Two crucial security misconfigurations in Microsoft Entra tenants
Microsoft Entra is frequently targeted by attackers because it is used by a large share of organizations and is often poorly configured. In this article, we present two crucial security misconfigurations that we commonly identify during our assessments.
We help organizations improve their detection and response capabilities within Cloud infrastructure. Sign up for our limited-time free cloud security assessment to test your defenses against five attack techniques commonly used to breach organizations.
Device Code Flow enabled
Having Device Code Flow enabled in your tenant can quickly lead to the compromise of user and administrator accounts, even when those accounts are protected by Multi-Factor Authentication (MFA): the victim completes MFA themselves, and the resulting tokens are delivered to whoever started the flow.
Device Code Flow is an OAuth 2.0 authorization grant (RFC 8628) designed for devices that have no browser or limited input capabilities, such as smart TVs, command-line tools, and IoT devices. The client first asks the authorization server for a pair of codes, then the user opens a verification URL on a separate device (for Entra, https://microsoft.com/devicelogin), enters the short user code, and signs in. Meanwhile the client polls the token endpoint until the sign-in completes. An attacker who starts the flow and tricks a user into entering the attacker's code therefore receives the access token and refresh token issued for that user, and the refresh token keeps the access alive well after the phishing message is gone.
What makes this attack particularly effective is that the sign-in happens on a genuine Microsoft page, so no lookalike domain or fake login form is needed and the targeted user sees nothing out of the ordinary.
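The exchange described above, as an added example that is not part of the original article: a toy authorization server standing in for Entra, an attacker acting as the RFC 8628 client, and a victim who enters the code and passes MFA. Everything here is a model (the server, the code formats, the token strings and the client ID are all invented); it exists to show the one property that matters for this attack: the tokens go to the party that requested the codes, not to the party that authenticated, and MFA on the victim's side changes nothing about that.

```python
"""Model of the OAuth 2.0 device authorization grant (RFC 8628) as abused in
device code phishing. Added example: the authorization server is a toy stand-in
for Entra, not Microsoft code, and all identifiers are made up."""
import secrets
import string
import time


class MockAuthServer:
    """Minimal authorization server implementing the device code grant."""

    def __init__(self, code_lifetime=900, clock=time.time):
        self.clock = clock
        self.code_lifetime = code_lifetime   # Entra user codes live about 15 minutes
        self.pending = {}                    # device_code -> session state

    def device_authorization(self, client_id, scope):
        """Step 1: the client (in the attack, the attacker) requests a code pair."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + self.code_lifetime,
            "authenticated_user": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_lifetime, "interval": 5}

    def verify_user_code(self, user_code, username, mfa_passed):
        """Step 2: the victim enters the user code on the verification page and
        signs in. MFA is evaluated here, against the victim, and only binds the
        victim's identity to whichever session requested that code."""
        for session in self.pending.values():
            if session["user_code"] == user_code:
                if not mfa_passed:
                    return False
                session["authenticated_user"] = username
                return True
        return False

    def token(self, device_code):
        """Step 3: the client polls the token endpoint with its device_code."""
        session = self.pending.get(device_code)
        if session is None:
            return {"error": "invalid_grant"}
        if self.clock() > session["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if session["authenticated_user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": session["scope"],
                "access_token": f"access-for-{session['authenticated_user']}",
                "refresh_token": secrets.token_urlsafe(32), "expires_in": 3600}


def simulate_attack(victim="alice@contoso.example", victim_completes_mfa=True,
                    victim_delay=5):
    """Attacker starts the flow, sends the user_code to the victim, polls until
    tokens arrive. Returns the attacker's first and second poll responses."""
    clock = {"now": 0.0}
    server = MockAuthServer(clock=lambda: clock["now"])
    start = server.device_authorization("made-up-client-id", "openid offline_access")
    first_poll = server.token(start["device_code"])        # victim has not acted yet
    clock["now"] += victim_delay
    server.verify_user_code(start["user_code"], victim, mfa_passed=victim_completes_mfa)
    second_poll = server.token(start["device_code"])       # attacker polls again
    return {"user_code_sent_to_victim": start["user_code"],
            "first_poll": first_poll, "second_poll": second_poll}


if __name__ == "__main__":
    result = simulate_attack()
    print("victim typed:", result["user_code_sent_to_victim"])
    print("attacker received:", result["second_poll"])
```

Running the scenario with `victim_delay` larger than the 900-second code lifetime yields `expired_token` instead of tokens, which is why real phishing messages press for immediate action: the attacker has roughly fifteen minutes from requesting the code until it is worthless.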
Overly permissive user consent settings
Overly permissive user consent settings allow users to consent to applications from unverified publishers. When a user consents to an application, Entra ID issues that application tokens (an access token and, with the offline_access permission, a refresh token) that let it act on behalf of the user. An attacker who tricks a user into consenting to an attacker-controlled application thereby gains access to the user's data without ever holding the user's password or satisfying MFA. Attackers commonly use such applications to maintain long-term access to compromised accounts, since security responders often overlook them: resetting the password or revoking sessions does not revoke an application's consent grant. As part of our testing arsenal, we developed a custom application to test for this weakness.
Several settings interact here (the user consent setting itself, which ranges from "Do not allow user consent" through "Allow user consent for apps from verified publishers, for selected permissions" to "Allow user consent for apps", the permission classifications behind "selected permissions", and the admin consent workflow), and we believe simulating a real attack is the surest way to identify gaps in prevention, detection, and response mechanisms.
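A detection pass covering both weaknesses in this article, as an added example with constructed log records (not the article's own tooling or data): it flags sign-ins that used the device code grant and user consents granted to applications whose service principal has no verified publisher. The record shapes follow the Microsoft Graph `signIn` (`authenticationProtocol`), `directoryAudit` (`activityDisplayName`, `modifiedProperties`) and `servicePrincipal` (`verifiedPublisher`) resources; the `ConsentContext.IsAdminConsent` and `ConsentAction.Permissions` property names are taken from typical consent audit entries and are assumptions to verify against your own exports, as are all users, IPs and application names.

```python
"""Triage Entra sign-in and audit records for device code sign-ins and user
consents to apps without a verified publisher. Added example with constructed
records; field names follow Graph signIn / directoryAudit / servicePrincipal
resources but should be checked against your own tenant's exports."""
import json

# Constructed sign-in records (shape modelled on the Graph signIn resource).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.78",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]

# Constructed directory audit records for consent grants. Graph wraps each
# modifiedProperties newValue in a JSON string, hence the escaped quotes.
AUDITS = [
    {"id": "a1", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"id": "app-1111", "displayName": "Contoso HR Portal"}],
     "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
         {"displayName": "ConsentAction.Permissions", "newValue": "\"Mail.Read, offline_access\""}]},
    {"id": "a2", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"id": "app-1111", "displayName": "Contoso HR Portal"}],
     "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\""},
         {"displayName": "ConsentAction.Permissions", "newValue": "\"User.Read\""}]},
    {"id": "a3", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"id": "app-2222", "displayName": "Verified Vendor App"}],
     "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
         {"displayName": "ConsentAction.Permissions", "newValue": "\"User.Read\""}]},
]

# Constructed service principal inventory keyed by the audit target id.
SERVICE_PRINCIPALS = {
    "app-1111": {"displayName": "Contoso HR Portal",
                 "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    "app-2222": {"displayName": "Verified Vendor App",
                 "verifiedPublisher": {"displayName": "Example Vendor", "verifiedPublisherId": "mpn-0001"}},
}


def _prop(audit, name):
    """Return a modifiedProperties newValue, unwrapping the JSON-string encoding."""
    for prop in audit.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            raw = prop.get("newValue")
            try:
                return json.loads(raw)
            except (TypeError, ValueError):
                return raw
    return None


def device_code_sign_ins(sign_ins):
    """Every sign-in that used the device code grant. A successful one from an
    IP the user never uses is the footprint of the phishing scenario above;
    a failed one may be an attempt worth asking the user about."""
    return [{"id": r["id"], "user": r["userPrincipalName"], "ip": r["ipAddress"],
             "succeeded": r.get("status", {}).get("errorCode", 0) == 0}
            for r in sign_ins if r.get("authenticationProtocol") == "deviceCode"]


def risky_user_consents(audits, service_principals):
    """User (non-admin) consents to apps whose service principal lacks a verified
    publisher; offline_access marks grants that yield long-lived refresh tokens."""
    hits = []
    for audit in audits:
        if audit.get("activityDisplayName") != "Consent to application":
            continue
        if str(_prop(audit, "ConsentContext.IsAdminConsent")).lower() == "true":
            continue  # admin consent is governed by a different control
        target = audit["targetResources"][0]
        sp = service_principals.get(target["id"], {})
        if (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
            continue
        raw_perms = _prop(audit, "ConsentAction.Permissions") or ""
        perms = [p.strip() for p in raw_perms.split(",") if p.strip()]
        hits.append({"id": audit["id"], "user": audit["initiatedBy"]["user"]["userPrincipalName"],
                     "app": target["displayName"], "permissions": perms,
                     "long_term_access": "offline_access" in perms})
    return hits


if __name__ == "__main__":
    print(json.dumps(device_code_sign_ins(SIGN_INS), indent=2))
    print(json.dumps(risky_user_consents(AUDITS, SERVICE_PRINCIPALS), indent=2))
```

Both functions take plain lists of dictionaries, so the same code runs over a Graph API export, a Log Analytics query result converted to JSON, or the constructed records above.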