One of Microsoft Azure's top tools has a serious security flaw

Sead Fadilpašić

24 May 2023 at 10:18 am·2-min read

Cloud computing concept represented by a server room, with a cloud representation hologram concept.

Microsoft’s Azure Active Directory (Azure AD), the company’s go-to cloud-based identity and access management service (IAM), carries a severe flaw that enabled threat actors to install backdoors.

This is according to extensive research from the Secureworks Counter Threat Unit (CTU), which says the issue could also let hackers modify access rights to bypass multi-factor authentication and block admin access without proper logging, and gather information on policy configurations to enable future attacks.

Azure AD supports multiple authentication methods, while the premium version also supports Conditional Access Policies (CAPs) that grant, or block access, based on different criteria, such as device compliance or user location. The IAM service is the one storing these settings, allowing CAPs to be modified either via the portal, PowerShell, or API calls.

One API

The researchers set out to see which APIs allow CAP settings editing, and found three.

One of the three, called AADGraph, was the only one allowing users to modify all CAP settings, including the metadata. This, the researchers say, allows admins to tamper with things such as creation and modification timestamps, and given that modifications made using AADGraph weren’t being properly logged, the integrity and non-repudiation of Azure AD policies were thus at risk.

> Nearly all firms have some kind of cloud misconfiguration issue

> Many data breaches are being caused by misconfigured clouds

> Here's our list of the best endpoint security software

The researchers shared their findings with Microsoft in late May 2022, which confirmed the findings a month later but stated that this was not a bug, but a feature. However, a year later, Microsoft notified CTU researchers that it plans on making changes that will improve audit logs and restrict CAP updates via AADGraph.

Secureworks also stresses that Microsoft’s been trying to deprecate the AADGraph API “for years”. At the moment, the retirement is scheduled for June 30, 2023. Microsoft has removed public AADGraph API documentation.

These are the best firewalls to keep your business protected

The Independent
‘This is England’: Train passengers horrified as man launches into racist tirade in packed carriage
Passengers on service said they were abused by group on train after men got on at London Bridge
18 hours ago
The Telegraph
Israel’s strike has exposed Iran’s fatal weakness
Israel’s presumed counterstrike against Iran has proved Joe Biden and David Cameron wrong in their insistence that Israel should just “take the win”. Instead, it fought back – and yesterday Iran was trying to pretend that nothing had happened.
14 hours ago
France 24
World leaders urge restraint after suspected Israeli strikes on Iran
World leaders called for de-escalation in the Middle East after Iran's state media reported explosions in the central province of Isfahan on Friday and US media quoted officials saying Israel had carried out retaliatory strikes on its arch-rival. Iranian officials played down the incident and said the blasts caused no major damage. Israel had previously warned it would hit back after Iran fired hundreds of missiles and drones at Israel over the weekend. Read our blog to see how the day's events
a day ago
BuzzFeed
Women Who've Had Threesomes Are Opening Up About Their Experiences — The Good, The Bad, And The Ugly — And It's Intriguing
"There's nothing like having two men passionately desiring and worshipping you."
5 hours ago
Yahoo News Singapore
As Lawrence Wong prepares to take over as Singapore PM, eyes turn towards possible DPM candidates
Amid a leadership transition, Lawrence Wong hints at few changes to the cabinet lineup. Read on to find out what experts think about potential promotions.
a day ago
Yahoo News Singapore
Three women arrested for alleged involvement in prostitution syndicate which operated on Telegram
Three women, aged between 23 and 42, have been arrested for alleged involvement in prostitution activities that operated via Telegram. Read on.
a day ago
Evening Standard
Why has Sydney Sweeney become the most divisive woman in Hollywood?
The megastar is at the heart of a political tug of war — and her breasts are polarising US society. What is really going on, asks Maddy Mussen
21 hours ago
BBC
Beijing half marathon: Top three stripped of medals after investigation
The top three finishers of the Beijing half marathon are stripped of their medals after an investigation into the controversial result.
22 hours ago
The Telegraph
Bernardo Silva’s penalty: What was he thinking?
All but a small handful of Manchester City players and staff had already retired to the dressing room, dazed and doubtless a little confused about what had just unfolded, by the time Bernardo Silva started his slow trudge off the pitch.
2 days ago
SETHLUI.COM
Best fixed deposit rates 2024: Grow your money with little risk
The post Best fixed deposit rates 2024: Grow your money with little risk appeared first on SETHLUI.com.
2 days ago
People
Kourtney Kardashian Celebrates Her Appearance After Fan Comments on Bikini Pic: 'I Love This Body'
The Lemme co-founder is thankful for her body because it "gave me my 3 big babies and my little baby"
a day ago
The Telegraph
Why Emiliano Martinez was not sent off despite second yellow card
Aston Villa booked their place in the Europa League semi-finals in dramatic fashion by winning a drama-filled penalty shootout, where goalkeeper Emiliano Martinez received his second yellow card but was not sent off.
a day ago
The Independent
Scientists in India may just have discovered longest snake to ever live
Snake was comparable in size to extinct Titanoboa, researchers say
a day ago
PA Media: UK News
Man jailed for six and a half years for ‘brazen’ rape of 15-year-old girl in sea
Judge Susan Evans KC said the ‘frightening’ attack ‘undermined public confidence’ in the safety of busy beaches.
17 hours ago
The Independent
Iran makes first nuclear threat over possible Israeli attack as US and UK slap fresh sanctions on Tehran
Tensions between Israel and Iran have reached new heights as Tehran repeats its warnings that a response to its own missile attack could be lethal for the region
a day ago
The Independent
Black undercover police officer beaten up by his own colleagues awarded $23.5m
Fellow undercover officer told investigators police in riot gear ‘beat the f*** out of [Mr Hall] like Rodney King’
10 hours ago
The Independent
Trump’s $175m bond in fraud case should be voided, says New York attorney general
Mr Trump’s hefty bond was posted by California-based Knight Specialty Insurance Company last month
8 hours ago
The Guardian
Jürgen Klopp defends Salah’s finishing after Liverpool exit Europa League
Jürgen Klopp said Liverpool squandered their Europa League chances at Anfield and insisted Mohamed Salah’s wastefulness was not the cause of their exit
a day ago
The Telegraph
Man City’s defeat was travesty – but Champions League wipe-out is damaging for English football
For only the eighth time in the past quarter of a century, England finds itself without a single representative in the last four of the Champions League. That feels, in the immediate aftermath of this soul-sapping defeat for Manchester City, like an unvarnished travesty.
2 days ago
SETHLUI.COM
New in town: Ducking Good 好吃鸭 – 50% off Whole Speciality Ducks!
The post New in town: Ducking Good 好吃鸭 – 50% off Whole Speciality Ducks! appeared first on SETHLUI.com.
2 days ago

One API

Latest stories