Eye Security reveals that misconfigured multi-tenant Entra apps let an attacker authenticate against their own tenant (the app redirects to the /common endpoint) and still have the target app accept the resulting access token, enabling cross-tenant access, consent bypass via direct Service Principal creation, and potential credential leakage from log files. The research reports 22 internal Microsoft services were exposed, demonstrates how attackers can enumerate domains and redirect URIs to find vulnerable apps, and recommends mitigations such as limiting multi-tenant registrations, validating the iss and tid claims in access tokens, and using a PowerShell script to identify risky registrations. #EngineeringHub #SecurityIntelligencePlatform #MediaCreationService #EyeSecurity #MSRC #aka.ms #EntraID #AzureAD #EngageACEHub #BAMI #CPETwebservice #HxSDKDocumentation
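The triage the summary refers to, as an added Python example that is not the article's PowerShell script and not Microsoft code: it walks a constructed sample of what the Graph `GET /v1.0/applications` call returns (the `signInAudience` and `web.redirectUris` properties are real Graph fields; every display name, app ID and URI in the sample is made up), reports every registration whose sign-in audience is wider than the home tenant, and flags redirect URIs that deserve a second look.

```python
"""Flag multi-tenant Entra app registrations and risky redirect URIs.

Added example, not the PowerShell script the Eye Security article refers to
and not Microsoft code. The input mirrors the shape of a Graph
GET https://graph.microsoft.com/v1.0/applications response; the sample
registrations below are constructed for the demo.
"""
import json
from urllib.parse import urlparse

# Graph signInAudience values that admit sign-ins from outside the home tenant.
MULTI_TENANT_AUDIENCES = {
    "AzureADMultipleOrgs": "any Entra tenant",
    "AzureADandPersonalMicrosoftAccount": "any Entra tenant plus personal Microsoft accounts",
    "PersonalMicrosoftAccount": "personal Microsoft accounts only",
}

# Constructed sample: three registrations, one of them single-tenant (AzureADMyOrg).
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"displayName": "Internal Engineering Portal",
         "appId": "aaaaaaaa-0000-0000-0000-000000000001",
         "signInAudience": "AzureADMultipleOrgs",
         "web": {"redirectUris": ["https://portal.internal.example/signin-oidc"]}},
        {"displayName": "Payroll Connector",
         "appId": "aaaaaaaa-0000-0000-0000-000000000002",
         "signInAudience": "AzureADMyOrg",
         "web": {"redirectUris": ["https://payroll.example/auth"]}},
        {"displayName": "Legacy Dev Tool",
         "appId": "aaaaaaaa-0000-0000-0000-000000000003",
         "signInAudience": "AzureADandPersonalMicrosoftAccount",
         "web": {"redirectUris": ["http://localhost:8080/callback", "https://dev.example/cb"]}},
    ]
})


def redirect_uri_issues(uri: str) -> list[str]:
    """Return the reasons a redirect URI is risky; an empty list means none found."""
    issues = []
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    loopback = host in ("localhost", "127.0.0.1")
    if parsed.scheme == "http" and not loopback:
        issues.append("plain http")          # authorization code travels in clear
    if loopback:
        issues.append("loopback address")    # anything on the client host can receive the code
    if "*" in uri:
        issues.append("wildcard")            # widens where codes may be sent
    return issues


def audit_applications(graph_json: str) -> list[dict]:
    """Return one finding per registration that accepts sign-ins from outside the tenant."""
    findings = []
    for app in json.loads(graph_json)["value"]:
        audience = app.get("signInAudience", "AzureADMyOrg")
        if audience not in MULTI_TENANT_AUDIENCES:
            continue  # single-tenant: tokens can only originate from the home tenant
        uris = app.get("web", {}).get("redirectUris", [])
        findings.append({
            "appId": app["appId"],
            "displayName": app.get("displayName", ""),
            "signInAudience": audience,
            "whoCanSignIn": MULTI_TENANT_AUDIENCES[audience],
            "redirectUris": uris,
            "redirectUriIssues": {u: redirect_uri_issues(u) for u in uris if redirect_uri_issues(u)},
        })
    return sorted(findings, key=lambda f: f["appId"])


if __name__ == "__main__":
    for finding in audit_applications(SAMPLE_GRAPH_RESPONSE):
        print(finding["displayName"], finding["signInAudience"],
              finding["whoCanSignIn"], finding["redirectUriIssues"] or "-")
```

Against a real tenant the same input comes from the Graph applications endpoint (with Microsoft Graph PowerShell, `Get-MgApplication -All` piped through `Where-Object` on `SignInAudience`); every registration listed here should either be justified as a genuinely multi-tenant product or moved to `AzureADMyOrg`, and the apps behind the flagged ones should be checked for the iss/tid validation discussed below.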
Keypoints
- A multi-tenant Entra app that sends users to the /common endpoint lets an attacker authenticate against the attacker's own tenant; if the app does not check which tenant issued the token, it accepts the result as a legitimate sign-in, enabling cross-tenant access.
- Consent can be bypassed: an admin of the attacker's own tenant can create a Service Principal for the target's multi-tenant app directly, which instantiates the app in that tenant without a consent prompt and without checking that the required resource access is available.
- Sensitive credentials such as authorization codes and private keys can reside in log files or other files reachable through the exposed apps, enabling theft and reuse.
- Application logic must validate the issuer (iss) and tenant ID (tid) claims in access tokens against the tenant(s) the app is meant to serve; a valid signature only proves the token came from Entra, not from which tenant.
- Attackers can enumerate domains and redirect URIs to identify internal apps registered as multi-tenant and abuse their access.
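What the iss/tid check in the list above looks like in application code, as an added Python example that is not code from the article or from Microsoft. The tokens are constructed here and signed with HS256 and a made-up key so the block runs offline; real Entra access tokens are RS256 and must be verified against the tenant's published JWKS before any claim is read. The point the example makes is the article's: both tokens carry a valid signature and the right audience, and only the tenant checks tell them apart.

```python
"""Reject access tokens issued for a foreign tenant even when they verify.

Added example, not code from the Eye Security article or from Microsoft.
HS256 with a made-up key stands in for Entra's RS256/JWKS signing so the
demo is self-contained; the claim checks are the part that carries over.
"""
import base64
import hashlib
import hmac
import json

# Constructed values: the app's home tenant and client ID, and a stand-in for
# the issuer's key. Entra signs tokens for every tenant with the same key set,
# which is why a good signature says nothing about which tenant a token is from.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "99999999-9999-9999-9999-999999999999"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
SIGNING_KEY = b"stand-in-for-the-issuer-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact JWS (HS256, constructed key) for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def splice_signature(token_a: str, token_b: str) -> str:
    """Header and payload of token_a with the signature of token_b (a forgery attempt)."""
    header, payload, _ = token_a.split(".")
    return f"{header}.{payload}.{token_b.split('.')[2]}"


def validate_token(token: str, home_tenant: str = HOME_TENANT, client_id: str = CLIENT_ID) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    Order matters: signature first, so forged claims never reach the later
    checks; then audience; then the cross-tenant checks the article calls for,
    iss naming our tenant and tid equal to it.
    """
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))

    if claims.get("aud") != client_id:
        raise ValueError(f"wrong audience {claims.get('aud')!r}")
    allowed_issuers = {
        f"https://login.microsoftonline.com/{home_tenant}/v2.0",  # v2.0 endpoint tokens
        f"https://sts.windows.net/{home_tenant}/",                 # v1.0 endpoint tokens
    }
    if claims.get("iss") not in allowed_issuers:
        raise ValueError(f"issuer not trusted: {claims.get('iss')!r}")
    if claims.get("tid") != home_tenant:
        raise ValueError(f"token issued for foreign tenant {claims.get('tid')!r}")
    return claims


def accepts(token: str) -> bool:
    """True if validate_token accepts the token, False if it raises."""
    try:
        validate_token(token)
        return True
    except ValueError:
        return False


# Constructed tokens: same signer, same audience, different tenant of origin.
HOME_TOKEN = mint_token({"aud": CLIENT_ID, "tid": HOME_TENANT, "oid": "employee-object-id",
                         "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0"})
FOREIGN_TOKEN = mint_token({"aud": CLIENT_ID, "tid": ATTACKER_TENANT, "oid": "attacker-object-id",
                            "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0"})

if __name__ == "__main__":
    print("home-tenant token accepted:", accepts(HOME_TOKEN))        # True
    print("foreign-tenant token accepted:", accepts(FOREIGN_TOKEN))  # False
```

An app that only verifies the signature and audience accepts FOREIGN_TOKEN, which is exactly the failure the article describes; the tid check is what closes it, and the iss check prevents a token whose tid claim happens to match from being accepted when it was minted by another issuer.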
MITRE Techniques
- [T1078] Valid Accounts (T1078.004 Cloud Accounts) – Accessing internal Microsoft services using the attacker’s own Microsoft account. [ ‘This time it gave me access using my own Microsoft 365 account!’ ]
- [T1136] Create Account (T1136.003 Cloud Account) – Creating a Service Principal in the attacker’s tenant to instantiate a multi-tenant application without consent. [ ‘This creates a service principal without asking consent or checking availability of required resource access.’ ]
- [T1552.001] Credentials in Files – Logfiles containing authorization codes for users who logged in. [ ‘I even found a logfile that contained Authorization Codes for all the users that had logged in.’ ]
- [T1552.004] Private Keys – A file containing a private key, indicating credential exposure. [ ‘one of these even contains some private key.’ ]
- [T1199] Trusted Relationship – Abuse of multi-tenant app configuration to gain access across tenants. [ ‘The Engineering Hub was configured as a multi-tenant application and redirected me to the /common endpoint.’ ]
Indicators of Compromise
- [Domain] Domains referenced in the research, not attacker infrastructure – eng.ms (the affected Microsoft Engineering Hub), eye.security (the researchers’ own domain)
- [URL] Standard Microsoft endpoints cited in the authentication flow; traffic to them is normal and not by itself a sign of compromise – https://aka.ms, https://login.microsoftonline.com/common
- [App ID (Azure AD)] Application IDs of the multi-tenant apps as cited in the article – 8123db1e-3ae6-4068-abcd-f45acafee99c, 74561b55-4eee-4db9-dead-c80ababee56d
- [Credential/Secret] Sensitive material found or referenced in exposed files – a private key, and authorization codes for users who had logged in, both in log files
Read more: https://research.eye.security/consent-and-compromise/