Microsoft Entra ID Identity Governance Capabilities: 3 Potential Attack Paths and Mitigation Strategies

In November 2023, Gary Sun, a cybersecurity software engineer at CyCraft, presented the research "From Guest to Global Admin: Abuse Azure IAM with Microsoft Entra ID P2 Features" at the AVTokyo 2023 security conference in Japan. In 2023, Microsoft rebranded Azure AD as Microsoft Entra ID and expanded its identity and access management product line. Azure AD was already widely used for Identity and Access Management (IAM); Entra ID adds more granular identity governance features that aim to close the gap between the identities an organization has and the access permissions they hold, through automated lifecycle management.

CyCraft's research team identified features in Microsoft Entra ID that an attacker could abuse for privilege escalation. This article analyzes these potential attack paths and provides mitigation measures so organizations can address them before an incident occurs.


Overview of Microsoft Entra ID

Microsoft Entra ID is an integrated cloud identity and access management service, offering a more convenient way to manage identities for employees, partners, and customers. It can be integrated with various applications, including Microsoft's SaaS applications, custom enterprise applications, and other cloud applications. It also supports hybrid and multi-cloud environments, allowing organizations to integrate on-premises accounts, applications, and resources.

Because of its broad range of use cases, Entra ID is complex, and IT staff find it hard to allocate permissions that match each business scenario. According to Microsoft's 2023 State of Cloud Permissions report, only 5% of granted permissions are actively used, while up to 50% of identities hold permissions that can control all resources, making them in effect "Super Admins." As organizations grow, more business operations and personnel changes lead to more permissions being granted without regular review, producing a significant permission gap. (Figure 1)

Figure 1: Over time, permissions gradually increase, leading to a significant access rights gap. Image source: https://learn.microsoft.com/en-us/security/zero-trust/develop/overprivileged-permissions

Inventorying the accounts and permissions in an enterprise environment with visualization tools is therefore essential. Tools such as AzureHound and StormSpotter can already inventory Entra ID; both visualize IAM relationships as graphs that users can assess.

However, AzureHound and StormSpotter do not examine the identity governance features that Microsoft Entra ID provides, nor the risks each feature introduces. After evaluating the possible attack paths, CyCraft's research team identified three features an attacker could exploit for privilege escalation: Entitlement Management, Administrative Units, and Eligible Assignments.

Three Potential Attack Paths in Microsoft Entra ID's New Features

Entra ID's Identity Governance gives corporate IT administrators additional controls for protecting and managing authentication and access within the organization, such as Conditional Access and Privileged Identity Management (PIM). Note that although Entra ID and Azure share the same identities, they are managed separately: Azure RBAC governs Azure resources only, while Entra ID roles govern the identity platform itself.

After evaluating every Entra ID feature directly related to IAM and the attack paths it could enable, CyCraft identified three features with potential risks: Entitlement Management, Administrative Units, and Eligible Assignments. All three are built on Role-Based Access Control (RBAC): roles define permissions, and users are assigned roles limited to specific scopes. Roles, resources, and permissions are therefore the critical nodes in the attack paths.

1. Entitlement Management

Entitlement Management lets organizations automate request workflows and permission assignments to manage identity lifecycles. In cross-departmental collaboration, permission assignment is complex, and people in one department may not know what access another department requires. A common scenario is that IT administrators, unfamiliar with the staffing of other departments, delegate part of the permission-assignment authority to department heads, who then decide who can access which resources. (Figure 2)

Figure 2: Explanation of the permission management scenario.

CyCraft observed that the resource types a Catalog can contain include Groups. If an attacker gains control of a Catalog, or of an Access Package in a Catalog, that contains a high-privilege Group, they can escalate through this path: add the Group's membership as a Resource Role to an Access Package and assign the package to the compromised account, which then becomes a member of the high-privilege Group. (Figure 3)

Figure 3: The attacker gains control of high-privilege Groups by adding a Resource Role.

2. Administrative Unit

Administrative Units let organizations restrict an Entra ID role to a specific scope, a permission that administrators easily overlook. By default the scope of a role is the whole tenant; with an Administrative Unit, a user holding the Groups Administrator role, for example, can act only on the Groups inside that unit. The scoped assignment is still a real administrative privilege: an attacker who controls such an account can add members to the Groups in that unit and inherit whatever permissions those Groups carry, so scoped role assignments need the same inventory and review as tenant-wide ones. (Figure 4)

Figure 4: The user's role applies only within a specific scope.

3. Eligible Assignments

Eligible Assignments manage the lifecycle of role assignments and enable just-in-time (JIT) permissions. When a role is assigned as eligible, the user does not hold its permissions immediately; they must activate it before they can use them (similar to "Run as administrator" in Windows or sudo in Linux). Depending on the role's settings, activation can require additional verification, and every activation is recorded.

However, that verification is not guaranteed: whether activation requires MFA, approval, or a justification is determined per role, and a role may be left activatable without any additional check. An attacker who controls an eligible account can therefore query the role settings in advance and look for roles that can be activated quietly. Doing so raises the chance of a successful escalation and avoids the MFA prompt or approval request that would otherwise alert the account's owner or an approver.

Figure 5: Roles can be configured to require additional verification when they are activated. A role whose settings allow activation without such verification gives an attacker an opening.

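As an added example (not part of the original article or of CyCraft's tooling), the following Python script performs the reconnaissance described above from the defender's side: it parses PIM role settings in the shape Microsoft Graph returns them (roleManagementPolicies with their rules, and roleManagementPolicyAssignments linking a policy to a role) and lists roles whose activation requires neither MFA nor approval. The role definition IDs, policy IDs, and all sample data are constructed placeholders; the rule IDs Enablement_EndUser_Assignment, Approval_EndUser_Assignment, and Expiration_EndUser_Assignment follow the Graph schema for end-user activation rules. The same check verifies the Eligible Assignments mitigation listed later in this article.

```python
"""Audit PIM activation requirements for Entra ID roles.

Constructed sample data (placeholders, not real tenant values) shaped after
two Microsoft Graph responses:
  GET /policies/roleManagementPolicies?$expand=rules
  GET /policies/roleManagementPolicyAssignments
"""
from dataclasses import dataclass

# Roles to audit: display name keyed by (placeholder) roleDefinitionId.
PRIVILEGED_ROLES = {
    "role-ga": "Global Administrator",
    "role-pra": "Privileged Role Administrator",
    "role-grp": "Groups Administrator",
}

# Constructed: which policy governs which role.
SAMPLE_ASSIGNMENTS = [
    {"policyId": "pol-strict", "roleDefinitionId": "role-ga"},
    {"policyId": "pol-weak", "roleDefinitionId": "role-pra"},
    {"policyId": "pol-weak", "roleDefinitionId": "role-grp"},
    {"policyId": "pol-weak", "roleDefinitionId": "role-reader"},  # not audited
]

# Constructed: only the end-user *activation* rules of each policy are kept.
SAMPLE_POLICIES = [
    {"id": "pol-strict", "rules": [
        {"id": "Enablement_EndUser_Assignment",
         "enabledRules": ["MultiFactorAuthentication", "Justification"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True}},
        {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT4H"},
    ]},
    {"id": "pol-weak", "rules": [
        {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
        {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT8H"},
    ]},
]


@dataclass(frozen=True)
class ActivationSettings:
    role: str
    mfa: bool
    approval: bool
    justification: bool
    max_duration: str

    def findings(self) -> list:
        """Weaknesses an attacker looks for and a defender should fix."""
        out = []
        if not self.mfa:
            out.append("no MFA on activation")
        if not self.approval:
            out.append("no approval on activation")
        if not self.justification:
            out.append("no justification required")
        return out

    def quiet(self) -> bool:
        """True if an eligible user can activate with no second factor and no approver."""
        return not self.mfa and not self.approval


def parse_policy(role: str, policy: dict) -> ActivationSettings:
    """Pull the activation-time requirements out of a policy's rule list."""
    rules = {r["id"]: r for r in policy["rules"]}
    enabled = set(rules.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    approval = rules.get("Approval_EndUser_Assignment", {}).get("setting", {})
    expiry = rules.get("Expiration_EndUser_Assignment", {}).get("maximumDuration", "")
    return ActivationSettings(
        role=role,
        mfa="MultiFactorAuthentication" in enabled,
        approval=bool(approval.get("isApprovalRequired", False)),
        justification="Justification" in enabled,
        max_duration=expiry,
    )


def audit(policies: list, assignments: list, roles: dict = PRIVILEGED_ROLES) -> dict:
    """Map role display name -> ActivationSettings for every audited role."""
    by_id = {p["id"]: p for p in policies}
    report = {}
    for a in assignments:
        name = roles.get(a["roleDefinitionId"])
        if name is None:
            continue  # low-value role, skip
        report[name] = parse_policy(name, by_id[a["policyId"]])
    return report


def quiet_activation_targets(report: dict) -> list:
    """Roles an attacker could activate without tripping MFA or an approver."""
    return sorted(name for name, s in report.items() if s.quiet())


if __name__ == "__main__":
    report = audit(SAMPLE_POLICIES, SAMPLE_ASSIGNMENTS)
    for name, settings in report.items():
        print(f"{name}: {settings.findings() or ['ok']} (max activation {settings.max_duration})")
    print("quiet activation targets:", quiet_activation_targets(report))
```

Against a live tenant the two constructed lists would be replaced by the paged Graph responses (the rules come back with an @odata.type per rule type; the script keys on the rule id, which is stable across types). Any role that appears in the quiet-activation list is the one to fix first, since it is exactly what an attacker holding an eligible account would pick.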
Case Analysis of Entra ID Attack Paths: Privilege Escalation via Identity Governance

CyCraft researchers mapped out how an attacker could escalate privileges through Identity Governance. In this scenario the attacker starts by controlling an account (akua) that holds Catalog Owner permissions. Because the Catalog contains a Group (Dead End) that holds Global Administrator permissions, the attacker can add a Resource Role for that Group, make the compromised account a member of it, and thereby obtain Global Administrator permissions. (The high-privilege roles involved are described in the following section.)

Figure 6: Example of how an attacker escalates privileges through Identity Governance. CyCraft's XCockpit automated threat exposure management platform can identify potential attack paths within an environment (the content of the diagram is for product demonstration only; all data and information are unrelated to any actual case).

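The following Python example is added here and is not CyCraft's XCockpit or any code from the original article. It models a tenant as labelled edges and enumerates every path from a principal to a privileged assignment through the relationships this article discusses: Catalog Owner or Access Package Manager -> Catalog -> Group resource -> role, Groups Administrator scoped to an Administrative Unit -> Group in the unit -> role, and plain group membership. The tenant snapshot (users, catalog, groups, roles, the Azure subscription scope) is constructed; the names akua and Dead End follow Figure 6.

```python
"""Enumerate privilege-escalation paths through Identity Governance objects.

The tenant snapshot below is constructed (no real data). Edges model the
relationships in the article: a Catalog Owner or Access Package Manager can
put an account into any Group the Catalog contains, and a Groups Administrator
scoped to an Administrative Unit can edit the Groups inside that unit. Names
akua and Dead End follow Figure 6.
"""
from collections import defaultdict

# (source, relationship, target)
SAMPLE_EDGES = [
    ("user:akua", "CatalogOwner", "catalog:Finance"),
    ("user:chen", "AccessPackageManager", "catalog:Finance"),
    ("catalog:Finance", "ContainsGroup", "group:Dead End"),
    ("catalog:Finance", "ContainsGroup", "group:Staff"),          # no privilege
    ("group:Dead End", "HasRole", "role:Global Administrator"),
    ("user:mallory", "ScopedGroupsAdministrator", "au:Branch Office"),
    ("au:Branch Office", "ContainsGroup", "group:Branch Admins"),
    # Membership of role-assignable groups (groups holding directory roles) can
    # only be changed by Global / Privileged Role Administrators and the group's
    # owners, so a scoped Groups Administrator realistically reaches groups that
    # carry other privileges, here an Azure RBAC role (constructed scope).
    ("group:Branch Admins", "HasRole", "azurerole:Owner@/subscriptions/prod"),
    ("user:bob", "MemberOf", "group:Staff"),
]

PRIVILEGED_TARGETS = {
    "role:Global Administrator",
    "role:Privileged Role Administrator",
    "azurerole:Owner@/subscriptions/prod",
}

# Relationships that let the holder of the source end up controlling the target.
CONTROL_EDGES = {
    "CatalogOwner", "AccessPackageManager", "ScopedGroupsAdministrator",
    "ContainsGroup", "HasRole", "MemberOf",
}


def build_graph(edges: list) -> dict:
    """Adjacency list: node -> [(relationship, next node)]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        if rel in CONTROL_EDGES:
            graph[src].append((rel, dst))
    return graph


def escalation_paths(edges: list, start: str, targets: set = PRIVILEGED_TARGETS) -> list:
    """Return every simple path from `start` to a node in `targets`."""
    graph = build_graph(edges)
    paths = []

    def walk(node, path, seen):
        if node in targets:
            paths.append(path)
            return
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:  # simple paths only, no cycles
                walk(nxt, path + [(rel, nxt)], seen | {nxt})

    walk(start, [], {start})
    return paths


def render(start: str, path: list) -> str:
    """One path as 'user -[rel]-> node -[rel]-> ... -> target'."""
    return start + "".join(f" -[{rel}]-> {node}" for rel, node in path)


def principals_with_paths(edges: list, targets: set = PRIVILEGED_TARGETS) -> dict:
    """user -> list of escalation paths, for every user that has at least one."""
    users = sorted({src for src, _, _ in edges if src.startswith("user:")})
    found = {}
    for user in users:
        paths = escalation_paths(edges, user, targets)
        if paths:
            found[user] = paths
    return found


if __name__ == "__main__":
    for user, paths in principals_with_paths(SAMPLE_EDGES).items():
        for path in paths:
            print(render(user, path))
```

The output for akua is the Figure 6 path (akua -> Finance catalog -> Dead End group -> Global Administrator); bob, who is merely a member of an unprivileged group, produces no path. Feeding the same edge types from a real tenant (catalog owners and access package managers from Entitlement Management, catalog resources, scoped role assignments, group role assignments) turns this into the attack-path inventory the article argues AzureHound and StormSpotter do not cover.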
Mitigation Measures for Entra ID Attack Paths

To address the attack paths above, CyCraft's mitigation measures focus on tightening API permission management, so that enterprises and users can deploy defenses proactively. Authorized API permissions let one application operate on another, which is how third parties and internal applications obtain access to a tenant; abusing such permissions is a common attacker strategy. Having IT administrators verify that every API permission is appropriate is therefore a basic and effective mitigation.

1. Entitlement Management
  • Inspect all Catalogs (including the Groups they contain) and confirm each is necessary for business operations.
  • Monitor audit events in which resources are added to a Catalog or Resource Roles are added to an Access Package.
  • Inventory Applications holding the EntitlementManagement.ReadWrite.All permission (it grants control over all Catalogs).
  • Inventory high-privilege roles within Catalogs (Catalog Owners control Catalogs; Access Package Managers control Access Packages).
  • Inventory identities holding the Identity Governance Administrator role (it grants control over all Catalogs).
2. Administrative Unit
  • Inventory Applications holding the AdministrativeUnit.ReadWrite.All permission (it grants control over all Administrative Units).
3. Eligible Assignments
  • Enforce security policies on role activation, including MFA, manager approval, or other verification conditions.
  • Monitor role activation events to ensure every activation is legitimate and expected.
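To turn the two application-inventory bullets above into a repeatable check, here is an added Python example (not from the original article or from CyCraft). It resolves permissions the way Microsoft Graph exposes them: each appRoleAssignment on a service principal carries only an appRoleId, which must be mapped to a permission name through the appRoles of the Microsoft Graph service principal (the well-known appId 00000003-0000-0000-c000-000000000000), while delegated permissions appear as space-separated scope strings on oauth2PermissionGrants. All service principals, IDs, assignments, and grants in the sample are constructed.

```python
"""Inventory service principals holding high-impact Microsoft Graph permissions.

Constructed sample (IDs are placeholders) shaped after Graph responses:
  GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
      -> the Microsoft Graph service principal; its appRoles map appRoleId -> name
  GET /servicePrincipals/{id}/appRoleAssignments -> application permissions
  GET /oauth2PermissionGrants                     -> delegated permissions
"""
from collections import defaultdict

# Permissions the article calls out, with why they matter.
WATCHED = {
    "EntitlementManagement.ReadWrite.All": "control over all Catalogs and Access Packages",
    "AdministrativeUnit.ReadWrite.All": "control over all Administrative Units",
}

GRAPH_SP = {
    "id": "sp-graph",
    "appId": "00000003-0000-0000-c000-000000000000",  # well-known Microsoft Graph appId
    "appRoles": [  # constructed role ids; real tenants return GUIDs here
        {"id": "ar-em-rw", "value": "EntitlementManagement.ReadWrite.All"},
        {"id": "ar-au-rw", "value": "AdministrativeUnit.ReadWrite.All"},
        {"id": "ar-user-r", "value": "User.Read.All"},
    ],
}

CLIENT_SPS = [
    {"id": "sp-hr-sync", "displayName": "HR Lifecycle Sync"},
    {"id": "sp-helpdesk", "displayName": "Helpdesk Portal"},
    {"id": "sp-report", "displayName": "Reporting Job"},
]

# principalId = the client app, resourceId = the API the role was granted on.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-hr-sync", "resourceId": "sp-graph", "appRoleId": "ar-em-rw"},
    {"principalId": "sp-report", "resourceId": "sp-graph", "appRoleId": "ar-user-r"},
    # Same appRoleId string on a different API: must not be mistaken for Graph.
    {"principalId": "sp-hr-sync", "resourceId": "sp-other-api", "appRoleId": "ar-em-rw"},
]

OAUTH2_GRANTS = [
    {"clientId": "sp-helpdesk", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "scope": "User.Read AdministrativeUnit.ReadWrite.All"},
    {"clientId": "sp-report", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-1", "scope": "User.Read"},
]


def inventory(graph_sp: dict, clients: list, assignments: list, grants: list,
              watched: dict = WATCHED) -> dict:
    """displayName -> [(grant kind, permission)] for every watched permission found."""
    role_name = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    names = {c["id"]: c["displayName"] for c in clients}
    found = defaultdict(list)

    # Application permissions: the app acts on the tenant with no signed-in user.
    for a in assignments:
        if a["resourceId"] != graph_sp["id"]:
            continue  # granted on some other API, not Microsoft Graph
        perm = role_name.get(a["appRoleId"])
        if perm in watched:
            found[names.get(a["principalId"], a["principalId"])].append(("application", perm))

    # Delegated permissions: effective rights are the intersection of the grant
    # and the signed-in user's own privileges, so rank these below application
    # permissions; AllPrincipals consent, however, exposes the grant to every user.
    for g in grants:
        if g["resourceId"] != graph_sp["id"]:
            continue
        for perm in g["scope"].split():
            if perm in watched:
                kind = f"delegated/{g['consentType']}"
                found[names.get(g["clientId"], g["clientId"])].append((kind, perm))
    return dict(found)


def report_lines(found: dict, watched: dict = WATCHED) -> list:
    """Human-readable rows, sorted by application name."""
    return [f"{app}: {kind} {perm} ({watched[perm]})"
            for app in sorted(found) for kind, perm in found[app]]


if __name__ == "__main__":
    for line in report_lines(inventory(GRAPH_SP, CLIENT_SPS, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS)):
        print(line)
```

The resourceId check matters: an appRoleId is only meaningful relative to the API that defines it, so matching role IDs without confirming the resource is the Microsoft Graph service principal produces both false positives and misses. The WATCHED map is deliberately a parameter so the same routine can cover any further permission an organization decides to track.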

Summary: Gaining Visibility into Attack Paths and Implementing CTEM Defense Strategies

In 2022, the IT research and consulting firm Gartner introduced Continuous Threat Exposure Management (CTEM), marking a shift in how organizations approach cyber defense. CTEM ties security strategy to business value and IT management practice, and asks organizations to reassess their posture against both.

CTEM emphasizes attack path visibility, proactively identifying and assessing potential attack vectors before incidents occur. By continuously testing and validating security postures, organizations can achieve truly proactive defense.

Following the CTEM approach, CyCraft's research team analyzed the potential attack paths in Microsoft Entra ID in depth. The research is a reminder that before adopting new products and features, organizations must fully understand their scope and the risks they bring. The mitigation measures above let organizations close these exposures and strengthen their defenses before attackers strike.

Only by knowing both yourself and your adversaries can you ensure victory in every battle.


Further Reading
  1. Sun Wei-Kang & Su Jun-Ming (2023), "Has AD and Its Partners Misunderstood Zero Trust?" – Presented at CYBERSEC 2023.
  2. CyCraft introduces the “XCockpit Privileged Account Impact Analysis Platform” – now available for free trial reservations.

Writer: Gary Sun

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
