through the Azure portal, PowerShell, or API calls.
Unveiling the Security Flaw: A Closer Look at CAP Settings
To assess the vulnerability of Azure AD’s CAP settings, the CTU researchers investigated the available APIs that allow for CAP settings editing. Their findings revealed three APIs, with one in particular, known as AADGraph, standing out as the only API allowing users to modify all CAP settings, including the metadata. This functionality provides administrators with the ability to tamper with crucial elements, such as creation and modification timestamps.
Unfortunately, modifications made using the AADGraph API were not being adequately logged, jeopardizing the integrity and non-repudiation of Azure AD policies. In effect, this flaw gives threat actors an opportunity to manipulate CAP settings without leaving a trace. The CTU researchers reported their findings to Microsoft in late May 2022; although the company acknowledged the issue a month later, it initially claimed the behaviour was not a bug but a feature. A year later, Microsoft informed the CTU researchers that it planned to address the issue by enhancing audit logs and restricting CAP updates via AADGraph.
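Because the research shows that policy timestamps can be rewritten and that the edits may not appear in the audit log, a defender cannot rely on modifiedDateTime or audit events alone to notice a tampered policy; a periodic content baseline of the policies themselves is the check that still works. The following is an added example, not code from Secureworks or Microsoft: it fingerprints only the access-deciding fields of each policy and diffs two constructed snapshots, flagging a policy whose content changed while its timestamp stayed put. Field names mirror the shape of a Conditional Access policy object (id, displayName, state, conditions, grantControls, modifiedDateTime); all values are made up.

```python
import hashlib
import json

# Constructed sample snapshots (values are invented for this example).
BASELINE = [
    {"id": "cap-1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "modifiedDateTime": "2022-05-01T10:00:00Z"},
    {"id": "cap-2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]},
     "modifiedDateTime": "2022-05-01T10:05:00Z"},
]
CURRENT = [
    # cap-1 now exempts an account from MFA, yet its modifiedDateTime was left untouched
    {"id": "cap-1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-exempt"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "modifiedDateTime": "2022-05-01T10:00:00Z"},
    # cap-2 is gone; cap-3 is new
    {"id": "cap-3", "displayName": "Allow from any location", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "modifiedDateTime": "2022-06-01T09:00:00Z"},
]

def policy_fingerprint(policy):
    """Hash only the fields that decide access. displayName and the timestamps are
    deliberately excluded: the research shows they can be rewritten, so they cannot
    anchor a detection."""
    core = {k: policy.get(k) for k in ("state", "conditions", "grantControls", "sessionControls")}
    blob = json.dumps(core, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def diff_policies(baseline, current):
    """Compare two snapshots by fingerprint. Returns (policy id, finding) pairs; a content
    change whose modifiedDateTime did not move is reported as likely metadata tampering."""
    base = {p["id"]: p for p in baseline}
    cur = {p["id"]: p for p in current}
    findings = []
    for pid in sorted(set(base) | set(cur)):
        if pid not in cur:
            findings.append((pid, "removed"))
        elif pid not in base:
            findings.append((pid, "added"))
        elif policy_fingerprint(base[pid]) != policy_fingerprint(cur[pid]):
            same_ts = base[pid].get("modifiedDateTime") == cur[pid].get("modifiedDateTime")
            findings.append((pid, "changed, timestamp unchanged" if same_ts else "changed"))
    return findings
```

In practice the snapshots would be pulled on a schedule from the supported policy API and stored outside the tenant, so that the baseline itself is not editable through the same path.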
Microsoft’s Efforts to Deprecate the AADGraph API
Secureworks emphasized that Microsoft has been attempting to phase out the AADGraph API for several years. As of now, the retirement of this API is scheduled for June 30, 2023. In line with this deprecation, Microsoft has already removed public AADGraph API documentation. This step is intended to eliminate the security risks associated with the API and pave the way for a more secure identity and access management ecosystem within Azure.
Conclusion
The Secureworks CTU’s extensive research has brought to light a critical security flaw in Microsoft Azure’s Active Directory (Azure AD). While the flaw has enabled threat actors to install backdoors, modify access rights, bypass multi-factor authentication, and block admin access without proper logging, Microsoft has taken notice and acknowledged the issue. The company has committed to improving the security of Azure AD by enhancing audit logs and restricting CAP updates via the AADGraph API. With the retirement of the AADGraph API on the horizon, Microsoft aims to provide a more secure environment for identity and access management within Azure.