Summary of "What Security Researchers Know About Microsoft Entra That You Don't"

This episode of Entra Chat features Katie Nolles, a security researcher at Datadog, who shares deep insights and research findings about Microsoft Entra. The discussion focuses on its security architecture, roles, applications, and potential attack vectors. Both offensive and defensive perspectives are covered, illustrating complex technical concepts with practical implications for admins and security teams.


Key Technological Concepts and Product Features

  1. Restricted Administrative Units (RAUs)

    • RAUs segment administrative roles in Entra.
    • Katie discovered a race condition bug where removing a user from a RAU and quickly deleting the unit caused the user’s “restricted” status to persist indefinitely, making the account immutable—even global admins couldn’t remove it easily.
    • This bug could be exploited offensively to protect malicious accounts from remediation.
    • The issue was responsibly disclosed and fixed.
  2. First-Party Applications and Service Principals

    • Entra distinguishes between app registrations (definitions) and service principals (tenant-specific identities).
    • Katie explored vulnerabilities where privileged users could add credentials (e.g., certificates) to Microsoft first-party service principals in their tenant, effectively hijacking the app’s identity.
    • This could allow attackers to add trusted federated domains (a “backdoor”), enabling persistent, stealthy access.
    • Microsoft introduced “app lock” to prevent editing certain properties of service principals, but Katie found ways to bypass protections by automating certificate creation.
    • The research ties into broader concerns about app governance and trust boundaries in Azure AD.
  3. OAuth Consent Model and App Governance

    • User application consent policies serve as a first line of defense.
    • Microsoft has improved requirements for admin approval on sensitive permissions.
    • Emphasis on realistic governance balancing usability and security.
    • Advice to admins to test apps in non-production environments before consenting in production.
    • Challenges remain in understanding delegated vs. application permissions during consent.
  4. Azure Roles and Permissions Complexity

    • Azure roles and role assignments, especially with Privileged Identity Management (PIM), are complex and layered.
    • Example: Azure Key Vault access policies vs. Azure RBAC roles create subtle permission gaps.
    • Some legacy access policies allow users with write permissions to modify access policies and thereby gain secret access.
    • Migration towards RBAC and managed identities is recommended but slow and challenging.
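A defender's check for the access-policy gap in item 4, written for this summary rather than taken from the episode: it models a vault still on the legacy permission model and lists principals whose control-plane role covers the vault write action, since they can edit the access policies and grant themselves secret access. The vault, the principals and the role action lists are constructed (the action lists are a subset of the real built-in roles).

```python
"""Find principals who can reach secrets via the legacy access-policy gap.
Constructed vault and role assignments; role action lists are a subset of
the real built-in roles, written with Azure RBAC wildcards."""
from fnmatch import fnmatch

VAULT_WRITE = "Microsoft.KeyVault/vaults/write"

ROLE_ACTIONS = {  # control-plane actions only (constructed subset)
    "Contributor": ["*"],
    "Key Vault Contributor": ["Microsoft.KeyVault/*"],
    "Reader": ["*/read"],
}

VAULT = {  # constructed vault, control-plane view
    "name": "kv-example",
    "enableRbacAuthorization": False,  # legacy access-policy model
    "accessPolicies": [
        {"objectId": "bob", "permissions": {"secrets": ["get", "list"]}},
    ],
}
ASSIGNMENTS = [  # constructed role assignments scoped to this vault
    {"principal": "alice", "role": "Contributor"},
    {"principal": "bob", "role": "Contributor"},
    {"principal": "carol", "role": "Key Vault Contributor"},
    {"principal": "dave", "role": "Reader"},
]

def can_write_vault(role):
    """True if any action pattern granted by the role covers vaults/write."""
    return any(fnmatch(VAULT_WRITE, pattern) for pattern in ROLE_ACTIONS.get(role, []))

def secret_holders(vault):
    """Object ids already granted any secret permission by access policy."""
    return {p["objectId"] for p in vault["accessPolicies"] if p["permissions"].get("secrets")}

def access_policy_escalations(vault, assignments):
    """Principals with no secret policy today who can write themselves one.
    With enableRbacAuthorization on, policies are ignored and vaults/write no
    longer implies data-plane access, so nothing is reported."""
    if vault["enableRbacAuthorization"]:
        return []
    holders = secret_holders(vault)
    return sorted(a["principal"] for a in assignments
                  if can_write_vault(a["role"]) and a["principal"] not in holders)
```

Feeding it a real vault's `accessPolicies` and the role assignments at that scope shows who could self-grant today; switching the vault to RBAC authorization closes the path.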
  5. Apps and Service Principals Relationship

    • Katie’s research clarified which properties sync between app registrations and service principals and which do not.
    • Credentials (secrets, certificates) do not sync, enabling potential attack vectors.
    • The multi-tenant nature of Azure AD adds complexity, as an app registration in one tenant can have service principals in many tenants.
    • These concepts are foundational to Entra and affect identity, access, and trust models.
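An added inventory check covering items 2 and 5 (not Katie's tooling or any code from the episode): because credentials never sync from an app registration to its service principals, any certificate or secret sitting on a Microsoft-owned service principal in your tenant was added locally and deserves review. The Microsoft Services tenant id is the well-known value; the sample service principal objects, appIds and key ids are constructed to match the shape of Microsoft Graph servicePrincipal records.

```python
"""Inventory tenant-side credentials on Microsoft-owned service principals.
Constructed sample shaped like Graph servicePrincipal objects; the Microsoft
Services tenant id is the well-known value, appIds and key ids are made up."""
from datetime import datetime, timezone

MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

SAMPLE_SERVICE_PRINCIPALS = [
    {   # first-party app with no tenant-added credentials: the normal state
        "appId": "11111111-0000-0000-0000-000000000001",
        "displayName": "Example Microsoft App",
        "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
        "keyCredentials": [], "passwordCredentials": [],
    },
    {   # first-party app with a certificate someone added in this tenant
        "appId": "11111111-0000-0000-0000-000000000002",
        "displayName": "Example Microsoft Sync App",
        "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
        "keyCredentials": [{"keyId": "aaaa-0001", "type": "AsymmetricX509Cert",
                            "displayName": "CN=added-cert",
                            "endDateTime": "2030-01-01T00:00:00Z"}],
        "passwordCredentials": [],
    },
    {   # tenant-owned app: its own credentials are expected, not flagged
        "appId": "22222222-0000-0000-0000-000000000003",
        "displayName": "Line of Business App",
        "appOwnerOrganizationId": "33333333-0000-0000-0000-000000000000",
        "keyCredentials": [],
        "passwordCredentials": [{"keyId": "bbbb-0002", "displayName": "lob secret",
                                 "endDateTime": "2027-06-01T00:00:00Z"}],
    },
]

def first_party_credentials(service_principals, now=None):
    """One finding per credential on a Microsoft-owned SP. Credentials do not
    sync from Microsoft's app registration, so anything here was added locally."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for sp in service_principals:
        if sp.get("appOwnerOrganizationId") != MICROSOFT_SERVICES_TENANT:
            continue
        creds = [("certificate", c) for c in sp.get("keyCredentials", [])]
        creds += [("secret", c) for c in sp.get("passwordCredentials", [])]
        for kind, cred in creds:
            expiry = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
            findings.append({"appId": sp["appId"], "name": sp["displayName"],
                             "kind": kind, "keyId": cred.get("keyId"),
                             "label": cred.get("displayName"), "active": expiry > now})
    return findings
```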
  6. Emerging Concepts: Agent Identities

    • Microsoft introduced “agent identities” at the Build conference.
    • Agents represent a new identity type, potentially digital coworkers or bots with their own identities and mailboxes.
    • This evolution complicates the token and access ecosystem, requiring updates to OAuth specs and security models.
    • The agent model adds another layer of trust boundaries and complexity in access management.
  7. Copilot Studio and OAuth Phishing Risks

    • Copilot Studio enables low-code/no-code AI-powered chatbots integrated with authentication flows.
    • Attackers can create customized login prompts that redirect users to OAuth phishing attacks.
    • This combines social engineering with OAuth consent abuse, potentially granting malicious apps access to user or tenant data.
    • Highlights the need for vigilance around app consent and user education.
  8. Research Methodology and Tools

    • Katie emphasizes deep API exploration, scripting, and automation (using tools like Burp Suite Repeater and Python scripts) rather than relying solely on PowerShell.
    • Understanding the underlying HTTP endpoints and token flows is critical.
    • Research involves iterative testing, breaking down complex behaviors, and correlating documentation with real-world behavior.
    • Collaboration with the community and responsible disclosure (e.g., MSRC) is vital.

Overall, the episode provides a detailed insider perspective on Microsoft Entra’s security nuances, highlighting real-world vulnerabilities, research techniques, and practical guidance for administrators and defenders.
