BIPI

Azure AD/Entra ID Pentesting: Token Theft, Consent Grants, AzureHound

Cloud Security

Hacktricks-style guide to Entra ID attacks: refresh token theft, illicit consent grants, AzureHound enumeration, and graph-based privilege escalation.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 11, 2024 · 12 min read

#azure#entra-id#azurehound#pentesting#oauth

Entra ID, the artist formerly known as Azure AD, is the identity plane for almost every Microsoft 365 tenant. The attack surface is broad: device codes, refresh tokens, app consent, conditional access edge cases, and a directory model that confuses even experienced administrators.

Recon and enumeration

  • AzureHound to collect the tenant graph into BloodHound for path analysis
  • ROADrecon for offline Microsoft Graph dumps with rich tenant detail
  • MicroBurst for discovery of public resources and storage accounts
  • TokenTactics for browser-style sign-in flows that bypass conditional access in some configs

Token theft tradecraft

The crown jewel in Entra is a primary refresh token from a joined device. With a PRT you can request access tokens for any resource the user can reach, often for weeks. PRT theft is typically achieved via process injection into LSASS or via cookie theft from the user's browser session, then replayed through a tool like roadtx.

Illicit consent grants

  1. Register a multi-tenant app you control under an attacker tenant
  2. Phish the user with a consent prompt asking for Mail.Read and offline_access
  3. Once consented, you hold a refresh token for the victim's Graph access
  4. Persist via the granted scopes until an admin discovers and revokes the app

Graph-based privilege escalation

AzureHound builds a graph of users, groups, applications, service principals, and role assignments. Run the AddOwner and AddMember queries to find principals that can promote themselves into Global Administrator. The classic edges are owner of an app that has RoleManagement.ReadWrite.Directory, or member of a group that holds Privileged Role Administrator.
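To make the graph idea concrete, here is a small path-finding routine over a constructed tenant graph. It is an added example written for this article, not AzureHound or BloodHound code; the edge labels (MemberOf, Owns, HasAppRole, GrantsRole, HasRole, CanAssign) are simplified stand-ins rather than AzureHound's real edge names, and the users, groups and apps are invented. It answers the defender's version of the question: which ordinary users already have a path to Global Administrator, and which hop on each path is the cheapest to cut.

```python
from collections import deque

# Constructed sample tenant graph in a simplified BloodHound-style schema.
# Assumption: the relationship labels (MemberOf, Owns, HasAppRole, GrantsRole,
# HasRole, CanAssign) are illustrative and not AzureHound's exact edge names.
# Each tuple is (source node, relationship, target node).
SAMPLE_EDGES = [
    ("user:alice", "MemberOf", "group:helpdesk"),
    ("group:helpdesk", "Owns", "app:ticketing-sync"),
    ("app:ticketing-sync", "HasAppRole", "perm:RoleManagement.ReadWrite.Directory"),
    ("perm:RoleManagement.ReadWrite.Directory", "GrantsRole", "role:Global Administrator"),
    ("user:bob", "MemberOf", "group:ops-admins"),
    ("group:ops-admins", "HasRole", "role:Privileged Role Administrator"),
    ("role:Privileged Role Administrator", "CanAssign", "role:Global Administrator"),
    ("user:carol", "MemberOf", "group:marketing"),
    ("group:marketing", "Owns", "app:newsletter"),
    ("app:newsletter", "HasAppRole", "perm:Mail.Read"),
]

GLOBAL_ADMIN = "role:Global Administrator"


def build_adjacency(edges):
    """Map each source node to its outgoing (relationship, target) pairs."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(adj, start, target):
    """Breadth-first search; returns the hops of the shortest path from
    start to target as a list of (src, rel, dst) tuples, or None."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def principals_reaching(edges, target=GLOBAL_ADMIN):
    """Every user node with a path to the target role, keyed to its shortest path.
    Defenders read the result as a cut list: break the cheapest hop on each path."""
    adj = build_adjacency(edges)
    users = sorted({src for src, _, _ in edges if src.startswith("user:")})
    found = {}
    for user in users:
        path = shortest_path(adj, user, target)
        if path:
            found[user] = path
    return found


def render_path(path):
    """Human-readable form: 'a -[rel]-> b -[rel]-> c'."""
    parts = [path[0][0]]
    for _, rel, dst in path:
        parts.append(f"-[{rel}]-> {dst}")
    return " ".join(parts)


if __name__ == "__main__":
    for user, path in principals_reaching(SAMPLE_EDGES).items():
        print(f"{user}: {len(path)} hops\n  {render_path(path)}")
```

On the sample data alice reaches Global Administrator through app ownership (the RoleManagement.ReadWrite.Directory edge from the text) and bob through group membership in a Privileged Role Administrator holder; carol's marketing app only carries Mail.Read and never reaches the target. Against a real AzureHound export you would replace SAMPLE_EDGES with the collected edges and keep the same traversal.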

Conditional access bypasses worth knowing

  • Device code flow on a service that does not enforce CA policies for that flow
  • Legacy authentication endpoints still on for one tenant in a hub-and-spoke setup
  • Trusted location bypasses when the attacker controls a VPN exit in a whitelisted IP
  • Break-glass accounts excluded from MFA, sometimes with weak passwords

The Entra admin who tells you conditional access blocks everything has not looked at the report-only policies in six months.

Detection signals

  1. Unified audit log entries for Consent to application from unexpected users
  2. Risky sign-ins from Identity Protection, especially impossible travel and atypical location
  3. Add member to role events, particularly for privileged directory roles
  4. Sign-in logs showing token resource changes from non-interactive flows
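Signals 1 and 3 above are cheap to turn into a rule. The script below is an added example for this article, not BIPI's or Microsoft's code: it parses a handful of constructed audit-log records (a trimmed version of the directoryAudits shape, with the activityDisplayName values "Consent to application" and "Add member to role" from the text), flags consent grants by anyone outside an allow-list of expected granters, flags additions to privileged roles, and then correlates the two so that a consent grant followed within 24 hours by a privileged role add from the same actor surfaces as one high-severity hit. The allow-list, role set, timestamps and accounts are all invented.

```python
import json
from datetime import datetime, timedelta

# Assumption: the roles this tenant treats as privileged for alerting purposes.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
}
# Assumption: the only identities expected to grant application consent.
EXPECTED_CONSENT_GRANTERS = {"iam-admin@example.com"}

# Constructed sample records, one JSON object per line, trimmed to the fields
# this rule needs (activityDisplayName / initiatedBy / targetResources).
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2024-12-09T14:02:11Z", "activityDisplayName": "Consent to application", "initiatedBy": {"user": {"userPrincipalName": "dana@example.com"}}, "targetResources": [{"displayName": "Invoice Sync Helper", "type": "Application"}], "result": "success"}
{"activityDateTime": "2024-12-09T14:05:40Z", "activityDisplayName": "Consent to application", "initiatedBy": {"user": {"userPrincipalName": "iam-admin@example.com"}}, "targetResources": [{"displayName": "Corp HR Portal", "type": "Application"}], "result": "success"}
{"activityDateTime": "2024-12-10T02:17:05Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "dana@example.com"}}, "targetResources": [{"displayName": "Global Administrator", "type": "Role"}, {"displayName": "dana@example.com", "type": "User"}], "result": "success"}
{"activityDateTime": "2024-12-10T09:30:00Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "iam-admin@example.com"}}, "targetResources": [{"displayName": "Helpdesk Administrator", "type": "Role"}, {"displayName": "new-hire@example.com", "type": "User"}], "result": "success"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _actor(event):
    return event["initiatedBy"]["user"]["userPrincipalName"]


def _when(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_unexpected_consents(events, expected=EXPECTED_CONSENT_GRANTERS):
    """Consent grants initiated by anyone not on the expected-granter list.
    Returns (timestamp, actor, application) tuples."""
    hits = []
    for e in events:
        if e["activityDisplayName"] != "Consent to application":
            continue
        if _actor(e) not in expected:
            app = e["targetResources"][0]["displayName"]
            hits.append((e["activityDateTime"], _actor(e), app))
    return hits


def find_privileged_role_adds(events, privileged=PRIVILEGED_ROLES):
    """Role membership additions where the target role is in the privileged set.
    Returns (timestamp, actor, role) tuples."""
    hits = []
    for e in events:
        if e["activityDisplayName"] != "Add member to role":
            continue
        roles = {t["displayName"] for t in e["targetResources"]} & privileged
        for role in sorted(roles):
            hits.append((e["activityDateTime"], _actor(e), role))
    return hits


def correlate_consent_then_role_add(events, window=timedelta(hours=24)):
    """A suspicious consent followed by a privileged role add from the same
    actor inside the window is the pattern the text describes; escalate it."""
    alerts = []
    for c_time, actor, app in find_unexpected_consents(events):
        for r_time, r_actor, role in find_privileged_role_adds(events):
            gap = _when(r_time) - _when(c_time)
            if r_actor == actor and timedelta(0) <= gap <= window:
                alerts.append({"severity": "high", "actor": actor, "app": app,
                               "role": role, "gap_hours": round(gap.total_seconds() / 3600, 2)})
    return alerts


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for a in correlate_consent_then_role_add(evts):
        print(a)
```

The correlation step is what turns two noisy signals into one actionable one: on its own, a user consenting to an app is routine in many tenants, but the same identity landing in Global Administrator twelve hours later is not.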

Remediation

  1. Disable user consent for unverified publishers, require admin consent flow
  2. Enforce phishing-resistant MFA via FIDO2 or Windows Hello for Business
  3. Enable continuous access evaluation to shorten the useful life of stolen tokens
  4. Audit application registrations quarterly and remove unused service principals
  5. Use Privileged Identity Management for time-bound role activation
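Step 1 is a tenant setting you can assess from two Graph policy objects rather than by clicking through the portal. The checker below is an added example for this article, not BIPI's or Microsoft's code. It assumes the documented shapes of GET /policies/authorizationPolicy (the permissionGrantPoliciesAssigned list under defaultUserRolePermissions) and GET /policies/adminConsentRequestPolicy, and the two built-in Microsoft policy IDs for "users may consent to any app" and "users may consent to low-impact permissions from verified publishers". Both tenant documents are constructed: one in the weak default state the article warns about, one in the state step 1 asks for.

```python
# Built-in permission-grant policy IDs for user consent. Assumption: these are
# the IDs Microsoft documents for the authorizationPolicy resource.
LEGACY_ANY_APP = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_RISK_VERIFIED = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Constructed sample: a tenant still on the permissive default. Users can
# consent to any application from any publisher and there is no admin
# consent workflow to route requests through.
WEAK_TENANT = {
    "authorizationPolicy": {
        "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY_ANY_APP]}
    },
    "adminConsentRequestPolicy": {"isEnabled": False, "reviewers": []},
}

# Constructed sample: user consent disabled outright, admin consent workflow
# enabled with a reviewer (object id is a placeholder).
HARDENED_TENANT = {
    "authorizationPolicy": {
        "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}
    },
    "adminConsentRequestPolicy": {
        "isEnabled": True,
        "reviewers": [{"query": "/users/<reviewer-object-id>", "queryType": "MicrosoftGraph"}],
    },
}


def assess_consent_posture(tenant):
    """Return (severity, message) findings for the tenant's consent settings.
    An empty list means user consent is off and requests go to a reviewer."""
    findings = []
    assigned = tenant["authorizationPolicy"]["defaultUserRolePermissions"][
        "permissionGrantPoliciesAssigned"]
    if LEGACY_ANY_APP in assigned:
        findings.append(("HIGH", "users may consent to any app from any publisher; "
                                 "this is the precondition for an illicit consent grant"))
    elif LOW_RISK_VERIFIED in assigned:
        findings.append(("MEDIUM", "users may consent to low-impact permissions from "
                                   "verified publishers; review which permissions count as low-impact"))
    # An empty list means user consent is disabled: nothing to report for it.

    acr = tenant["adminConsentRequestPolicy"]
    if not assigned and not acr.get("isEnabled"):
        findings.append(("MEDIUM", "user consent is disabled but no admin consent workflow exists; "
                                   "users are blocked with no request path, which invites exceptions"))
    if acr.get("isEnabled") and not acr.get("reviewers"):
        findings.append(("LOW", "admin consent workflow is enabled but has no reviewers assigned"))
    return findings


def target_user_consent_setting():
    """The permissionGrantPoliciesAssigned value the hardened state uses:
    an empty list, i.e. no user consent at all, so every app goes through admin consent."""
    return []


if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, assess_consent_posture(tenant) or "no findings")
```

If the organisation cannot live with admin consent for everything, the middle ground is LOW_RISK_VERIFIED plus the admin consent workflow enabled; the checker reports that as MEDIUM so it still shows up in a quarterly review alongside the application-registration audit in step 4.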

12: average admin-reachable paths AzureHound surfaces in a fresh tenant

90 days: default refresh token lifetime, longer than most incident detection windows

Closing

Entra ID rewards defenders who think in graphs. AzureHound is free, runs in minutes, and produces a list of conversations worth having with the IAM team. Start there before you commission a more expensive review.
