Bypassing Entra ID Conditional Access Like APT: A Deep Dive Into Device Authentication Mechanisms


Learn how attackers can bypass Entra ID device authentication by abusing Windows APIs and TPM keys. Deep dive into security flaws and critical mitigation strategies.

Key takeaways
  • During device registration to Entra ID, two key sets (device key and transport key) are generated and stored in the TPM

  • Attackers can bypass device-based conditional access by abusing internal Windows APIs and TPM-stored keys without requiring admin privileges

  • The PRT (Primary Refresh Token) cookie can be created and signed using internal Azure AD plugin functions and undocumented APIs

  • Windows Hello for Business keys stored in the TPM can be leveraged for passwordless authentication bypass

  • Key authentication flows:
    • Browser single sign-on using device key signatures
    • API access using session keys
    • PRT cookie creation using encrypted session keys

  • Mitigation recommendations:
    • Require MFA in conditional access policies
    • Monitor suspicious multi-account sign-in activities
    • Implement stronger device-based access controls
    • Review and harden conditional access policies

  • Attack chain:
    1. Compromise a corporate device registered to Entra ID
    2. Access TPM-stored keys via undocumented APIs
    3. Create signed login requests with device keys
    4. Generate PRT cookies for account switching
    5. Bypass device-based access controls

  • Attack impacts:
    • Lateral movement between cloud accounts
    • MFA bypass capabilities
    • Access to cloud resources as any user with credentials
    • Device authentication mechanism abuse
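The "monitor suspicious multi-account sign-in activities" recommendation maps to a concrete check: one registered device should not be the origin of sign-ins for many different accounts in a short window. The following is an added example (not code from the original post) that runs a sliding-window check over constructed sign-in records; the record field names and the thresholds are assumptions, not the real Entra ID sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped loosely like Entra ID sign-in log entries.
# Field names are assumptions for this example, not the real export schema.
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T09:00:00Z", "deviceId": "dev-A", "user": "alice@contoso.example"},
    {"time": "2024-05-01T09:05:00Z", "deviceId": "dev-A", "user": "alice@contoso.example"},
    {"time": "2024-05-01T09:20:00Z", "deviceId": "dev-A", "user": "bob@contoso.example"},
    {"time": "2024-05-01T09:25:00Z", "deviceId": "dev-A", "user": "carol@contoso.example"},
    {"time": "2024-05-01T10:00:00Z", "deviceId": "dev-B", "user": "dave@contoso.example"},
    {"time": "2024-05-02T11:00:00Z", "deviceId": "dev-B", "user": "erin@contoso.example"},
]


def parse_time(ts):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_multi_account_devices(records, window=timedelta(hours=1), min_users=3):
    """Return {deviceId: sorted list of users} for every device where at least
    `min_users` distinct accounts signed in within some span of length `window`.
    A shared kiosk may legitimately trip this, so treat hits as triage leads."""
    by_device = defaultdict(list)
    for rec in records:
        by_device[rec["deviceId"]].append((parse_time(rec["time"]), rec["user"]))

    flagged = {}
    for device, events in by_device.items():
        events.sort()  # chronological order; tuples sort by timestamp first
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[device] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for device, users in find_multi_account_devices(SAMPLE_SIGNINS).items():
        print(f"{device}: {len(users)} accounts within 1h -> {', '.join(users)}")
```

With the defaults, dev-A is flagged (three accounts in 25 minutes) while dev-B is not, since its two sign-ins are a day apart.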