Entra ID Cybersecurity Threat: UnOAuthorized Admin Privilege Escalation
Summary
A critical vulnerability known as "UnOAuthorized" has been discovered in Microsoft Entra ID (formerly Azure Active Directory). This vulnerability allows attackers with specific administrative roles, such as Application Administrator or Cloud Application Administrator, to escalate their privileges to Global Administrator. This escalation is made possible due to misconfigured OAuth 2.0 scope permissions within certain Microsoft service principals, including Device Registration Service, Viva Engage, and Microsoft Rights Management Service.
The vulnerability poses a severe risk, enabling attackers to gain full control over an organisation’s cloud resources, including Microsoft 365 and Azure. Microsoft has responded by implementing new controls to mitigate these risks, such as restricting the usage of credentials on service principals and enhancing monitoring protocols.
Call to Arms: Auditing Entra ID Logs with SIEM Tools
To assess whether your organisation has been impacted by this vulnerability, audit your Entra ID logs using the following example Splunk queries. (These examples can be used as a guide for creating your own SIEM queries - you will need to adapt to your own indexes and sources) :
- Search for Role Assignments:
- Audit Log Item:
RoleManagement.RoleAssignmentCreated
- Audit Log Item:
- Detect Unauthorized Credential Assignments:
- Audit Log Item:
ServicePrincipal.CredentialAdded
- Audit Log Item:
- Identify OAuth 2.0 Token Issuance:
- Audit Log Item:
TokenIssuance.Success
- Audit Log Item:
- Monitor Group Creation by Service Principals:
- Audit Log Item:
GroupManagement.GroupCreated
- Audit Log Item:
- Track Changes to Privileged Roles:
- Audit Log Item:
RoleManagement.RoleAssignmentDeletedorRoleManagement.RoleAssignmentUpdated
- Audit Log Item:
Splunk Query:
index=azure_ad sourcetype="azure:audit" OperationName IN ("Update role", "Remove member from role")
| search "AssignedRole"="Global Administrator"
| stats count by TargetObjectName, InitiatedBy.user.displayName, AppDisplayName
Splunk Query:
index=azure_ad sourcetype="azure:audit" OperationName="Create group"
| search InitiatedBy.app.displayName="Device Registration Service"
| stats count by TargetObjectName, InitiatedBy.user.displayName, AppDisplayName
Splunk Query:
index=azure_ad sourcetype="azure:audit" OperationName="Token Issuance"
| search AppDisplayName IN ("Device Registration Service", "Viva Engage", "Microsoft Rights Management Service")
| stats count by ResultDescription, InitiatedBy.user.displayName, AppDisplayName
Splunk Query:
index=azure_ad sourcetype="azure:audit" OperationName="Add service principal credentials"
| search AppDisplayName IN ("Device Registration Service", "Viva Engage", "Microsoft Rights Management Service")
| stats count by TargetObjectName, InitiatedBy.user.displayName, AppDisplayName
Splunk Query:
index=azure_ad sourcetype="azure:audit" OperationName="Add member to role"
| search "AssignedRole"="Global Administrator"
| stats count by TargetObjectName, InitiatedBy.user.displayName, AppDisplayName
Recommendations
- Enhance Security for Administrative Roles:
- Apply the principle of least privilege, ensuring that Application and Cloud Application Administrators have only the permissions necessary for their roles.
- Strengthen security by enforcing multi-factor authentication (MFA) and using Privileged Access Workstations (PAWs).
- Continuous Monitoring and Alerts:
- Implement continuous monitoring and automated alerting for suspicious role assignments, credential changes, or OAuth token activities in your SIEM tool.
- Establish immediate response protocols to disable compromised accounts quickly.
- Restrict Service Principal Credential Usage:
- Use mechanisms such as property locks to prevent unauthorised credential assignment to service principals.
- Regularly review and tighten permissions for service principals.
- Conduct Regular Security Audits:
- Frequently audit your Entra ID configurations, focusing on identifying any misconfigurations or excessive permissions.
- Stay updated with the latest security patches and guidance from Microsoft.
Conclusion
The "UnOAuthorized" vulnerability in Microsoft Entra ID underscores the importance of stringent security practices, particularly in managing privileged roles. By proactively auditing your environment using SIEM tools like Splunk and implementing the recommended security measures, organisations can mitigate the risks associated with this vulnerability and protect their cloud environments from potential exploitation.
Sources
- Cybersecurity News: "Microsoft Entra ID Vulnerability Let Attackers Gain Global Admin Access"
- Semperis Research: "Privilege Elevation in Entra ID: UnOAuthorized"
- CyberMaterial: "Microsoft Entra ID Flaw Enables Admin Access"