Critical Azure AD Flaw Bypassed Conditional Access, Exposing Cloud Resources
Key Takeaways A critical flaw in Microsoft Entra ID (formerly Azure AD) Conditional Access allowed attackers to bypass robust security policies. Researchers successfully compromised a production...
Key Takeaways
- A critical flaw in Microsoft Entra ID (formerly Azure AD) Conditional Access allowed attackers to bypass robust security policies.
- Researchers successfully compromised a production environment with over 16,000 users using stolen credentials and a novel device spoofing technique.
- The attack chain exploited vulnerabilities in the Device Registration Service (DRS) and Intune enrollment logic, creating a “phantom device” that appeared compliant.
- The vulnerability highlights significant gaps in default device registration and compliance validation, mirroring tactics used by advanced threat actors.
- Organizations must implement stringent device trust models, including TPM 2.0 attestation and external health validation, to mitigate this risk.
Microsoft Entra ID, previously known as Azure AD, serves as the foundational security layer for cloud identity, with Conditional Access (CA) policies acting as the primary gatekeeper. These policies are designed to rigorously evaluate user location, device health, and risk scores before granting access to sensitive cloud resources.
Table Of Content
However, a recent authorized red team exercise conducted by cybersecurity firm Howler Cell uncovered a critical attack path that completely circumvents these essential protections. This sophisticated exploit allowed researchers to gain unauthorized access to a production tenant, bypassing all Conditional Access restrictions.
The engagement commenced with a single set of valid user credentials, often readily available for purchase on underground cybercrime markets. Leveraging these credentials, the researchers successfully infiltrated a production environment managing over 16,000 user accounts. Notably, this attack required no interaction with corporate endpoints and deployed no malware, underscoring significant weaknesses in default device registration and compliance validation mechanisms.
Howler Cell’s methodology closely resembled tactics employed by Storm-2372, a threat actor group suspected of being aligned with the Russian state. Both the researchers and the threat actors exploited unprotected Device Registration Service (DRS) endpoints to establish an initial foothold, demonstrating that even credentials blocked by CA policies are not a definitive deterrent for determined attackers.
Azure AD Conditional Access Bypassed
Howler Cell’s detailed research outlines an attack that began when valid credentials, explicitly blocked by a CA policy, generated an AADSTS53003 error. To circumvent this, the team targeted the DRS endpoint using the device code authentication flow, an avenue left exposed by insufficiently enforced security policies. This permitted successful authentication, enabling progression to the subsequent stages of the attack.
With a single command, Howler Cell registered a “phantom device” by presenting a signed Azure AD certificate and private key. The DRS API, critically, does not validate whether the caller is a physical Windows machine, allowing a Linux laptop to effectively impersonate a legitimate endpoint. This maneuver aligns with the MITRE ATT&CK technique for Account Manipulation (T1098.005).
Once the phantom device was registered, researchers minted a Primary Refresh Token (PRT) containing fabricated device claims. When this PRT was exchanged for an access token, Azure AD interpreted the session as device-authenticated. This effectively bypassed CA policies requiring a compliant or joined device, thereby granting access to the broader tenant environment for directory enumeration.
To overcome policies specifically mandating an Intune-compliant device, the researchers exploited a known deficiency in Intune enrollment restrictions. By falsely asserting a hybrid domain-join status, the phantom device bypassed pre-registration requirements. Intune, in this scenario, trusted the client’s self-declared domain membership without verifying it against the on-premises Active Directory.
Upon enrollment, the device achieved “compliant” status despite lacking essential security features such as BitLocker, Secure Boot, or antivirus software. Intune’s evaluation logic treated missing health attestation responses as “not applicable” rather than non-compliant. This permissive default posture allowed the researchers to download internal enterprise applications. The extraction of a single application package subsequently revealed critical internal server naming conventions and network architecture details.
Escalation and Mitigation
Beyond device spoofing, researchers at Cyderes identified a fundamental structural risk within hybrid identity environments. Their investigation uncovered 255 highly privileged directory roles, including multiple Global Administrators, that were directly synchronized from on-premises Active Directory. Compromising these on-premises accounts offers attackers a direct route to complete cloud tenant takeover, eliminating the need for any cloud-specific exploits.
To effectively defend against these complex attack chains, organizations must significantly strengthen their device trust models. Howler Cell recommends the following critical mitigations:
What You Should Do
- Implement report-only CA policies that specifically block device code flows and mandate multi-factor authentication (MFA) for device registration.
- Strictly enforce TPM 2.0 attestation as a prerequisite for all Primary Refresh Token (PRT) issuance.
- Require external validation of device health through the Microsoft Health Attestation Service, rather than relying on self-reported data from devices.
- Scope user-level Graph API access to prevent unauthorized bulk directory enumeration.
- Restrict privileged directory roles exclusively to cloud-only accounts, managed and protected through Microsoft’s Privileged Identity Management (PIM) solution.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.