TROOPERS26 Call for Paper

Shang-De Jiang

Shang-De Jiang, also known as HackerPeanutJohn, is a deputy director of the research team at CyCraft. He currently focuses on Identity Security and Microsoft Security research. He has given technical presentations at non-academic security conferences such as DEFCON, TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit and BlackHat USA. He is the co-founder of UCCU Hacker, a private hacker group in Taiwan.


Session

06-24
14:15
60min
Nested APP Authentication - Undocumented Risk and Conditional Access Bypass
Jun Sheng Shi, Shang-De Jiang

Previous studies of Entra ID token exchange abuse have focused mainly on abuse of the FOCI (Family of Client IDs) feature and on scope-based Conditional Access bypass cases.
Although that prior work explored these areas in depth, we noticed that the NAA (Nested APP Authentication) token exchange attack surface has not been widely discussed.

In this talk, we will discuss the undocumented risks of NAA token exchange and how NAA can lead to Conditional Access bypass.

From our findings, we identified the following:

  • NAA Undocumented Risk
    When an attacker compromises a Broker Client, such as Teams or Outlook, the attacker can use NAA to obtain the Azure Resource Manager user_impersonation scope.
    This means that even if only a Broker Client exists on the device, the attacker may still be able to use NAA to compromise cloud resources.
  • Conditional Access Bypass
    During our exploration, we found that NAA can lead to Conditional Access bypass, including MFA bypass, Require Compliant Device bypass and Token Protection bypass. We also identified two new categories of bypass: Broker Client-based bypass and Nested Client-based bypass.
Active Directory & Entra ID Security
Track 2