Multi-factor Authentication (MFA) and Conditional Access (CA) policies are powerful tools to protect Azure AD users' identities. For instance, one may allow access only from compliant devices and require MFA from all users. However, because of the Azure AD authentication platform architecture, users can bypass home tenant MFA and CA policies when logging in directly to resource tenants.

This blog post tries to shed some light on how Azure AD authentication works under the hood. We'll introduce the issue, describe how to exploit it, show how to detect exploitation, and finally, how to prevent it. The blog is co-authored with Sravan and is based on his findings.

This story, like many others, began after a tweet:

I replied to Sravan and asked him to DM me if he'd like me to have a look at his case. Luckily, he did.

Azure AD

Azure Active Directory (Azure AD) is Microsoft's Identity and Access Management (IAM) service, used by Microsoft 365 and Azure but also by thousands of third-party service providers. An instance of Azure AD is called a tenant. Users can log in to the tenant using the authentication methods configured by its administrators; Microsoft calls this the user's home tenant.

Users are also able to log in to other tenants if they are invited there as guests; Microsoft calls these tenants resource tenants. After the user accepts the invitation, a corresponding user object is created in the resource tenant. The resource tenant user object has an array of alternativeSecurityIds, and one of them (of type 5) equals the PUID (aka LiveId) attribute of the home tenant user object. The two objects are thus linked to each other.

eSTS

Based on our observations, when logging in to an Azure AD tenant, you are actually logging in to eSTS. But what is eSTS? According to the Microsoft Azure SOC 3 Report.
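The home-to-resource tenant linkage described above, as an added example that is not part of the original post: given an export of home tenant user objects (with their PUID) and resource tenant user objects (with their alternativeSecurityIds), it decodes the type-5 entry of each guest and resolves which home tenant user it points at. All user objects are constructed sample data; the attribute names follow the legacy directory schema named in the text, and the assumption that a type-5 key is the base64 encoding of the ASCII hex PUID is mine, not something the post states.

```python
import base64
import binascii

# Constructed sample data (not real directory objects). ASSUMPTION: a type-5
# alternativeSecurityId key is the base64 encoding of the ASCII hex PUID string;
# the PUID/UPN values below are made up.


def alt_sec_key(puid: str) -> str:
    """Encode a PUID the way a type-5 alternativeSecurityId key is assumed to look."""
    return base64.b64encode(puid.encode("ascii")).decode("ascii")


HOME_TENANT_USERS = [
    {"userPrincipalName": "alice@home.example", "liveId": "100320018F6A9E2B"},
    {"userPrincipalName": "bob@home.example", "liveId": "10032001A1B2C3D4"},
]

RESOURCE_TENANT_USERS = [
    {   # guest object created when alice accepted an invitation
        "userPrincipalName": "alice_home.example#EXT#@resource.example",
        "userType": "Guest",
        "alternativeSecurityIds": [
            # key encodes to "MTAwMzIwMDE4RjZBOUUyQg=="
            {"type": 5, "identityProvider": None, "key": alt_sec_key("100320018F6A9E2B")},
        ],
    },
    {   # guest whose home user lives in a tenant we have no export of
        "userPrincipalName": "carol_other.example#EXT#@resource.example",
        "userType": "Guest",
        "alternativeSecurityIds": [
            {"type": 5, "identityProvider": None, "key": alt_sec_key("10032002FFEE0011")},
        ],
    },
    {   # regular member: no alternativeSecurityIds at all
        "userPrincipalName": "dave@resource.example",
        "userType": "Member",
    },
    {   # malformed entry: key is not valid base64
        "userPrincipalName": "eve_home.example#EXT#@resource.example",
        "userType": "Guest",
        "alternativeSecurityIds": [
            {"type": 5, "identityProvider": None, "key": "!!not-base64!!"},
        ],
    },
]


def puid_from_alt_sec_ids(alt_ids):
    """Return the PUID carried by the first type-5 alternativeSecurityId, or None.

    Entries of other types are ignored; a key that is not valid base64 / ASCII
    yields None instead of raising, so one broken object does not abort a run.
    """
    for entry in alt_ids or []:
        if entry.get("type") != 5:
            continue
        try:
            return base64.b64decode(entry["key"], validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, KeyError):
            return None
    return None


def link_guests(resource_users, home_users):
    """Map each resource tenant guest UPN to the home tenant UPN it is linked to.

    Guests whose PUID is unknown (another home tenant, broken key) map to None;
    members are skipped because they carry no home tenant link.
    """
    by_puid = {u["liveId"].upper(): u["userPrincipalName"] for u in home_users}
    links = {}
    for u in resource_users:
        if u.get("userType") != "Guest":
            continue
        puid = puid_from_alt_sec_ids(u.get("alternativeSecurityIds"))
        links[u["userPrincipalName"]] = by_puid.get(puid.upper()) if puid else None
    return links


if __name__ == "__main__":
    for guest, home in link_guests(RESOURCE_TENANT_USERS, HOME_TENANT_USERS).items():
        print(f"{guest} -> {home or 'no matching home user found'}")
```

The comparison is done on the PUID rather than on the UPN because the guest's UPN is derived from the home UPN at invitation time and does not change if the home user is later renamed; the type-5 security identifier is the attribute that actually ties the two objects together.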
Multi-factor authentication (MFA) and Conditional Access (CA)
Final response from Microsoft Security Response Center (MSRC)
Summary of the home tenant control options

I don't think it's exposed in AzureAD or any Az modules; however, using the Microsoft Graph PowerShell module you can set it:

To see what permission scopes you require, you need to check the Microsoft Graph API docs:

A couple of things that might be worth noting: obviously I would recommend you review what security defaults enable in the tenant and decide if you want/need to mimic some of those settings with Conditional Access policies (security defaults are a good way to get some basic extra security features without needing extra licenses; I have seen people disable them and then forget to implement some of the basic features they implement).

Regarding the Microsoft Graph PowerShell module, I have only started using it; however, I would lean towards using a separate temporary service principal account for each use and then deleting it. If you just keep adding scopes to the same account, you eventually have a service principal that does everything, which is a risk.