BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//FGWGXN
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-EZCTEQ@cfp.troopers.de
DTSTART;TZID=CET:20260624T141500
DTEND;TZID=CET:20260624T151500
DESCRIPTION:In the past\, several studies on Entra ID token exchange abuse 
 mainly focused on FOCI (Family of Client IDs) feature abuse and scope-base
 d Conditional Access bypass cases.\nAlthough prior work explored these are
 as in depth\, we noticed that the NAA (Nested APP Authentication) token ex
 change attack surface has not been widely discussed.\n\nIn this talk\, we 
 will discuss the undocumented risks of NAA token exchange and how NAA can 
 lead to Conditional Access bypass.\n\nFrom our findings\, we identified th
 e following:\n\n- NAA Undocumented Risk\nWhen an attacker compromises a Br
 oker Client\, such as Teams or Outlook\, the attacker can use NAA to obtai
 n the Azure Resource Manager user_impersonation scope.\nThis means that ev
 en if only a Broker Client exists on the device\, the attacker may still b
 e able to use NAA to compromise cloud resources.\n- Conditional Access Byp
 ass\nDuring our exploration\, we found that NAA can lead to Conditional Ac
 cess bypass\, including MFA bypass\, Require Compliant Device bypass\, and
  Token Protection bypass\, and we also identified two new bypass series: B
 roker Client–based bypass and Nested Client–based bypass.
DTSTAMP:20260510T030100Z
LOCATION:Track 2
SUMMARY:Nested APP Authentication - Undocumented Risk and Conditional Acces
 s Bypass - Jun Sheng Shi\, Shang-De Jiang
URL:https://cfp.troopers.de/tr26-cfp/talk/EZCTEQ/
END:VEVENT
END:VCALENDAR