
Backdooring and Hijacking Azure AD Accounts by Abusing External Identities

Conference:  Black Hat USA 2022

2022-08-10

Summary

The talk walks through how external identities (B2B collaboration) are implemented in Azure AD and shows how flaws in that implementation let an attacker who holds only a regular user account backdoor and hijack accounts, reach other tenants, and perform unauthorized actions there.
  • External collaboration in Azure AD involves two tenants: the home tenant, which manages the user's identity, and the resource tenant, which grants that user access
  • A guest account is created in the resource tenant and linked to the user's account in the home tenant
  • An existing account can be converted into a B2B (external) account and linked to any external account
  • MFA state is cached in the session and can be reused to satisfy MFA when authenticating to other tenants
  • Account rebinding links an attacker-controlled account to a victim account and gives the attacker access to it
The presenter demonstrated account rebinding end to end: the victim account is linked to the attacker's own account, and the cached MFA state is used to authenticate as it, after which the attacker can perform unauthorized actions in the victim tenant.
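The abstract promises ways to detect abuse of these identity links. The following is an added example, not tooling from the talk or from Microsoft: it scans a Microsoft Graph `/users` response for accounts whose external-identity linkage looks like a rebinding. The property names (`userPrincipalName`, `userType`, `creationType`, `externalUserState`, `identities` with `signInType`/`issuer`/`issuerAssignedId`) are those of the Graph user resource; the sample response is constructed, and the issuer values `ExternalAzureAD` and `MicrosoftAccount` as well as the two heuristics (a Member with an external issuer, an externally linked account whose UPN lacks the `#EXT#` marker) are assumptions of this example, to be tuned against your own tenant's data.

```python
"""Flag Azure AD accounts whose external-identity linkage looks like an account rebinding.

Added example: the Graph field names are real, the sample data and the
heuristics are constructed assumptions, not output from the talk's tooling.
"""
import json

# Issuers assumed to mark an identity owned outside this tenant (assumption).
EXTERNAL_ISSUERS = {"ExternalAzureAD", "MicrosoftAccount"}

# Constructed sample shaped like a Graph
# GET /users?$select=userPrincipalName,userType,creationType,externalUserState,identities
# response. Not real tenant data.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {   # ordinary invited guest: Guest type, #EXT# UPN, external issuer
            "userPrincipalName": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
            "userType": "Guest",
            "creationType": "Invitation",
            "externalUserState": "Accepted",
            "identities": [
                {"signInType": "federated", "issuer": "ExternalAzureAD",
                 "issuerAssignedId": None},
                {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
                 "issuerAssignedId": "alice_partner.example#EXT#@contoso.onmicrosoft.com"},
            ],
        },
        {   # ordinary member: only the tenant's own issuer
            "userPrincipalName": "bob@contoso.onmicrosoft.com",
            "userType": "Member",
            "creationType": None,
            "externalUserState": None,
            "identities": [
                {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
                 "issuerAssignedId": "bob@contoso.onmicrosoft.com"},
            ],
        },
        {   # suspicious: a Member whose identities now include an external issuer
            "userPrincipalName": "carol@contoso.onmicrosoft.com",
            "userType": "Member",
            "creationType": None,
            "externalUserState": "Accepted",
            "identities": [
                {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
                 "issuerAssignedId": "carol@contoso.onmicrosoft.com"},
                {"signInType": "federated", "issuer": "MicrosoftAccount",
                 "issuerAssignedId": None},
            ],
        },
    ]
})

# Reason codes attached to findings.
MEMBER_WITH_EXTERNAL = "member-with-external-identity"
UPN_MISSING_EXT_MARKER = "upn-missing-ext-marker"


def external_issuers(user):
    """Return the sorted set of external issuers present in a user's identities."""
    return sorted({
        ident.get("issuer")
        for ident in user.get("identities", [])
        if ident.get("issuer") in EXTERNAL_ISSUERS
    })


def classify(user):
    """Return a finding dict for a suspicious user, or None if it looks normal."""
    issuers = external_issuers(user)
    if not issuers:
        return None  # no external linkage at all: nothing to rebind
    upn = user.get("userPrincipalName") or ""
    reasons = []
    if user.get("userType") != "Guest":
        reasons.append(MEMBER_WITH_EXTERNAL)
    if "#EXT#" not in upn:
        reasons.append(UPN_MISSING_EXT_MARKER)
    if not reasons:
        return None  # looks like a regular invited guest
    return {
        "userPrincipalName": upn,
        "userType": user.get("userType"),
        "externalIssuers": issuers,
        "externalUserState": user.get("externalUserState"),
        "reasons": reasons,
    }


def find_rebound_accounts(graph_json_text):
    """Parse one page of a Graph /users response and return the suspicious accounts."""
    page = json.loads(graph_json_text)
    findings = [classify(u) for u in page.get("value", [])]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in find_rebound_accounts(SAMPLE_GRAPH_RESPONSE):
        print(json.dumps(finding, indent=2))
```

Against a live tenant, `identities` is not returned unless explicitly selected, and a large tenant is paged via `@odata.nextLink`, so each page should be fed through `find_rebound_accounts` in turn. Treat a hit as a lead for the audit log, not as proof: a Member with an external issuer is exactly the shape a rebound account would have, but the tenant's own history decides whether it was legitimately converted.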

Abstract

External identities are a concept in Azure Active Directory which makes it possible to collaborate with users outside of an organization. These external users, often called guest users, can be granted permissions to certain resources and work together with users within the organization. The identities of these users are managed in a different Azure AD tenant, or are unmanaged accounts outside of Azure AD. This talk explains how these external identities work in Azure AD and how B2B collaboration is built on them. During the research for this talk, several flaws in the implementation were identified, which create novel ways to backdoor and hijack Azure AD accounts starting from a regular user account. Ways were also identified to exploit these external identity links to elevate privileges and to bypass Multi-Factor Authentication and Conditional Access policies. All these attacks were possible in the default configuration of Azure AD. This talk gives insight into the external identities concepts, into the technicalities that allowed these attacks to exist, and into ways to harden against these attacks and detect abuse of these vulnerabilities.
