I SPy: Rethinking Entra ID research for new paths to Global Admin
Summary
TLDRIn this talk, Katie Nolles from DataDog explores a security vulnerability within Microsoft’s Entra ID (formerly Azure AD), focusing on service principal hijacking and privilege escalation from app admin to global admin. She walks through the attack vectors, explains how she tested them, and highlights the importance of understanding the boundaries of trust within Microsoft environments. Katie emphasizes the importance of thorough research, taking good notes, and sharing findings. She also provides insights on mitigation strategies, including the use of application instance property locks and the role of global admins in securing critical services.
Takeaways
- 😀 Microsoft’s service principal roles have specific permission scopes that are tied to different administrator roles.
- 😀 App admins have certain powers but cannot assign credentials to Office 365 Exchange Online service principals without global admin permissions.
- 😀 MSRC’s response indicated that the issue of app admins escalating to global admins is an edge case and not prioritized for fixing.
- 😀 Researching vulnerabilities involves deep problem-solving, clarity in communication, and patience in the process of eliminating ambiguities.
- 😀 Using service principles in cloud applications can lead to unexpected behaviors due to misconfigurations or unclarified access paths.
- 😀 There’s a dynamic discussion about the ability for app admins to escalate privileges to global admins, with Microsoft working to tighten these gaps.
- 😀 Configuring ‘app instance property lock’ is crucial for preventing privilege escalation attacks in custom applications.
- 😀 Microsoft restricts the ability to assign credentials to first-party apps like SharePoint and Exchange to global admins only.
- 😀 The Microsoft ecosystem has improved significantly in terms of limiting credential assignments, with only a few apps left with this vulnerability.
- 😀 Anyone interested in researching similar issues should focus on understanding system boundaries, taking thorough notes, and not being discouraged by perceived lack of qualifications.
Q & A
What is the core research topic discussed in the presentation?
-The core research topic revolves around service principle hijacking in Microsoft Entra ID (formerly Azure Active Directory), focusing on the security implications of assigning credentials and roles, particularly the escalation from app admin to global admin.
What did the speaker discover regarding app admin roles and service principles?
-The speaker discovered that app admin roles could sometimes assign credentials to service principles, but certain roles like user with app admin privileges couldn't. This inconsistency was identified as a potential security gap.
How did Microsoft respond to the research findings regarding service principles and app admin roles?
-Microsoft's response was that the findings were considered an edge case. They did not express interest in fixing it, as they deemed it unlikely to affect the majority of users, given the specific nature of the problem.
What role did the MSRC (Microsoft Security Response Center) play in the investigation?
-The MSRC provided clarification on the issue, stating that only global admins could assign credentials to the Office 365 Exchange online service principle, which helped the researcher narrow down the issue to specific roles.
What advice did the speaker give regarding research in security and role escalation?
-The speaker encouraged a methodical and patient approach to research, emphasizing the importance of thinking critically about specific conditions under which an attack or vulnerability could occur. It's also essential to stay open to collaboration and seeking help from others when stuck.
What is the significance of the 'app instance property lock' in this research?
-The 'app instance property lock' is a setting that can help mitigate the risk of privilege escalation. Enabling this setting ensures that only specific, trusted accounts can interact with the app instance, thus limiting the scope of potential attacks.
Which Microsoft first-party apps were found to allow app admins to assign credentials?
-Only a few Microsoft first-party apps, such as Exchange and SharePoint, allowed app admins to assign credentials. The majority of Microsoft first-party apps do not allow app admins to assign credentials at all.
What steps has Microsoft taken to address the issue of escalating privileges from app admin to global admin?
-Microsoft is actively working on addressing the privilege escalation issue. Although their documentation currently still claims this behavior is by design, the company is making backend changes to prevent such escalations in the future.
What advice did Katie Nolles give to those wanting to explore transitive trust vulnerabilities?
-Katie Nolles advised focusing on understanding the boundaries of how systems define roles and permissions. She encouraged anyone interested in researching similar topics to start with a strong foundation of critical thinking and documentation, even if they don’t consider themselves 'natural hackers'.
How does the concept of 'transitive trust' play into the research presented in the talk?
-Transitive trust refers to the indirect relationships that can arise from trust assumptions within systems. In this case, the research looked at how trust between different roles and permissions in Entra ID can lead to unintended privilege escalations, especially when roles like app admin have broader implications than expected.
Outlines

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.
Améliorer maintenantMindmap

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.
Améliorer maintenantKeywords

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.
Améliorer maintenantHighlights

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.
Améliorer maintenantTranscripts

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.
Améliorer maintenant5.0 / 5 (0 votes)