Join Raymond and me as we discuss “UnOauthorized” with Eric Woodruff


UnOauthorized

Birds of a feather flock together. So, when fellow Security MVP and Identity nerd Eric Woodruff visited our home country, Raymond Comvalius and I didn’t hesitate to offer him a pancake ‘breakfast’ to chat about all things Entra. Lunch and a laid-back conversation on Raymond’s couch unearthed some valuable discussion for us Identity & Security nerds.

One thing to note is that mere days before our couch chat, Eric on Identity presented on the secret sauce for some first-party Entra ID applications that allowed users to perform privileged actions in the Microsoft 365 back-end, without those privileges appearing anywhere in the applications’ OAuth scopes.


About “UnOauthorized”

Eric poked around and discovered that:

  • Microsoft’s own Device Registration Service could modify privileged role memberships, and thus add and remove Global Administrators.
  • Microsoft’s Viva Engage (previously called Yammer) could delete and permanently delete privileged users, including – you guessed it – Global Administrators.
  • Microsoft Rights Management Services could create users.

Eric discovered these vulnerabilities while working in his role as a Senior Security Researcher at Semperis. As Semperis is a known ‘force for good’ in the Identity space, Eric responsibly disclosed these vulnerabilities, and Microsoft addressed them, so that organizations’ access control models would not collapse like a house of cards. We sat down and discussed these topics close to our hearts.

Here are a few discussion topics from the interview:

Microsoft didn’t issue a CVE to the vulnerabilities Eric discovered

Interestingly, Eric disclosed his findings to Microsoft in the first half of 2024. At that time, Microsoft hadn’t decided to issue CVEs for vulnerabilities in their cloud services. We talked about the impact of that. While it made it slightly harder for Eric to discuss his findings with other security researchers, as he didn’t get clear CVE-2024-xxxx numbers for his findings, he did buy a new washer and dryer from Microsoft’s bounty reward. 😊

Typical misconfigurations of applications in Entra

As a leading Community Contributor for ENow Software’s free AppGov Score and Application Governance Accelerator solution, Enterprise Applications and Application Registrations in Entra are close to my heart. Eric received a lot of questions about whether the “UnOauthorized” attack vector would work with third-party applications. While this specific vulnerability does not, third-party apps are affected by other vulnerabilities, and we discussed the general infancy of knowledge of Entra applications and:

  • API permissions and roles that allow elevation to Global Administrator permissions
  • Using out-of-date authentication libraries
  • Still using the deprecated Windows Azure Active Directory API

These can really ruin an Entra admin’s day when exploited.
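Two of the three misconfigurations above can be spotted from the JSON that Microsoft Graph returns for app registrations (requiredResourceAccess) and for a resource’s service principal (appRoles). The following Python audit is an added example, not code from the interview, from Eric’s research, or from any Semperis or ENow tooling; the two resource appIds are the well-known Microsoft Graph and Azure AD Graph ones, while every other GUID and the sample apps are constructed placeholders.

```python
"""Flag Entra app registrations that request application permissions with a known
path to Global Administrator, or that still request the deprecated Azure AD Graph API.
Input shapes follow Microsoft Graph /applications and /servicePrincipals objects."""
from typing import Dict, List

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (real)
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph, deprecated (real)

# App-only ("Role") permissions with a documented path to Global Administrator:
# assign directory roles directly, grant oneself any app role, or add a credential
# to an app that already holds such a role. Delegated ("Scope") entries are bounded
# by the signed-in user and are not flagged here.
ELEVATION_ROLES = {
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Constructed: maps resourceAppId -> {appRole id -> appRole value}, the lookup you
# would build from each resource service principal's appRoles. IDs are placeholders.
SAMPLE_ROLE_NAMES: Dict[str, Dict[str, str]] = {
    MS_GRAPH_APP_ID: {
        "11111111-0000-4000-8000-000000000001": "RoleManagement.ReadWrite.Directory",
        "11111111-0000-4000-8000-000000000002": "User.Read.All",
    },
}

# Constructed sample app registrations in /applications shape.
SAMPLE_APPS = [
    {"displayName": "HR Sync", "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID, "resourceAccess": [
            {"id": "11111111-0000-4000-8000-000000000001", "type": "Role"}]}]},
    {"displayName": "Legacy Reporting", "requiredResourceAccess": [
        {"resourceAppId": AAD_GRAPH_APP_ID, "resourceAccess": [
            {"id": "22222222-0000-4000-8000-000000000001", "type": "Scope"}]}]},
    {"displayName": "Read-only Dashboard", "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID, "resourceAccess": [
            {"id": "11111111-0000-4000-8000-000000000002", "type": "Role"}]}]},
]

def audit_app(app: dict, role_names: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for one app registration (empty list = clean)."""
    findings: List[str] = []
    for rra in app.get("requiredResourceAccess", []):
        resource = rra["resourceAppId"]
        if resource == AAD_GRAPH_APP_ID:
            findings.append("requests deprecated Azure AD Graph API")
        for access in rra.get("resourceAccess", []):
            if access.get("type") != "Role":
                continue  # delegated permission: skip
            name = role_names.get(resource, {}).get(access["id"], access["id"])
            if name in ELEVATION_ROLES:
                findings.append(f"application permission {name} has a path to Global Administrator")
    return findings

def audit(apps: List[dict], role_names: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit every app; callers can feed the paged output of GET /applications here."""
    return {app["displayName"]: audit_app(app, role_names) for app in apps}
```

Unknown role ids fall through as the raw GUID, so an app requesting a permission you have not resolved is visible rather than silently skipped.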

From a community point of view, we shared a lot of actionable insights. For first-party Entra applications, Microsoft is the only organization able to address vulnerabilities, but for third-party applications we all agreed that an ecosystem push is required.

Ownership of Entra app management in organizations

We also discussed who in organizations might ‘own the problem’ of Entra application security. It’s unclear in most organizations. Eric agreed that many attendees of his Black Hat session might struggle with that question when getting home and trying to prioritize Entra application security over other security issues.

The role of backup and restore in Entra app management

As Semperis provides an Entra backup and restore solution, we discussed the scarcity of Entra application restore options and how that possibly inhibits admins from actioning and addressing misconfigurations in their Entra applications. Without a way to ‘undo’ changes to applications, would you feel comfortable changing apps to conform to the ideal standard? Maybe. Maybe not. It likely depends on the size of your team, your risk tolerance and other factors.


Watch the ‘UnOAuthorized’ Interview now

UnOauthorized on Youtube

The video of our conversation is now available for free – grab your drink of choice and have a watch. It provides an insightful snapshot of Entra application security today, ways forward and the typical roadblocks we might encounter when trying to change the world – or at least Entra applications – for the better.
