Avoiding Privilege Escalation: Best Practices for Securing Azure AD Applications


If you are a cybersecurity enthusiast, then you must have heard of the recent insecure anti-pattern found in Azure AD applications. Thanks to Descope’s vigilant reporting, Microsoft is now on the ball, developing mitigations for this security issue. It’s a reminder that even the smallest overlook can potentially create a loophole big enough for unauthorized access and data leakage. Buckle up, we’re about to dive into the details!

The Risk with Email Claim

Email claims from access tokens have been a handy tool for authorization. However, it appears that using them can lead to an escalation of privilege. An attacker, with just the right know-how, can falsify the email claim in tokens issued to applications. If an application then uses that claim to look up the user, the result can be unauthorized access and data leakage.

Therefore, Microsoft suggests taking a backseat with email claims when it comes to authorization. In fact, if you’ve been using the email claim for authorization or primary user identification, your application may be at risk of account and privilege escalation attacks.

The Developer’s Defense

Microsoft is encouraging developers to review their application’s authorization business logic. This step will protect applications from unauthorized access. Microsoft has also put together some best practices for token validation on their identity platform. These should be followed religiously to ensure safety. And if you’re using third-party applications, it’s best to confirm that your vendors also stick to these practices.

Keeping a Check on your Application’s Source Code

It’s crucial to regularly review your application’s source code. Specifically, look for places where emails might be used for primary user identification or authorization. These practices expose your application to the risk of account escalation attacks.

How Are the Customers Affected?

Microsoft has been proactive, identifying several multi-tenant applications whose users carry an email address from an unverified domain owner. Application owners have been notified and provided with guidance. If you did not receive a notification, your application most likely does not consume email claims from unverified domain owners. As a further safeguard, Microsoft is omitting such claims from the tokens of unverified domain owners.

The Technical Nitty-Gritty

The vulnerability stems from AAD users who do not have a provisioned mailbox. Their Mail attribute can be set to any email address, which need not belong to a verified domain. If a rogue admin in one tenant modifies an AAD user with an impersonated email address, and an application uses that unverified email claim for authorization, we are looking at potential unauthorized access. The risk magnifies with multi-tenant applications, where the attacker's tenant and the victim's tenant share the same application.

Securing Azure AD Applications

Applications should abandon the use of email claims for authorization, because the email claim is both mutable and non-unique. Microsoft recommends going through the documentation that provides guidance on migrating away from email claim usage. Developers should religiously follow the best practices for claims-based authorization, especially if their application is currently affected.
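To make the mechanism described under "The Technical Nitty-Gritty" and the migration advice above concrete, here is an added example (not code from the original article, Microsoft or Descope) that places the vulnerable email-based user lookup beside a hardened lookup keyed on the immutable tenant id (tid) and object id (oid) claims. The user store and the token claims are constructed; the claims are assumed to have already passed signature, issuer, audience and expiry validation by a JWT library. The xms_edov check at the end refers to Azure AD's optional "email domain owner verified" claim, which the article does not mention and which an app must request explicitly; treat that helper as an assumption about your tenant's configuration.

```python
"""Email-claim authorization anti-pattern beside an immutable-id lookup.

Constructed example: USERS, the claims dicts and all ids below are made up.
Assumes the token's signature, issuer, audience and expiry were already
validated (e.g. with a JWT library) before these functions are called.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    tenant_id: str   # Azure AD tid claim of the home tenant
    object_id: str   # Azure AD oid claim, immutable per user per tenant
    email: str       # mutable, unverified Mail attribute
    role: str


# Constructed user store for a multi-tenant application.
USERS = [
    User("tenant-A", "oid-1111", "alice@contoso.example", "admin"),
    User("tenant-B", "oid-2222", "bob@fabrikam.example", "reader"),
]


def lookup_by_email_vulnerable(claims: dict) -> Optional[User]:
    """Anti-pattern: keys the account on the mutable email claim.

    A user in another tenant whose Mail attribute was set to alice's address
    resolves to alice's admin record.
    """
    email = (claims.get("email") or "").lower()
    for user in USERS:
        if user.email.lower() == email:
            return user
    return None


def lookup_by_immutable_id(claims: dict) -> Optional[User]:
    """Hardened: keys the account on tid + oid.

    oid is only unique within a tenant, so the pair is required; a token
    minted for tenant-B can never carry tenant-A's tid.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # treat a token without both ids as unusable
    for user in USERS:
        if user.tenant_id == tid and user.object_id == oid:
            return user
    return None


def email_is_domain_verified(claims: dict) -> bool:
    """Assumption: the optional xms_edov claim, when requested, is True only
    when the tenant owns the email's domain. Use the email for display or
    matching only when this returns True; never as the primary key."""
    return claims.get("xms_edov") is True


# Constructed tokens. SPOOFED: a tenant-B user whose Mail attribute was
# pointed at alice's address; LEGIT: alice's own token from tenant-A.
SPOOFED_CLAIMS = {"tid": "tenant-B", "oid": "oid-9999",
                  "email": "alice@contoso.example"}
LEGIT_CLAIMS = {"tid": "tenant-A", "oid": "oid-1111",
                "email": "alice@contoso.example", "xms_edov": True}


def authorize(claims: dict, hardened: bool = True) -> str:
    """Return the role granted to the token, or 'denied'."""
    finder = lookup_by_immutable_id if hardened else lookup_by_email_vulnerable
    user = finder(claims)
    return user.role if user else "denied"


if __name__ == "__main__":
    print("vulnerable, spoofed token:", authorize(SPOOFED_CLAIMS, hardened=False))
    print("hardened,   spoofed token:", authorize(SPOOFED_CLAIMS))
    print("hardened,   legit token:  ", authorize(LEGIT_CLAIMS))
```

When migrating an existing user table, store tid and oid alongside the email on first sign-in and switch lookups to that pair; the email column then becomes display data that can be refreshed from the token only when the domain-verified check passes.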

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
