Category: Azure

Posted on

Beyond User Accounts: Why Penetration Testers Must Treat Azure Applications as First-Class Identities

As penetration testers, red teamers and cyber security professionals, we’re accustomed to thinking about identity in Azure as synonymous with user accounts. But in the modern cloud, identity extends far beyond users — and nowhere is this more apparent than with Azure applications and service principals.

Applications in Azure AD are not just passive objects — they can be assigned roles, own secrets or certificates, and can have the ability to authenticate directly to the Microsoft Graph API. In other words, they are valid identities capable of holding privileges and accessing resources just like human users. This shift means we must broaden our threat models accordingly.

Applications as Logins

Every Azure AD application, once provisioned, comes with a service principal — an identity used to access resources. With the right permissions, these principals can:

  • Read or write to Microsoft Graph (e.g., list users, modify group memberships)
  • Query directory objects such as roles, users, groups, and devices
  • Reset user passwords if the app is assigned PrivilegedAuthenticationAdministrator or HelpdeskAdministrator
  • Access mailbox data via Mail.Read or send emails via Mail.Send
  • Control Entra ID Conditional Access policies or even register/deregister MFA settings if granted high-privilege Graph scopes

These permissions can be assigned either via delegated access (on behalf of a user) or application-level access (with no user context at all). The latter is especially dangerous, as it allows silent, background API access with no interactive login required.

Real-World Exploitation: Certificate-Based Logins

If an attacker compromises a certificate or client secret assigned to a privileged application, they can authenticate as the app via OAuth 2.0 client credential flow and obtain an access token for Graph:

POST /{tenant}/oauth2/v2.0/token
grant_type=client_credentials
client_id=APP_ID
client_secret=APP_SECRET
scope=https://graph.microsoft.com/.default

This token can then be used to enumerate users, groups, access email, or even perform password resets depending on the app’s assigned roles.

Example Scenarios

  • Helpdesk Password Resets: An app with HelpdeskAdministrator can reset passwords for non-admin users. Imagine the implications of silently resetting and impersonating a targeted user.
  • Email Exfiltration: An app granted Mail.Read could silently monitor executive inboxes or extract sensitive emails over time.
  • Persistent Access: Compromising an app with a 2-year certificate enables long-term, hard-to-detect API access without MFA or sign-in logs typical for users.

Mitigations and Takeaways

Security teams must:

  • Audit app and service principal permissions regularly.
  • Revoke unused credentials and reduce excessive Graph scopes.
  • Use certificate expirations and rotation policies.
  • Log app-based Graph accesses in Microsoft Entra logs if required.

Takeaway: Azure applications are not passive configurations — they are active identities, we must think of them differently, almost like a way to login. For attackers, they represent low-noise, high-impact avenues for persistence and privilege escalation. For defenders, this is a call to treat them with the same scrutiny as human users.

For further reading on app permissions in Microsoft Entra ID, see Microsoft’s permission and consent documentation.

Posted on

What is Attribute-Based Access Control (ABAC)?

Just when we thought we had got our heads around Role Based Access Control (RBAC) along comes Attribute-Based Access Control (ABAC). Great. ABAC is a flexible and granular access control model that evaluates attributes—characteristics associated with users, resources, and the environment—when determining whether access should be granted. Unlike Role-Based Access Control (RBAC), which relies on predefined roles with fixed permissions, ABAC allows organisations to define access policies based on dynamic combinations of attributes.

In the Azure world, ABAC is supported through the use of custom Azure roles combined with resource and request context attributes. For example, you could define a custom role that allows access to storage blobs only when the user’s department attribute matches the resource’s “department” tag. A real-world policy might say: “Grant read access to blobs if user.department equals resource.department.” This allows a single role definition to be reused across departments without hardcoding resource-level access rules.

This model is particularly useful for large-scale environments where traditional RBAC roles become unmanageable due to the explosion of permutations. ABAC helps reduce role sprawl while still enforcing strict, attribute-driven access boundaries.

Don’t let me butcher it anymore however, there is a great article on introducing ABAC via Microsoft here:
Introducing Attribute Based Access Control (ABAC) in Azure.

Posted on

Are Azure Access and Refresh Tokens the New NTLM Attack Vectors for Authentication in AD?

For years, NTLM has been the go-to protocol for attackers abusing authentication in traditional Active Directory environments. From relay attacks to password cracking and token manipulation, NTLM has seen its fair share of abuse. But as organisations shift to Microsoft’s cloud-first world—namely Azure AD—the battleground is changing.

So, the question being: Are Azure Access and Refresh Tokens becoming the new NTLM for attackers?

Lets take a look:

Access & Refresh Tokens – A Quick Primer

In Azure AD, authentication is no longer just about usernames and passwords. Instead, it’s about tokens. When a user successfully authenticates, Azure issues two important artefacts:

  • Access Tokens: Short-lived (typically 1 hour) tokens used to authenticate to specific services (e.g., Graph API, Azure Resource Manager).
  • Refresh Tokens: Longer-lived tokens (typically 90 days with sliding expiration) that can be used to obtain new access tokens without prompting the user to re-authenticate.

This modern authentication model is part of the OAuth2 and OpenID Connect stack and is deeply embedded in Microsoft’s cloud identity framework.

But here’s the catch: these tokens are just bearer tokens. Possess them, and you can use them. No passwords required.

What Makes Them Similar to NTLM?

Just like NTLM hashes, Azure tokens:

  • Can be stolen and reused.
  • Are used to authenticate without user interaction.
  • Can be passed between systems or APIs.
  • Are vulnerable to similar relay-style attacks in some flows (e.g., Device Code).

They’re not cryptographically bound to the user’s device (unless using newer Proof-of-Possession (PoP) tokens, which aren’t widely enforced, these essentially bind to a client device), which makes access and refresh tokens ripe for abuse in the same way as NTLM hashes once were.

Tooling: Weaponising the Token Landscape

Red Teamers and Pentesters now have a growing arsenal of tools to enumerate, manipulate, and reuse tokens within Azure AD environments. I have been recently using the below coupled with native tooling such as MS Graph and Azure Resource Manager where we can directly pass in the token as authentication:

  • TokenTactics – A modular toolkit for interacting with and abusing Azure access/refresh tokens. Perfect for token acquisition, manipulation, and reuse.
  • GraphySpy – Automates post-exploitation enumeration of Azure AD using valid access tokens, mapping out user privileges and group memberships.

Key Attack Vectors in Azure AD

Attackers now have multiple avenues to acquire and exploit tokens:

1. Device Code Phishing

The device code flow is designed for headless devices but has become a phishing vector. The user is tricked into authenticating via https://microsoft.com/devicelogin using a benign-looking code. Once completed, the attacker receives a refresh token linked to the victim’s session.

2. FOCI Tokens and Token Reuse

FOCI (Family of Client IDs) tokens are refresh tokens shared across multiple first-party Microsoft apps. If you obtain one, you can request access tokens for other services (e.g., from Teams to Graph to Azure Resource Manager), enabling lateral movement across cloud services.

3. Token Replay for Lateral Movement

Unlike NTLM relays in on-prem networks, attackers in Azure environments can replay access tokens across APIs, or exfiltrate refresh tokens and generate access to other services. This can be combined with enumeration techniques to identify other service principles and potentially high-privilege accounts with broader access.

4. Misconfigured Conditional Access Policies

Some Conditional Access setups allow token replay from unmanaged or untrusted devices, bypassing traditional device compliance controls. Attackers can replay tokens from their own systems without triggering alerts or prompts.

The Next NTLM?

As defenders harden NTLM usage and shift identity to Azure AD, attackers are following close behind. The abuse of Azure access and refresh tokens is quickly becoming the new frontier of identity-based attacks. We’re already seeing early signs of this trend in red team operations, with tokens increasingly providing the foothold or pivot needed to escalate access within cloud environments.

Final Thoughts

Token-based attacks aren’t theoretical anymore—they’re practical, real-world techniques that work right now in many Azure AD environments. Like NTLM before them, access and refresh tokens are becoming a focal point for both offensive security research and defensive detection engineering.

Expect to see this landscape mature rapidly over the coming months/years. And if your detection stack is still focused on failed logins and brute-force attempts, it’s time to start watching your token grants, consent flows, and refresh token usage instead.