Recently, cybersecurity company Wiz discovered a misconfiguration in how several Microsoft applications used Azure Active Directory (AAD). The misconfiguration let users from outside Microsoft's own tenant sign in to those applications, and in one case could have led to a Bing.com takeover.
What is Azure Active Directory:
Azure Active Directory (AAD) is Microsoft's cloud-based identity and access management (IAM) service. AAD is commonly used to authenticate users to Azure applications and supports several account-access modes, one of which is multi-tenant access. A multi-tenant app accepts sign-ins from users of any Azure tenant, so if the app does not restrict which tenants it trusts, AAD will issue a valid OAuth token to any user of any tenant, and the app will accept it. That is the security risk at the heart of this finding.
How the Microsoft authorization misconfiguration was identified
Wiz researchers found that several of Microsoft's internal applications accepted logins from users of any Azure tenant, and demonstrated the exposure by using one such application to alter Bing search results.
They also carried out XSS (cross-site scripting) attacks against Bing, which showed that once the authorization misconfiguration was exploited, the Microsoft Office 365 data of users visiting Bing was exposed.
The exposed user data included:
- Email addresses
- SharePoint documents
- Chat messages
- Outlook emails
- Calendar entries
- OneDrive files
Azure App Service offers built-in authentication (single sign-on, SSO) backed by AAD. An app registration can accept accounts from a single tenant, from any tenant (multi-tenant), from any tenant plus personal Microsoft accounts, or from personal Microsoft accounts only; this is selected by the registration's signInAudience value (AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount).
A valid signature from Microsoft's identity platform only proves that some tenant's user authenticated, not that your organization's user did. To mitigate the risk of unauthorized access to multi-tenant applications, developers must verify the caller's home tenant (the tid claim, and the matching tenant in the iss claim) and enforce an access policy on it.
If your app needs to grant external tenant access, consider the following options:
- Require user assignment (the enterprise application's "Assignment required" setting) or use conditional access policies to limit access to authorized users only.
- Implement claims-based authorization logic in your application code: check the tid and iss claims of every token against an allow-list of tenants, and reject everything else.
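The claim check from the second option, as an added example written for this page (it is not Wiz's or Microsoft's code). The tenant allow-list, the audience value `api://example-internal-app` and the three sample tokens are constructed for the example; the tokens are unsigned, because real AAD tokens are RS256-signed with Microsoft's keys and this example assumes signature and key-set validation already happened upstream (App Service built-in auth or JWT middleware). The point it shows is that a token from a foreign tenant is otherwise indistinguishable from a home-tenant token, so the `tid`/`iss` check is what actually closes the hole:

```python
import base64
import json
import time

# Assumed values for this example (not from the Wiz write-up or Microsoft docs):
# the tenants allowed to use this app and the app's own audience identifier.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
EXPECTED_AUDIENCE = "api://example-internal-app"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.

    Signature and key-set validation are assumed to happen earlier (App Service
    built-in auth or JWT middleware); this only reads the claims the tenant
    check below needs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def authorize_tenant(claims: dict, allowed_tenants=ALLOWED_TENANTS,
                     audience=EXPECTED_AUDIENCE, now=None):
    """Decide whether an already signature-validated AAD token may use this app.

    Returns (allowed, reason). The key check is that `tid` is on the allow-list
    and that `iss` names that same tenant, so a token minted for another tenant
    (which AAD will happily issue for a multi-tenant app) is rejected.
    """
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim"
    if tid not in allowed_tenants:
        return False, f"tenant {tid} is not allowed"
    # v2.0 tokens carry the tenant in the issuer; it must agree with tid.
    # (v1.0 tokens use https://sts.windows.net/{tid}/ instead.)
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match tid"
    return True, "ok"


def make_demo_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens: one from the home tenant, one from a foreign tenant
# that an unrestricted multi-tenant registration would also accept, and one whose
# tid is on the allow-list but whose issuer is another tenant.
NOW = 1_700_000_000
HOME_TID = "11111111-1111-1111-1111-111111111111"
FOREIGN_TID = "22222222-2222-2222-2222-222222222222"
_common = {"aud": EXPECTED_AUDIENCE, "exp": NOW + 3600,
           "preferred_username": "user@example.com"}
HOME_TOKEN = make_demo_token({**_common, "tid": HOME_TID,
                              "iss": f"https://login.microsoftonline.com/{HOME_TID}/v2.0"})
FOREIGN_TOKEN = make_demo_token({**_common, "tid": FOREIGN_TID,
                                 "iss": f"https://login.microsoftonline.com/{FOREIGN_TID}/v2.0"})
SPOOFED_TOKEN = make_demo_token({**_common, "tid": HOME_TID,
                                 "iss": f"https://login.microsoftonline.com/{FOREIGN_TID}/v2.0"})


def check_token(token: str):
    """Claims extraction plus tenant authorization, with a fixed clock for the demo."""
    return authorize_tenant(unverified_claims(token), now=NOW)


if __name__ == "__main__":
    for name, tok in [("home", HOME_TOKEN), ("foreign", FOREIGN_TOKEN),
                      ("spoofed", SPOOFED_TOKEN)]:
        print(name, check_token(tok))
```

The same restriction can usually be expressed in the token-validation middleware instead of hand-written code (for example a list of valid issuers in the JWT validation parameters of an ASP.NET app); either way, the allow-list of tenants is the control, and a multi-tenant registration without it is equivalent to "anyone with an Azure account may sign in".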