Backdooring and Hijacking Azure AD Accounts by Abusing External Identities
External identities are a concept in Azure Active Directory that makes it possible to collaborate with users outside of an organization. These external users, often called guest users, can be granted permissions to certain resources and work together with users within the organization. Their identities are managed either in a different Azure AD tenant or as unmanaged accounts outside of Azure AD.
This talk explains how these external identities work in Azure AD and how concepts such as B2B collaboration are facilitated. During the research for this talk, several flaws in the implementation were identified, which create novel ways to backdoor and hijack Azure AD accounts starting from a regular user account. Ways were also identified to exploit these external identity links to elevate privileges and to bypass Multi-Factor Authentication and Conditional Access policies. All of these attacks were possible in the default configuration of Azure AD.
This talk will give insight into the external identities concepts, into the technicalities that allowed these attacks to exist, and into ways to harden against these attacks and detect abuse of these vulnerabilities.
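One place a defender can start before hearing the talk is an inventory of which accounts in the tenant carry links to external identity providers. The following is an added example for this page, written by the editor with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users module); it is not code from the talk or from the speakers. It assumes the signed-in account holds the User.Read.All permission, and the review heuristic (flagging Member accounts whose `identities` collection contains a non-UPN sign-in entry) is the editor's, not a claim the abstract makes about the vulnerabilities.

```powershell
# Added example (editor's code, not the speakers'): list the external identity
# links on every user in an Azure AD tenant via Microsoft Graph.
# Assumption: Microsoft.Graph.Users is installed and the caller has User.Read.All.

Connect-MgGraph -Scopes "User.Read.All"

# Request the identities collection explicitly; it is not returned by default.
$users = Get-MgUser -All -Property Id,UserPrincipalName,UserType,CreationType,ExternalUserState,Identities

$report = foreach ($u in $users) {
    # Every entry whose signInType is not the tenant's own userPrincipalName entry
    # is a link to another identity provider (e.g. ExternalAzureAD, MicrosoftAccount).
    $external = @($u.Identities | Where-Object { $_.SignInType -ne 'userPrincipalName' })

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        UserType          = $u.UserType
        CreationType      = $u.CreationType
        ExternalUserState = $u.ExternalUserState
        ExternalIssuers   = ($external | ForEach-Object { "$($_.Issuer):$($_.IssuerAssignedId)" }) -join '; '
        # Editor's heuristic: a Member (not Guest) account that also carries an
        # external sign-in identity is unexpected in most tenants and worth review.
        Review            = ($u.UserType -eq 'Member' -and $external.Count -gt 0)
    }
}

# Show only accounts that have at least one external link, flagged rows first.
$report | Where-Object { $_.ExternalIssuers } | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it from a PowerShell session with the Microsoft.Graph modules installed; the output is a table of guest and member accounts with the issuer and issuer-assigned ID of each external identity, which can be exported and compared over time so that newly appearing links on existing accounts stand out.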
Hacker and Researcher of Active Directory and Azure AD
Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD at Outsider Security. Among the open-source tools he has published to advance the state of (Azure) AD research are aclpwn, krbrelayx, mitm6 and the Azure AD ROADtools framework. He blogs at dirkjanm.io, where he publishes new Active Directory attack chains, including the discovery of the PrivExchange vulnerability. He has presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and was listed among the MSRC Most Valuable Security Researchers from 2018 to 2020 for his Azure AD research.
Karl Fosaaen leads the cloud penetration testing practice at NetSPI and has over fifteen years of consulting experience in the cybersecurity industry. In that time, he has identified several critical Azure cloud platform security issues and CVEs through his vulnerability research, has been listed on Microsoft's Security Researcher Leaderboard, and co-authored Penetration Testing Azure for Ethical Hackers. He earned his BS in Computer Science from the University of Minnesota and holds the Security+, CISSP, and GXPN certifications.