
The Cybersecurity Lair™ • May 08, 2024

Beyond Passwords: The Risks and Remedies of Azure Entra ID's MFA Vulnerability

Unveiling Vulnerabilities: How MFA Bypass Threatens Azure Entra ID Security

In a recent revelation, Pen Test Partners (PTP) uncovered a concerning vulnerability within Microsoft Azure Entra ID, a crucial cloud-based identity and access management platform. During a rigorous Red Team engagement, researchers encountered a scenario where they had acquired Domain Admin privileges on an on-premises Active Directory network but found themselves unable to access sensitive data housed in the Azure cloud estate due to Entra ID's authentication requirements. Through meticulous investigation, they unearthed a method utilising Azure Seamless Single Sign-On (SSO) that allowed users to circumvent password authentication by leveraging specific Ticket Granting Service (TGS) tickets. 


By mimicking the user-agent of Chrome on Linux and accessing resources via a domain-joined machine, the PTP team successfully bypassed multi-factor authentication (MFA), shedding light on critical security gaps. This discovery underscores the importance of robust configuration measures for Entra ID and the urgent need for organisations to bolster their cybersecurity posture by implementing rigorous access controls, regularly updating conditional access policies, patching vulnerabilities, and integrating additional security layers such as endpoint detection and response (EDR) solutions.


Technical Facts:


  • Vulnerability discovered in Microsoft Azure Entra ID, a cloud-based identity and access management solution.
  • Azure Seamless Single Sign-On (SSO) allows access to Entra ID-protected resources without passwords using specific TGS tickets.
  • Multi-factor authentication (MFA) is bypassed by changing the browser's user-agent to resemble Chrome on Linux and accessing resources via a domain-joined machine.


How the Vulnerability was Found:


  • Discovered during a Red Team engagement when researchers gained Domain Admin privileges on on-premises Active Directory but couldn't access Azure cloud data protected by Entra ID.
  • Researchers found that Azure Seamless SSO permitted access without passwords, using specific TGS tickets.


Mitigation Strategies:



  • Ensure up-to-date conditional access policies.
  • Regularly patch systems.
  • Monitor login attempts for anomalies.
  • Consider implementing additional security layers like endpoint detection and response (EDR) solutions.
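
As an added illustration of the "monitor login attempts" item (not code from Pen Test Partners or from the original post): a check over exported sign-in records that flags successful single-factor sign-ins presenting a Chrome-on-Linux user agent for users with no MFA-satisfied history from that kind of client. The field names are modelled on Entra ID sign-in log records and, like the sample data and the `flag_signins` helper, are assumptions to adapt to your own export.

```python
import re

# Chrome-on-Linux user-agent shape: "(X11; Linux x86_64) ... Chrome/124.0.0.0"
CHROME_LINUX = re.compile(r"\(X11; Linux[^)]*\).*\bChrome/\d+")

def is_chrome_linux(user_agent):
    return bool(CHROME_LINUX.search(user_agent or ""))

def flag_signins(events):
    """Return successful single-factor sign-ins that claim Chrome on Linux,
    for users with no MFA-satisfied sign-in from that kind of client."""
    # Baseline: users who have completed MFA from a Chrome-on-Linux client.
    known_linux = {
        e["userPrincipalName"].lower() for e in events
        if e["authenticationRequirement"] == "multiFactorAuthentication"
        and e["status"]["errorCode"] == 0
        and is_chrome_linux(e["userAgent"])
    }
    hits = []
    for e in events:
        user = e["userPrincipalName"].lower()
        if (e["status"]["errorCode"] == 0
                and e["authenticationRequirement"] == "singleFactorAuthentication"
                and is_chrome_linux(e["userAgent"])
                and user not in known_linux):
            hits.append((e["createdDateTime"], user, e["ipAddress"]))
    return sorted(hits)

# --- Constructed sample records (not real log data) ---
WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
LNX = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

def ev(ts, user, ua, requirement, code=0, ip="203.0.113.10"):
    return {"createdDateTime": ts, "userPrincipalName": user, "userAgent": ua,
            "authenticationRequirement": requirement,
            "status": {"errorCode": code}, "ipAddress": ip}

SAMPLE = [
    ev("2024-05-01T08:00:00Z", "alice@example.com", WIN, "multiFactorAuthentication"),
    ev("2024-05-02T09:10:00Z", "Alice@example.com", LNX, "singleFactorAuthentication",
       ip="203.0.113.77"),                       # new client type, no MFA: flagged
    ev("2024-05-02T09:30:00Z", "bob@example.com", LNX, "multiFactorAuthentication"),
    ev("2024-05-03T10:00:00Z", "bob@example.com", LNX, "singleFactorAuthentication"),
    ev("2024-05-03T11:00:00Z", "carol@example.com", LNX, "singleFactorAuthentication",
       code=50126),                              # failed sign-in: ignored
]

if __name__ == "__main__":
    for hit in flag_signins(SAMPLE):
        print(hit)
```

In a fleet that is entirely Windows, the baseline set stays empty and every successful single-factor Chrome-on-Linux sign-in is reported.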


Source and further reading


Waqas. (2024, May 8). Findings show MFA bypass in Microsoft Azure Entra ID using seamless SSO. Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News. https://www.hackread.com/mfa-bypass-microsoft-azure-entra-id-sso/

Barradell-Johns, J. (2024, May 3). Bypassing MFA on Microsoft Azure Entra ID | PEN Test Partners. Pen Test Partners. https://www.pentestpartners.com/security-blog/bypassing-mfa-on-microsoft-azure-entra-id/
