Microsoft Entra Conditional Access policies (CAPs), a central control for securing Azure and Microsoft 365 environments, could be bypassed through Nested App Authentication (NAA), according to research published by the security firm NetSPI.
Understanding the Vulnerability
CAPs are a primary line of defense: they enforce requirements such as multi-factor authentication, device compliance, and location restrictions at token issuance, which is what limits the damage when a user’s credentials are stolen. NetSPI’s findings show that an attacker could obtain Microsoft Graph access tokens without any Conditional Access evaluation taking place.
The bypass abuses Microsoft’s non-standard extensions to OAuth that support single sign-on (SSO), specifically the way refresh tokens are shared and exchanged among first-party applications. It builds on earlier research into Family of Client IDs (FOCI) and NAA (also referred to as BroCI) published by Secureworks, SpecterOps, and others.
Mechanics of the Bypass
Nested App Authentication, part of Microsoft’s SSO machinery, lets a host application such as the Azure Portal broker authentication for applications nested inside it. Users are not asked to reauthenticate when they move between services because the host silently exchanges its cached refresh token for an access token issued on the nested application’s behalf.
The flow is signalled by dedicated parameters in the token request, brk_client_id and brk_redirect_uri, together with a broker-specific redirect URI; these allow one application’s refresh token to mint tokens for another application without any user interaction. The vulnerable case arose when this NAA mechanism was used with ADIbizaUX, a core Azure Portal application that holds extensive Microsoft Graph permissions.
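The brokered flow described above can be recognised on the wire by the extra parameters alone. As an added example (not NetSPI’s research code and not Microsoft’s), the Python below parses a captured token request body and classifies it as a plain refresh-token exchange or a brokered NAA exchange, then records what a reviewer would want to know: which host is brokering, for which nested client, and whether a high-value resource such as Microsoft Graph is being requested on the host’s refresh token. The client IDs, hostnames, allow-list, and sample request bodies are constructed placeholders, and the assumption that the nested app’s redirect_uri uses a brk-<host client id>:// scheme is made only for this example.

```python
"""Classify captured Entra OAuth token requests as plain refresh-token
exchanges or brokered (Nested App Authentication) exchanges.

Added example; not code from NetSPI or Microsoft. All IDs and hosts
below are placeholders, not real Azure Portal or ADIbizaUX values.
"""
from urllib.parse import parse_qs, urlparse

# Hypothetical allow-list: host app client ID -> origin expected in
# brk_redirect_uri. A real deployment would populate this from the
# tenant's app registrations.
TRUSTED_HOSTS = {
    "11111111-1111-1111-1111-111111111111": "portal.example.test",
}

GRAPH_PREFIX = "https://graph.microsoft.com/"


def parse_token_request(body: str) -> dict:
    """Parse a form-encoded /oauth2/v2.0/token request body."""
    raw = parse_qs(body, keep_blank_values=True)
    p = {k: v[0] for k, v in raw.items()}
    return {
        "grant_type": p.get("grant_type"),
        "client_id": p.get("client_id"),
        "scope": p.get("scope", "").split(),
        "brk_client_id": p.get("brk_client_id"),
        "brk_redirect_uri": p.get("brk_redirect_uri"),
        "redirect_uri": p.get("redirect_uri"),
    }


def classify(body: str) -> dict:
    """Return a verdict with findings a reviewer should look at."""
    req = parse_token_request(body)
    host = req["brk_client_id"]
    nested = req["client_id"]
    brokered = host is not None
    findings = []
    if brokered:
        if nested == host:
            findings.append("brk_client_id equals client_id: not a nested-app exchange")
        expected_host = TRUSTED_HOSTS.get(host)
        if expected_host is None:
            findings.append(f"unknown host app {host} brokering for {nested}")
        brk = urlparse(req["brk_redirect_uri"] or "")
        if brk.scheme != "https":
            findings.append("brk_redirect_uri is not https")
        elif expected_host and brk.hostname != expected_host:
            findings.append(f"brk_redirect_uri host {brk.hostname} does not match {expected_host}")
        # Assumption for this example only: the nested app's redirect_uri
        # carries a custom scheme derived from the host client ID.
        rd = urlparse(req["redirect_uri"] or "")
        if rd.scheme != f"brk-{host}":
            findings.append("redirect_uri scheme does not name the brokering host")
        if any(s.startswith(GRAPH_PREFIX) for s in req["scope"]):
            findings.append("nested app requests Microsoft Graph on the host's refresh token")
    return {
        "brokered": brokered,
        "host_client_id": host,
        "nested_client_id": nested if brokered else None,
        "findings": findings,
    }


# Constructed sample bodies (refresh_token values redacted).
SAMPLE_PLAIN = (
    "grant_type=refresh_token&client_id=11111111-1111-1111-1111-111111111111"
    "&refresh_token=REDACTED&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default+openid"
)
SAMPLE_NAA = (
    "grant_type=refresh_token&client_id=22222222-2222-2222-2222-222222222222"
    "&refresh_token=REDACTED"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default+openid+offline_access"
    "&brk_client_id=11111111-1111-1111-1111-111111111111"
    "&brk_redirect_uri=https%3A%2F%2Fportal.example.test%2F"
    "&redirect_uri=brk-11111111-1111-1111-1111-111111111111%3A%2F%2Fportal.example.test"
)
SAMPLE_ROGUE = (
    "grant_type=refresh_token&client_id=22222222-2222-2222-2222-222222222222"
    "&refresh_token=REDACTED"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default"
    "&brk_client_id=33333333-3333-3333-3333-333333333333"
    "&brk_redirect_uri=http%3A%2F%2Fattacker.example.test%2F"
    "&redirect_uri=brk-33333333-3333-3333-3333-333333333333%3A%2F%2Fattacker.example.test"
)

if __name__ == "__main__":
    for name, body in [("plain", SAMPLE_PLAIN), ("naa", SAMPLE_NAA), ("rogue", SAMPLE_ROGUE)]:
        print(name, classify(body))
```

Even a brokered request that passes every structural check (the naa sample) is reported when it asks for Microsoft Graph, because the point of NetSPI’s finding is that a well-formed NAA exchange for a Graph token is exactly the path on which Conditional Access was not evaluated; the reviewer’s job is to confirm that policy did apply to the resulting token.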
Impact and Resolution
NetSPI found that when an Azure Portal refresh token was brokered to ADIbizaUX to obtain a Microsoft Graph token, no Conditional Access evaluation took place. By contrast, exchanges through FOCI-enabled clients such as Microsoft Teams were correctly blocked, which isolated the problem to the NAA-based flow rather than to refresh-token sharing in general.
Further analysis turned up two additional Microsoft Intune portal applications that could acquire Microsoft Graph tokens via NAA without Conditional Access enforcement. The precondition for abuse is possession of an Azure Portal refresh token, which an attacker could capture through phishing or an adversary-in-the-middle proxy; the bypass then defeats the very policies intended to contain such a theft.
The impact was limited by the fact that the token obtained this way was valid for 24 hours and could not be renewed, but that is still a substantial window. After the issue was reported to the Microsoft Security Response Center it was classified as medium severity. Microsoft has since shipped a fix, and NAA flows now enforce Conditional Access policies.
The case illustrates a recurring lesson: proprietary extensions to OAuth that are added for SSO convenience create additional token-exchange paths, and policy enforcement has to cover every one of them explicitly, because any path that is missed becomes a bypass. Refresh tokens for first-party portals should be treated as high-value credentials accordingly.
