Security boundaries should separate IT environments or solutions. However, often security boundaries are not static. They can be extended, intentionally or unintentionally. Unintended extensions can create vulnerabilities, potentially exposing sensitive data or systems. Therefore, managing these boundaries requires a dynamic approach, continuously monitoring and adjusting to ensure optimal security.

This article explores an example of how Microsoft Entra workload identities can inadvertently extend the security boundary of a Entra tenant to a foreign tenant.

What is a Security Boundary?

A security boundary is the definition of a logical or physical boundary that should separate IT environments or solutions. For a fresh Active Directory installation, the security perimeter is the forest. For Entra ID, it would be the tenant. Security boundaries can be intentionally or unintentionally extended by introducing relationships with other IT solutions that are not part of the initial implementation. Regular audits, robust protocols, and security tools can help maintain the integrity of these boundaries. Ultimately, the goal is to find a balance between accessibility and security, ensuring that the right entity has the right access at the right time. For more examples of relationships that can extend security boundaries, see the following article Attack Path Analysis.

What are Entra Workload Identities?

Entra Workload identities in the Microsoft Cloud describe non-personal accounts assigned to a workload, such as an application, service, virtual machines, script, or container, to authenticate and access other services and resources. Microsoft describes three three types of workload identities in there workload identites article.

• Application: Is global object representation of an application. It can be configured for single-tenant or multi-tenant use, allowing access to an application from outside of an organization. The latter is used for SaaS scenarios such as Exchange Online, Teams, Sharepoint Online, etc. Applications are managed through the App Registrations blade.
• Service Principal: Is the local representation of a global application object in a specific tenant. The service principal object defines what the application can actually do in a specific tenant, who can access the application, and what resources the application can access. A newly created Entra tenant has approximately 400 pre-configured service principals that correspond to applications such as Microsoft Teams, Sharepoint Online, Exchange Online, or Microsoft Graph. Creating a custom application in the Entra portal or via the API creates two entities: an application and a service principal.
• Managed Identity: A special type of service principal that eliminates the need to manage credentials. There are two subtypes. The system-assigned managed identity, which is assigned to a specific Azure-managed resource and is bound to the lifecycle of that object. The second type is called user-assigned, which is a standalone identity that can be used by multiple resources.
• Service Accounts: Another type of workload identity not mentioned by Microsoft is a service account in the form of a cloud-only or hybrid user account. Often used for third-party applications to interact with cloud applications that either do not fully support service principals or for migration purposes.

Entra Service Principal Access Management

Access for service principals to resources can be assigned with delegation or application API permissions and requires administrator or user consent.

• Delegated API Permissions: allows the application to gain access on behalf of the logged-in user. This is most often used for interactive sessions and is limited to the scope of the specific user.
• Application API Permissions: allows the application to access a resource without a logged in user and is typically used for background or automated workflows.

Entra API Permissions

API permissions authorize the service principal from the application to call other public APIs if consented by users or administrators. API permissions often come in the Resource.Operation.Constraint scope format. For example, Directory.Read.All means that the principal granted this permission can read data in the tenant, such as users, groups and apps.

Entra App Roles

App roles define access definitions to the local application. One role can grant multiple permissions. For example, the Microsoft Graph application has several application roles defined. Directory.Read.All is one of them. The easiest way to verify the detailed API permissions granted by, for example, the Directory.Read.All app role is to visit Merill Fernando’s Microsoft Graph Permission Explorer website.

Example of a Security Boundary Violation

After a brief introduction to what Security Boundaries, Entra Applications and Entra Service Principals are, the next chapter uses a very practical example to show how a multi-tenant application can introduce a Security Boundary risk. If the explanations above were too brief, the article by Thomas Naunheim explains Entra Workload Identities in detail. Andy Robbins from SpecterOps has also published an article on the recent Microsoft breach What happened? What should Azure Admins do? in which he explains in great detail how external multi-tenant applications were used during the breach. Both articles are highly recommended reading.

Setting the stage

The mytenant.onmicrosoft.com tenant administrator registers a multitenant application from the foreigntenant.onmicrosoft.com tenant. The application promises smooth Entra role management. After the global administrator accepted the application with the scopes RoleManagement.ReadWrite.Directory and Directory.Read.All, a service principal is automatically created in the mytenant.onmicrosoft.com tenant as a local representation of the application. This action inadvertently extended the security boundary to the untrusted foreigntenant.onmicrosoft.com tenant.

The following step-by-step POC explores in detail the implications shown in the figure above.

Prerequisits

• Two Entra ID Tenants (In this example the mytenant.onmicrosoft.com and the foreigntenant.onmicrosoft.com)
• Global Administratore role in both tenants

Step 0 (Foreign Tenant): Create an application in the portal

• Log in as a Global Admin to the foreigntenant.onmicrosoft.com at https://portal.azure.com
• Open Microsoft Entra ID
• Go to App registrations
• Click New registration
  • Name: foreignApp
  • Support account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
    
• The application, including a service principal, should have been created with a unique object and client ID
  
• In the foreignApp page goto Quickstart
  • Select Daemon application
  • Select one of the platforms e.g. Node.js console
    
  • Copy the generated consent URL under standard user. The URL will be needed later for step 1
    
• In the foreignApp page goto Certificates & secrets
  • Create a client secret and store it for later
• In the foreignApp page goto API permissions
  • Click Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for RoleManagement.ReadWrite.Directory and Directory.Read.All
  • Select Add permissions for each of the App roles
  • You do not need to consent the API permissions for this tenant
    

With step 0 completed we are ready to register the foreignApp application in the mytenant.onmicrosoft.com. The setup could be improved by creating a web application and adding a reply address. However, this is optional for the POC.

Step 1 (My Tenant): Register the foreignapp application

• Log in as a Global Admin to the mytenant.onmicrosoft.com at https://porta.azure.com
• Browse to priviously generated consent URL e.g. https://login.microsoftonline.com/organizations/adminconsent?client_id=e037294a-d64a-4242-977a-3868012d69a5
• If you are logged in, a popup will appear asking you to review and accept the foreign application. The first sign you should be concerned about is that the application has not been verified. But with a bit of effort this could be changed to verified by following the Publisher Verification steps. The second sign is text highlighted in red. This application is asking for application permissions. Not really obvious to see, and it requires opening the closed details pane. Looking at the text highlighted in green, we can see that this is a user delegation. Delegations are a less powerful than application permissions, but not harmless either. If you are interested in OAuth 2.0 token phishing with malicious applications, read the article Creating a Malicious Azure AD OAuth2 Application from nyxgeek (TrustedSec)
  
• After pressing accept you succesfully handed over the mytenant.onmicrosoft.com tenant to the foreignapp.onmicrosoft.com organization. Whoever that is (?) You could check some publicly available information using the handy tenant information OSINT tool from DrAzureAD. But what has actually happened in the background? By the way, the error: No reply address is registered for the application can be ignored as everything worked fine also without a reply address
• Still using your Global Admin from mytenant.onmicrosoft.com, go to Enterprise Applications in the Azure portal. You will see that a Service Principal named foreignApp has been successfully created to represent the multitenant application. You can compare the application ID with the application (client) ID in step 0. They are the same.
  
• By opening the Service Principal foreignApp and navigating to Permissions, the previously approved permissions can be seen including the admin consent status.
  

Ok, the stage is set, now for the fun part.

Step 2 (Foreign Tenant): Login with the service principal

The next steps are scripted, as this is the only way to log in with a service principal. The script is called consentIsTheMindkiller.ps1 and can be found in the gist repository.

• First, some variables need to be set, the comments in the script will show you the way

$myTenantId = "cdfdd915-..." # The tenant registering the foreign application (Source: My Tenant)
$foreignTenantId = "d2a16643-37f9-..." # The tenant who is hosting the application (Source: Foreign Tenant)
$spPassword = "1N98Q~qo7oKGhA3L~t~OgQKVDPL.iasdas32" # The client secret from the app (Source: Foreign Tenant)
$appName = "foreignApp" # The app name (Source: Foreign Tenant)

• Before we can login with the service principal we use our Global Administrator from the foreignapp.onmicrosoft.com tenant to get the Application ID

$foreignApp = Get-MgServicePrincipal -All -Filter $appFilter

• Now the script uses the application ID and tenant ID from the tenant mytenant.onmicrosoft.com to login with the credentials from foreignapp.onmicrosoft.com to the mytenant.onmicrosoft.com tenant.

$spPwd= ConvertTo-SecureString $spPassword -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($foreignApp.AppId, $spPwd)
Connect-MgGraph -TenantId $myTenantId -ClientSecretCredential $psCred -NoWelcome

• With the RoleManagement.ReadWrite.Directory application role granted in step 1, the script adds the foreignapp service principal to the Global Administrator role.

$globalAdmin = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $globalAdmin.Id -BodyParameter @{"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($foreignsp.id)"}

Granting privileged application permissions to a foreign application effectively extends the security perimeter to the foreign application tenant. After all, this is how SaaS works. However, we haven’t found a way for the foreign tenant to know who has signed up to the multi-tenant application over the Azure portal or the Graph API. This would be possible, of course, if the third party hosted a website that directed people to register and ultimately use the application. But if you end up in a tenant and find many foreign multi-tenant apps, it would not be trivial to find a victim tenant to abuse the scenario described above. Unless it is a known application.

What can we do about it? Firstly, it is critical to vet any foreign SaaS application before agreeing to any application permissions or delegations. After that, the following step 3 helps to review already existing foreign service principals in a tenant.

Step 3 (My Tenant): Find foreign service principals with application permissions

In this step, we are the administrator of the mytenant.onmicrosoft.com tenant that previously accepted the application permissions.

• The script will prompt you to log in with an administrator from the mytenant.onmicrosoft.com tenant who is authorised to read service principal information.
• The script queries all Service Principals that have a Tenant ID other than mytenant.onmicrosoft.com via the AppOwnerOrganisationId attribute. The result is displayed on the command line and in the PowerShell Grid view.

$foreignsp = Get-MgServicePrincipal -All | Where-Object { $_.AppOwnerOrganizationId -ne $myTenantId -and $_.AppOwnerOrganizationId -ne $null }

• The approleValue and appDisplayname are the granted app roles to the resourceDisplayName

In a production tenant, Step 3 is an important audit task to check the permissions of foreign service principals. Step 3 is also available as a separate script. The script is called checkForForeignServicePrincipals.ps1 and can be found in the gist repository.

Conclusion

One of the many challenges in any IT environment, and especially in the cloud, is not inadvertently extending the security boundary to an unknown, untrusted entity. In a Microsoft cloud tenant, there are several ways to extend the security boundary, for example with Azure Lighthouse, granular delegated admin privileges (GDAP), multi-tenant applications, third-party solutions that only support cloud-only accounts, third-party agents on IaaS workloads, or DevOps solutions. In an Active Directory environment, we have similar challenges, although the cloud has a more dangerous attack surface. As the example above shows, it only takes one click from a privileged administrator to introduce a security boundary violation to an unknown tenant. This makes it all the more important to know what the security boundary of a given tenant really is, and to test new functionality in a non-production tenant. IT administrators should be adequately trained to have the knowledge to operate a cloud environment. We often find that Workload Identities and their capabilities are not fully understood during our assessments, which is why they are listed in our Top 10 Riskiest Cloud Configurations. Microsoft also does not make it easy to manage and audit Workload Identities and their permissions. Tools such as ROADTools, BloodHound, scripts like Export-MsIdAppConsentGrantReport or automated monitoring of Workload Identities permissions and changes as described in Hunting Service Principals with Microsoft Sentinal can help to get Workload Identities under control.

About the Author

Marius Elmiger is a security professional since the early 2000’s. He worked in various IT roles such as an administrator, engineer, architect, and consultant. His main activities included the implementation of complex IT infrastructure projects, implementation of security hardening concepts, and compromise recoveries. Later he transitioned to the offensive side. As a foundation, in addition to numerous IT certificates, Marius graduated with an MSc in Advanced Security & Digital Forensics at Edinburgh Napier University. (ORCID 0000-0002-2580-5636)

Links

• https://aadinternals.com/osint/
• https://cyberdom.blog/2023/01/13/hunting-service-principal-with-microsoft-sentinel/
• https://gist.github.com/m8r1us/2b97604b6dd42809a52ca31315a4998a
• https://gist.github.com/m8r1us/86434d2fb7b9e31a71ba4295d6cb2a3a
• https://github.com/AzureAD/MSIdentityTools/wiki/Export-MsIdAppConsentGrantReport
• https://github.com/SpecterOps/BloodHound
• https://github.com/dirkjanm/ROADtools
• https://graphpermissions.merill.net/permission/Directory.Read.All#graph-methods
• https://learn.microsoft.com/en-us/entra/identity-platform/developer-glossary#scopes
• https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview
• https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview
• https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
• https://www.cloud-architekt.net/entra-workload-id-introduction-and-delegation/
• https://www.trustedsec.com/blog/creating-a-malicious-azure-ad-oauth2-application