DeepSec 2020 Talk: Abusing Azure Active Directory: Who Would You Like To Be Today? — Dr. Nestori Syynimaa
This will be one of the few online talks held at DeepSec. Dr. Nestori Syynimaa covers the wonderful world of Azure AD and third-party code.
Azure AD is used by Microsoft Office 365 and over 2900 third-party apps. Although Azure AD is commonly regarded as secure, there are serious vulnerabilities regarding identity federation, pass-through authentication, and seamless single-sign-on. In this session, using AADInternals PowerShell module, I’ll demonstrate the exploitation of these vulnerabilities to create backdoors, impersonate users, and bypass MFA. The purpose of this session is to raise awareness of the importance of the principle of least privilege and the role of on-prem security to cloud security.
We asked Dr. Nestori Syynimaa a few more questions about his talk.
Please tell us the most important facts about your talk.
- Azure AD acts as an identity provider for many cloud services
- To protect identities, you must protect Azure AD
- There are several ways a rogue admin can create backdoors to Azure AD
- To protect cloud, you need to protect your on-prem too
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
In my previous job I worked as trainer for Office 365 admin courses (I’m still MCT). When preparing one course, I found a way to create a backdoor to Azure AD. Microsoft did not consider that to be a vulnerability and they refused to fix it. After this, I made a decision to study further and share my findings with the community (after reporting everything to Microsoft).
Why do you think this is an important topic?
The whole security aspect of Microsoft cloud services is very complex. With wrong design choices, the security borders can be breached. By increasing the awareness of what harm can be done (and how), organisations can better protect their environments.