Backdooring and Hijacking Azure AD Accounts by Abusing External Identities

Thursday, November 10, 2022

11:00 AM - 12:00 PM PDT

60 minutes, including Q&A

External identities are a concept in Azure Active Directory that makes it possible to collaborate with users outside of an organization. These external users, often called guest users, can be granted permissions to certain resources and work together with users within the organization. The identities of these users are managed in a different Azure AD tenant or are unmanaged accounts outside Azure AD.

This talk explains how these external identities work in Azure AD and how concepts such as B2B collaboration are facilitated. During the research for this talk, several implementation flaws were identified that create novel ways for a regular user to backdoor and hijack Azure AD accounts. Ways were also identified to exploit these external identity links to elevate privileges and to bypass Multi-Factor Authentication and Conditional Access policies. All of these attacks were possible in the default configuration of Azure AD.

This talk gives insight into the external identities concept, into the technical details that allowed these attacks to exist, and into ways to harden against them and detect abuse of these vulnerabilities.
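The abstract does not publish the flaws themselves, but a practitioner preparing for the talk will want to know which guest users exist in their tenant and where each one's identity is actually managed (another Azure AD tenant versus an unmanaged account). The following audit script is an added example, not material from the talk or from the speaker; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller can consent to User.Read.All, and that the issuer labels used to classify the federated identity (ExternalAzureAD, MicrosoftAccount, mail) match what Graph returns for your guests.

```powershell
# Added audit example (not part of the talk): enumerate guest users and classify
# where each external identity is managed. Assumes the Microsoft.Graph SDK and
# at least the User.Read.All permission.
Connect-MgGraph -Scopes 'User.Read.All'

# ConsistencyLevel/CountVariable make the userType filter an advanced query,
# which is the safe way to ask for it.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -ConsistencyLevel eventual -CountVariable guestCount `
    -Property Id,UserPrincipalName,Mail,CreationType,ExternalUserState,CreatedDateTime,Identities

$report = foreach ($g in $guests) {
    # The identity with signInType 'federated' names the issuer that authenticates
    # the guest. Assumed issuer labels: 'ExternalAzureAD' = another Azure AD tenant,
    # 'MicrosoftAccount' = consumer MSA, 'mail' = email one-time passcode.
    $fed    = $g.Identities | Where-Object { $_.SignInType -eq 'federated' }
    $issuer = if ($fed) { ($fed.Issuer -join ';') } else { 'none' }
    $source = switch -Regex ($issuer) {
        'ExternalAzureAD'  { 'Azure AD tenant (managed elsewhere)' }
        'MicrosoftAccount' { 'Microsoft account (unmanaged)' }
        '^mail$'           { 'Email OTP (unmanaged)' }
        default            { 'Unknown / no federated identity' }
    }
    [pscustomobject]@{
        UPN          = $g.UserPrincipalName
        Mail         = $g.Mail
        CreationType = $g.CreationType      # 'Invitation' for B2B-invited guests
        InviteState  = $g.ExternalUserState # 'PendingAcceptance' or 'Accepted'
        Created      = $g.CreatedDateTime
        Issuer       = $issuer
        Source       = $source
    }
}

# Full listing, then a count per identity source so unmanaged guests stand out.
$report | Sort-Object Source, Created | Format-Table -AutoSize
$report | Group-Object Source | Select-Object Name, Count
```

Guests whose identity is unmanaged, or whose invitation is still pending, are the ones to review first, since no home tenant enforces MFA or Conditional Access for them; the classification here is an inventory step, not a detection of the specific abuse the talk describes.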

Guest Presenter:

Dirk-jan Mollema

Hacker and Researcher of Active Directory and Azure AD

Outsider Security

Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD at Outsider Security. Among the open-source tools he has published to advance the state of (Azure) AD research are aclpwn, krbrelayx, mitm6 and the Azure AD ROADtools framework. He blogs at dirkjanm.io, where he writes about new Active Directory attack chains, including his discovery of the PrivExchange vulnerability. He has previously presented at TROOPERS, DEF CON, Black Hat and BlueHat, and his Azure AD research placed him among the MSRC Most Valuable Researchers from 2018 to 2020.

Sponsor Presenter:

Karl Fosaaen


Karl Fosaaen leads the cloud penetration testing practice at NetSPI and has over fifteen years of consulting experience in the cybersecurity industry. In that time, he has identified several critical Azure cloud platform security issues and CVEs through his vulnerability research, has been listed on Microsoft's Security Researcher Leaderboard, and co-authored Penetration Testing Azure for Ethical Hackers. He earned his BS in Computer Science from the University of Minnesota and holds the Security+, CISSP, and GXPN certifications.

Steve Paul


Black Hat