Your MFA Is Useless: The Entra ID Attack Nobody Audits
Published 3 months ago
Description
(00:00:00) The MFA Illusion
(00:00:00) Consent Bypassing MFA
(00:00:54) The Power of OAuth Consent
(00:02:08) Persistence and Refresh Tokens
(00:02:27) Admin Consent: The Ultimate Key
(00:05:47) The Three Non-Negotiable Controls
(00:12:11) Case Study: MFA Fails to Stop OAuth Attacks
(00:16:48) Detection and Remediation Strategies
(00:25:06) Hardening and Ongoing Monitoring
(00:28:37) The Consent Control Key Takeaway
This episode is a drill for security leaders, identity admins, and anyone running Microsoft 365 / Entra (Azure AD). We walk through how attackers weaponize OAuth consent—not password theft—to gain persistent access to email, files, and directory data without triggering traditional MFA defenses. You’ll hear a full breakdown of:
- What illicit consent grants really are
- How refresh tokens and offline_access keep attackers in even after you reset passwords
- The three Entra controls that collapse most of this attack surface
- How to detect, prove, and remediate malicious OAuth grants in your tenant
- What Illicit OAuth Consent Grants Actually Are
  - Why this is authorization abuse, not credential theft
  - How a “harmless” Microsoft consent screen turns into:
    - Mail.Read / Mail.ReadWrite → inbox and attachment visibility
    - Files.Read.All / Files.ReadWrite.All → SharePoint & OneDrive sweep
    - Directory.ReadWrite.All → identity pivot and tenant tampering
  - Why MFA doesn’t fire: the app acts with your delegated permissions, using tokens, not logins
- The critical role of offline_access as a persistence flag
- How refresh tokens keep minting new access tokens long after you:
  - Reset passwords
  - Enforce MFA
  - “Force sign-out” for a user
- Why OAuth consent lives in a different lane:
  - User authentication events vs. app permission events
- Why revoking the grant beats resetting the password every time
- Delegated vs. application permissions:
  - Delegated: act as the user
  - Application: act as a service, often tenant-wide
- Lock Down User Consent
  - Disable user consent entirely or
  - Allow only verified publishers and low-risk scopes
  - Exclude: offline_access, Files..All, Mail.ReadWrite, Directory.
- Require Verified Publishers
  - Only apps with Verified Publisher status can receive user consent
  - Force attackers into admin consent lanes where visibility and scrutiny are higher
- Enable & Enforce Admin Consent Workflow
  - Route risky scope requests (Mail.Read, Files.ReadWrite.All, Directory.ReadWrite.All, etc.) into a structured approval process
  - Require justification, business owner, and expiry for approvals
  - Use permission grant policies and least privilege as the default
- User approves a “Productivity Sync” app with Mail.Read + offline_access
- Attacker uses Microsoft Graph to read mail and pull attachments—quietly
- Blue team resets password, enforces MFA, forces sign-out
- App keeps working because the OAuth grant and refresh token still exist
- The only real fix: revoke the OAuth grant / service principal permissions
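To make the "detect and prove" step concrete, here is an added triage script (not from the episode or from Microsoft) that walks a list of consent grants in the shape of Graph's oAuth2PermissionGrant objects and flags the ones the episode calls out: risky delegated scopes, offline_access as the persistence flag, and tenant-wide (AllPrincipals) consent. The grant records are constructed sample data that mirror the "Productivity Sync" case study; the app and user ids are placeholders.

```python
import json

# Scopes the episode singles out as high-risk when granted to a user-consented app.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
}
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample in the shape of Graph's oAuth2PermissionGrant objects:
# clientId is the app's service principal id, scope is a space-separated list.
# Ids below are placeholders, not real tenant values.
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "g1", "clientId": "sp-productivity-sync", "consentType": "Principal",
     "principalId": "user-alice", "scope": "Mail.Read offline_access"},
    {"id": "g2", "clientId": "sp-teams-addin", "consentType": "Principal",
     "principalId": "user-bob", "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-backup-tool", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.All offline_access"},
]})


def triage_grants(raw_json):
    """Return the grants that need review, each with the reasons it was flagged."""
    findings = []
    for g in json.loads(raw_json)["value"]:
        scopes = set(g.get("scope", "").split())
        reasons = []
        risky = sorted(scopes & RISKY_SCOPES)
        if risky:
            reasons.append("risky scopes: " + ", ".join(risky))
        if PERSISTENCE_SCOPE in scopes:
            # Refresh token keeps minting access tokens after a password reset or MFA push.
            reasons.append("offline_access (refresh token survives password reset)")
        if g.get("consentType") == "AllPrincipals":
            reasons.append("tenant-wide grant (AllPrincipals)")
        if reasons:
            findings.append({"grant_id": g["id"], "client": g["clientId"],
                             "principal": g.get("principalId"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS):
        print(f["grant_id"], f["client"], "->", "; ".join(f["reasons"]))
```

The grant_id in each finding is the object you would revoke in the tenant, which is the remediation the episode recommends over another password reset.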