Investigation of MFA bypass using Microsoft Graph API.
The Microsoft Graph API is a unified API endpoint provided by Microsoft that allows developers to access data and services across the entire Microsoft 365 platform, including Azure Active Directory (Azure AD, now Entra ID), SharePoint, OneDrive, Outlook, Teams, and more. It is an essential tool for building applications that interact with the Microsoft 365 ecosystem, offering a single endpoint (https://graph.microsoft.com) to access and manage a wide range of resources and services.
Authentication to Entra ID using the Microsoft Graph API. There are a handful of ways to authenticate to Entra ID through the Microsoft Graph API, including:
- Microsoft Graph REST API: this mechanism uses direct HTTP requests to the Microsoft Graph endpoint (https://graph.microsoft.com) from any programming language or tool that supports HTTP. Although it is plain HTTP, every request must carry an access token, which in turn requires creating a service principal and generating a client secret for it. The service principal must also be granted the right permissions before it can authenticate to Azure.
- Microsoft Graph PowerShell module: this option authenticates to Entra ID with PowerShell cmdlets. Different flags select different authentication routes, and each route requires either user credentials or an Azure service principal.
In the case of the user routes, under the current configuration, the organization's tenancy requires all users to complete MFA before a successful authentication to Entra ID. This means that regardless of the authentication mechanism, MFA is still required to authenticate to Entra ID when signing in through a user route.
- Graph Explorer: a web-based tool provided by Microsoft that allows you to interactively test Microsoft Graph API requests and view responses. This mechanism uses a GUI and also requires MFA.
All of the above authentication mechanisms were tested, and all prompted for MFA.
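As an added example (not part of the original investigation), the same question answered by hand above, "was MFA enforced?", can be asked of the tenant's sign-in logs. The records below are constructed sample data shaped like the `GET /v1.0/auditLogs/signIns` response, and the `GRAPH_CLIENTS` display names are an assumption to be checked against your own logs.

```python
"""Flag successful single-factor user sign-ins to Microsoft Graph clients.

Added example, not part of the original investigation: it asks the same
question the write-up answered by hand (was MFA enforced?) of sign-in log
records shaped like GET /v1.0/auditLogs/signIns. Records are constructed.
"""
from urllib.parse import quote

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0"
# appDisplayName values Entra ID logs for the Graph clients discussed above
# (assumption: check what your own tenant's logs show and adjust).
GRAPH_CLIENTS = {"Graph Explorer", "Microsoft Graph Command Line Tools"}

# Constructed sample records: real field names, made-up users and outcomes.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Graph Command Line Tools",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},  # MFA enforced
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Graph Explorer",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},  # success, no MFA
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Graph Explorer",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},  # bad password
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},  # not a Graph client
]


def signins_url(since_utc):
    """REST query for sign-ins since an ISO-8601 UTC timestamp (the request
    still needs a bearer token with AuditLog.Read.All, as the REST section notes)."""
    return f"{GRAPH_ENDPOINT}/auditLogs/signIns?$filter=" + quote(f"createdDateTime ge {since_utc}", safe="")


def single_factor_graph_signins(signins):
    """Successful user sign-ins to Graph clients where MFA was not required.

    /auditLogs/signIns holds interactive user sign-ins only; the service
    principal (client secret) route is an application sign-in, logged
    separately, and never involves MFA, so it is outside this check.
    """
    return [
        s for s in signins
        if s.get("appDisplayName") in GRAPH_CLIENTS
        and s.get("status", {}).get("errorCode") == 0
        and s.get("authenticationRequirement") == "singleFactorAuthentication"
    ]


if __name__ == "__main__":
    for hit in single_factor_graph_signins(SAMPLE_SIGNINS):
        print(f"NO MFA: {hit['userPrincipalName']} via {hit['appDisplayName']}")
```

An empty result over a real export is the log-side confirmation of the manual test above; any hit names a user session that reached Graph without a second factor and merits a look at how that sign-in was excluded.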
Even though the Microsoft Graph API is configured on our tenancy, I attempted enabling conditional access and got the result below.
https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade
CONCLUSION: Based on the investigation and the above screenshot, the organization is presently leveraging Microsoft's recommended MFA security defaults. Microsoft notes that 99.9% of account compromises could be stopped by using MFA, which is a feature that security defaults provide.
The recommendation is to continue leveraging Microsoft's default MFA (security defaults) rather than building a custom conditional access policy.