The promise of Microsoft Azure Active Directory’s Conditional Access is a strong one: to protect your company by restricting access to cloud and on-premises apps to authorized users and devices, on the basis of policies you define.

However, as is often the case, hackers have found ways around these protections.

Here is a short guide that answers two questions: what is Azure AD Conditional Access? How can hackers bypass it?

What is Azure Active Directory Conditional Access?

Conditional Access is a cornerstone of a company’s zero trust policy for cloud security.

Conditional Access adds a security layer by restricting access to apps to trusted users and devices that meet certain criteria. It works by evaluating contextual signals about each sign-in (who the user is, what device and platform they use, where they connect from, how risky the sign-in looks) and then applying the rules an administrator has defined.

It’s therefore essential to set the rules up correctly, and to define what happens when a sign-in fails to meet them.

[Figure from the Microsoft website]

How can hackers bypass Azure AD’s Conditional Access?

Once a hacker has obtained credentials and tries to sign in, they will be confronted with an error message if a policy blocks them.

The key for the hacker is therefore to analyze the error message the system returns on a failed sign-in. It provides insight into which policy is preventing the log-in: an outright block, a demand for multi-factor authentication and a demand for a compliant or domain-joined device each produce a different, documented error code, so the attacker learns which control they have to defeat next.
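The following is an added example, not code from the original article, showing how the error response from a failed token request is turned into the name of the blocking control. The AADSTS codes in the table are Microsoft’s documented error codes; the JSON responses at the bottom are constructed samples in the shape the login.microsoftonline.com token endpoint returns (the trace ID is a dummy), not captured traffic.

```python
"""Name the Conditional Access control behind a failed Azure AD token request.

Added example, not code from the original article. The AADSTS codes in the table
are Microsoft's documented error codes; the JSON responses at the bottom are
constructed samples in the shape the login.microsoftonline.com token endpoint
returns (trace IDs are dummies), not captured traffic.
"""
import json
import re

# Codes that a Conditional Access policy surfaces when it blocks a sign-in or
# demands an additional control. Each one names the control that stopped the
# sign-in, which is exactly the information leak the article describes.
CONDITIONAL_ACCESS_CODES = {
    50076: "mfa",                   # policy requires multi-factor authentication
    50079: "mfa-enrollment",        # user must first register for MFA
    50158: "external-mfa",          # a third-party MFA provider must be satisfied
    53000: "compliant-device",      # device is not marked compliant by Intune
    53001: "domain-joined-device",  # device is not hybrid Azure AD joined
    53003: "block",                 # a policy denies token issuance outright
}

AADSTS_RE = re.compile(r"AADSTS(\d{5})")


def classify_token_error(response_body: str) -> dict:
    """Parse a token endpoint response and report which control, if any, blocked it.

    Returns {"issued": bool, "code": int | None, "control": str | None}.
    A response carrying an access token passed every policy. An error whose code
    is not in the table (wrong password, locked account, ...) is returned with
    control=None so it is not mistaken for a policy decision.
    """
    body = json.loads(response_body)
    if "access_token" in body:
        return {"issued": True, "code": None, "control": None}
    codes = [int(c) for c in body.get("error_codes", [])]
    # The code also prefixes error_description; fall back to it if error_codes is absent.
    match = AADSTS_RE.search(body.get("error_description", ""))
    if match and int(match.group(1)) not in codes:
        codes.insert(0, int(match.group(1)))
    for code in codes:
        if code in CONDITIONAL_ACCESS_CODES:
            return {"issued": False, "code": code, "control": CONDITIONAL_ACCESS_CODES[code]}
    return {"issued": False, "code": codes[0] if codes else None, "control": None}


# Constructed sample responses (not real captures).
SAMPLE_BLOCKED = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS53003: Access has been blocked by Conditional Access "
                         "policies. The access policy does not allow token issuance. "
                         "Trace ID: 00000000-0000-0000-0000-000000000000",
    "error_codes": [53003],
})
SAMPLE_MFA_REQUIRED = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your "
                         "administrator, or because you moved to a new location, you "
                         "must use multi-factor authentication to access this resource.",
    "error_codes": [50076],
})
SAMPLE_BAD_PASSWORD = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid "
                         "username or password.",
    "error_codes": [50126],
})

if __name__ == "__main__":
    for label, sample in [("blocked", SAMPLE_BLOCKED), ("mfa", SAMPLE_MFA_REQUIRED),
                          ("bad password", SAMPLE_BAD_PASSWORD)]:
        print(f"{label:>12}: {classify_token_error(sample)}")
```

The same distinction serves the defender: the sign-in logs record these failures with the same codes, so a run of 53003 or 50076 failures for one account, from a client that never goes on to complete MFA, is reconnaissance worth alerting on.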

But first of all, a hacker needs credentials.

Obtaining credentials

Hackers have multiple techniques to get credentials:

  • Phishing: hackers can use spear-phishing and clone legitimate log-in pages, which lets them gather their targets’ credentials
  • Purchases on the dark web: when a hacker doesn’t want to bother gathering credentials themselves, they rely on specialized groups (Initial Access Brokers) who sell access to companies on the dark web. A hacker therefore only needs a credit card (or, more often, cryptocurrency) to make the purchase. For example, one can find ads on the dark web listing companies from various countries (Jordan, Thailand, Saudi Arabia…) with their number of employees, revenue, type of access and a price. Sometimes only credentials are sold (which is cheaper than full access)
  • Password guessing: finally, if they don’t want to buy or phish, hackers can sometimes simply guess passwords, by brute force or by password spraying (a few common passwords tried against many accounts, to stay under lockout thresholds)

Once they have these credentials, they can turn to bypassing Conditional Access.

Step 1 to bypass Conditional Access: exploiting set-up mistakes

As with every cybersecurity solution, a tool is only effective if it’s deployed correctly (this is true for every tool, from anti-spam to awareness training to multi-factor authentication).

Among the set-up mistakes we often see, two stand out:

  • Exclusion groups: it’s good practice to keep one or two emergency (break-glass) accounts outside Conditional Access, so that you can still sign in quickly and securely if a policy locks everyone else out. That being said, in a lot of companies these exclusion groups aren’t maintained: we end up seeing users in them who don’t need this privilege, users who’ve left the company… Every such account is a way around every policy that excludes the group, so membership should be reviewed regularly and sign-ins by these accounts should be monitored.
  • Poorly defined block policies: Conditional Access works by defining conditions and assigning a control (block, or require MFA, a compliant device…) that applies when they are met. But it’s important to actually set up and enable that control: a policy left disabled or in report-only mode, or with conditions but no control, enforces nothing and makes the hacker’s life easier
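As an added example (not code from the original article), the audit below checks policy definitions for both mistakes. The policies use the field names of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users.excludeUsers / excludeGroups, grantControls.builtInControls) but are constructed; the user directory, the group membership and the approved break-glass list are assumptions made for the demonstration. Real Graph data references users and groups by object ID; UPNs and short group names are used here for readability.

```python
"""Audit Conditional Access policies for unmaintained exclusion groups and for
policies whose control never takes effect.

Added example, not code from the original article. Policies follow the Graph
conditionalAccessPolicy field names but are constructed; the directory, group
membership and break-glass allow-list are assumptions. UPNs stand in for the
object IDs real Graph data uses.
"""

# Constructed directory view (assumed, not real).
USERS = {
    "breakglass1@contoso.example": {"accountEnabled": True},
    "jdoe@contoso.example": {"accountEnabled": True},           # ordinary user
    "former.admin@contoso.example": {"accountEnabled": False},  # left the company
    "helpdesk@contoso.example": {"accountEnabled": True},
}
GROUP_MEMBERS = {
    "grp-breakglass": ["breakglass1@contoso.example", "jdoe@contoso.example",
                       "former.admin@contoso.example"],
    "grp-helpdesk": ["helpdesk@contoso.example"],
}
# The only accounts allowed to sit outside Conditional Access (assumed allow-list).
APPROVED_BREAK_GLASS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}

# Constructed policies in Graph conditionalAccessPolicy shape.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": ["grp-breakglass"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",          # report-only: never blocks
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Untrusted locations", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["helpdesk@contoso.example"],
                              "excludeGroups": []}},
     "grantControls": None},                                 # conditions, no control
]


def audit_policies(policies, users, group_members, approved):
    """Return (policy name, finding type, detail) tuples for every problem found."""
    findings = []
    for policy in policies:
        name = policy["displayName"]
        # Mistake 2a: a disabled or report-only policy enforces nothing.
        state = policy.get("state")
        if state != "enabled":
            findings.append((name, "not-enforced", f"state is {state}"))
        # Mistake 2b: conditions are defined but no grant control (block / require).
        grant = policy.get("grantControls") or {}
        if not grant.get("builtInControls"):
            findings.append((name, "no-grant-control",
                             "conditions match but no block/require control is set"))
        # Mistake 1: every excluded account is a way around this policy; review them.
        cond_users = policy.get("conditions", {}).get("users", {})
        excluded = [(upn, "direct") for upn in cond_users.get("excludeUsers", [])]
        for group in cond_users.get("excludeGroups", []):
            excluded += [(upn, group) for upn in group_members.get(group, [])]
        for upn, via in excluded:
            if not users.get(upn, {}).get("accountEnabled", True):
                findings.append((name, "stale-exclusion",
                                 f"{upn} (via {via}) is disabled but still excluded"))
            elif upn not in approved:
                findings.append((name, "unapproved-exclusion",
                                 f"{upn} (via {via}) is not an approved break-glass account"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit_policies(POLICIES, USERS, GROUP_MEMBERS, APPROVED_BREAK_GLASS):
        print(f"[{kind}] {name}: {detail}")
```

On the constructed data this reports five findings: the report-only policy that never blocks, the location policy with no control, a disabled ex-employee and an ordinary user still in the break-glass group, and a helpdesk account excluded directly. The approved break-glass account produces no finding, which is the point: the exclusion itself is fine, its drift is not.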

Step 2 to bypass Conditional Access: bypassing access conditions

Access conditions are the first filter. One example is a requirement to connect from pre-approved IP addresses (a particularly cumbersome one for users, as we will see).

For a hacker, these initial conditions must be satisfied. And they can be: the technique depends on the condition in use.

Here’s an overview of some access conditions and the tactics hackers can use to bypass them.

User sign-in

  • This condition (sign-in risk) compares the sign-in with the user’s normal behavior: a new country, or an anonymizing proxy or VPN that masks the IP address, for example
  • Hackers have to do some research and use the right tools to imitate the normal behavior of the user whose credentials they hold as closely as possible: signing in from the user’s usual country, for example, and not through an anonymizing service that masks the IP address

Device platform

  • This condition is based on the device’s operating system
  • It is easy to bypass because it relies on the User-Agent string sent by the client, which can be freely edited: Conditional Access interprets the User-Agent to determine the operating system, so a hacker can set it to a string that matches the required platform

Location

  • This condition is based on the IP address: the admin can limit sign-ins to certain IP addresses (named locations) or to certain countries
  • If the condition is limited to countries, hackers can get around it with a VPN exit in the right country. If the condition is a restriction to specific IP addresses, they have to route through one of those addresses, for example by first gaining a foothold on the company network (the same property that makes this condition cumbersome for legitimate remote users)
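The detection side of the three conditions above, as an added example that is not code from the original article: a pass over sign-in log entries that flags a scripted client, a User-Agent that changes from a blocked attempt to a successful one from the same IP (the probe-then-spoof pattern), and a platform or country that shifts within a short window. The entries use the field names of the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, deviceDetail.operatingSystem, userAgent, conditionalAccessStatus) but are constructed; the one-hour window and the list of scripted-client markers are assumptions of this example, and the rules are heuristics that a legitimate user on a VPN can also trip.

```python
"""Flag sign-ins whose User-Agent, platform or location shifts in a way that
suggests a rewritten User-Agent or a VPN exit.

Added example, not code from the original article. Entries use Graph signIn
field names but are constructed; WINDOW and SCRIPTED_CLIENTS are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)                                          # assumed
SCRIPTED_CLIENTS = ("python-requests/", "curl/", "Go-http-client/")  # assumed markers

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.50")

# Constructed sign-in log entries (not real data). jdoe: a scripted probe is
# blocked, then the same IP returns with a browser User-Agent and succeeds.
# asmith: platform and country both change within half an hour.
SIGN_INS = [
    {"userPrincipalName": "jdoe@contoso.example", "createdDateTime": "2023-06-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"},
     "deviceDetail": {"operatingSystem": "Windows10"}, "userAgent": BROWSER_UA,
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "jdoe@contoso.example", "createdDateTime": "2023-06-01T08:20:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "FR"},
     "deviceDetail": {"operatingSystem": ""}, "userAgent": "python-requests/2.31.0",
     "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "jdoe@contoso.example", "createdDateTime": "2023-06-01T08:25:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "FR"},
     "deviceDetail": {"operatingSystem": "Windows10"}, "userAgent": BROWSER_UA,
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "asmith@contoso.example", "createdDateTime": "2023-06-01T09:00:00Z",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "DE"},
     "deviceDetail": {"operatingSystem": "Android"},
     "userAgent": "Mozilla/5.0 (Linux; Android 13)", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "asmith@contoso.example", "createdDateTime": "2023-06-01T09:30:00Z",
     "ipAddress": "203.0.113.99", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "MacOs"},
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)", "conditionalAccessStatus": "success"},
]


def parse_ts(value: str) -> datetime:
    """Graph timestamps end in 'Z'; make them timezone-aware for comparison."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(sign_ins):
    """Return (upn, rule, detail) tuples for suspicious sign-ins."""
    findings = []
    rows = sorted(sign_ins, key=lambda r: (r["userPrincipalName"], parse_ts(r["createdDateTime"])))
    for row in rows:
        ua = row.get("userAgent", "")
        # Non-browser clients are how the error-message reconnaissance is usually done.
        if any(marker in ua for marker in SCRIPTED_CLIENTS):
            findings.append((row["userPrincipalName"], "scripted-client", ua))
    for prev, cur in zip(rows, rows[1:]):
        upn = cur["userPrincipalName"]
        if prev["userPrincipalName"] != upn:
            continue
        if parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"]) > WINDOW:
            continue
        os_prev = prev["deviceDetail"].get("operatingSystem", "")
        os_cur = cur["deviceDetail"].get("operatingSystem", "")
        if os_prev and os_cur and os_prev != os_cur:
            findings.append((upn, "platform-shift", f"{os_prev} -> {os_cur}"))
        c_prev = prev["location"].get("countryOrRegion")
        c_cur = cur["location"].get("countryOrRegion")
        if c_prev and c_cur and c_prev != c_cur:
            findings.append((upn, "country-shift", f"{c_prev} -> {c_cur}"))
        # Same IP, failure then success, different User-Agent: the probe-then-spoof pattern.
        if (prev["ipAddress"] == cur["ipAddress"]
                and prev["conditionalAccessStatus"] == "failure"
                and cur["conditionalAccessStatus"] == "success"
                and prev["userAgent"] != cur["userAgent"]):
            findings.append((upn, "ua-change-after-failure",
                             f"{cur['ipAddress']}: {prev['userAgent']!r} -> {cur['userAgent']!r}"))
    return findings


if __name__ == "__main__":
    for upn, rule, detail in detect(SIGN_INS):
        print(f"[{rule}] {upn}: {detail}")
```

The ua-change-after-failure rule is the most specific of the four: a legitimate user rarely fails a platform check from a scripted client and then succeeds from the same address five minutes later with a browser User-Agent. The platform-shift and country-shift rules are noisier and are best treated as enrichment for an analyst rather than as stand-alone alerts.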

Step 3 to bypass Conditional Access: bypassing access controls

Once the access conditions have been satisfied (or bypassed), access might be granted.

But sometimes hackers are then faced with access controls. These are a second layer: once the access conditions are met, the policy demands an additional control, and if it cannot be satisfied the connection is refused.

Among the access controls to satisfy (and bypass), we can highlight:

Multi-factor authentication (MFA)

MFA is probably the most widely used access control. It adds a layer of protection by requiring a second authentication through an alternative channel (push notification on a mobile device, one-time code received via text message…). This is an excellent policy to adopt, but it can be bypassed:

  • Through adversary-in-the-middle attacks using tools like Evilginx, a reverse proxy that mimics the log-in page while relaying the user’s actions (including the typing of a one-time code) to the real service, in order to steal the session cookie issued once MFA has been satisfied; replaying that cookie grants access without triggering MFA again
  • By using social engineering to obtain the one-time codes sent via text message
  • By using “MFA bombing” (MFA fatigue), as in the 2022 Uber attack: the victim was sent a large number of MFA push notifications as well as a WhatsApp message from the hackers, posing as Uber’s IT team, asking them to approve the notifications, which ultimately gave the hackers access to the account

Hybrid Azure AD joined device

  • This control applies to devices that are joined to your on-premises Active Directory and registered in Azure Active Directory
  • The best option for hackers is to run the attack from inside the network, since the device needs network line-of-sight to your domain controllers to be recognized as valid. For example, hackers can deploy malware on an employee’s hybrid-joined device and conduct the attack from it

Intune compliant device

  • This control is based on the device’s compliance with Microsoft Intune (Microsoft’s device management tool) policies, which Intune calls compliance policies
  • To bypass this control, the device must appear compliant with the company’s Intune policies. To achieve this, hackers can either run the attack from an already-enrolled device on-premises, or use tools to register a fake device in Azure AD and enroll it in Intune so that it reports as compliant. Finally, it’s always possible for them to deploy malware on a compliant device and run the attack from there

Conclusion

Azure AD Conditional Access adds real guarantees about who and what can access your applications.

That being said, its set-up needs care, and it is not fail-proof: the error messages the system returns give hackers precious indications about which policy blocked them, and the conditions themselves can be bypassed in the ways described above.