We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
Bypassing Entra ID Conditional Access Like APT: A Deep Dive Into Device Authentication Mechanisms
Learn how attackers can bypass Entra ID device authentication by abusing Windows APIs and TPM keys. Deep dive into security flaws and critical mitigation strategies.
-
During device registration to Entra ID, two key sets (device key and transport key) are generated and stored in TPM
-
Attackers can bypass device-based conditional access by abusing internal Windows APIs and TPM-stored keys without requiring admin privileges
-
The PLT (Primary Refresh Token) cookie can be created and signed using internal Azure AD plugin functions and undocumented APIs
-
Windows Hello for Business keys stored in TPM can be leveraged for passwordless authentication bypass
-
Key authentication flows:
- Browser single sign-on using device key signatures
- API access using session keys
- PLT cookie creation using encrypted session keys
-
Mitigation recommendations:
- Require MFA in conditional access policies
- Monitor suspicious multi-account sign-in activities
- Implement stronger device-based access controls
- Review and harden conditional access policies
-
Attack chain:
- Compromise corporate device registered to Entra ID
- Access TPM-stored keys via undocumented APIs
- Create signed login requests with device keys
- Generate PLT cookies for account switching
- Bypass device-based access controls
-
Attack impacts:
- Lateral movement between cloud accounts
- MFA bypass capabilities
- Access to cloud resources as any user with credentials
- Device authentication mechanism abuse