Jun Sheng Shi
Jun Sheng Shi is a security researcher at CyCraft Technology, focusing on cloud identity security and authentication protocols. His research focuses on Microsoft Entra ID token exchange mechanisms, including FOCI and Nested Application Authentication (NAA). He specializes in discovering authentication bypass techniques and analyzing complex access control behaviors in modern cloud environments.
Session
In the past, several studies on Entra ID token exchange abuse mainly focused on FOCI (Family of Client IDs) feature abuse and scope-based Conditional Access bypass cases.
Although prior work explored these areas in depth, we noticed that the NAA (Nested App Authentication) token exchange attack surface has not been widely discussed.
In this talk, we will discuss the undocumented risks of NAA token exchange and how NAA can lead to Conditional Access bypass.
From our findings, we identified the following:
- NAA Undocumented Risk
When an attacker compromises a Broker Client, such as Teams or Outlook, the attacker can use NAA to obtain the Azure Resource Manager user_impersonation scope.
This means that even if only a Broker Client exists on the device, the attacker may still be able to use NAA to compromise cloud resources.
- Conditional Access Bypass
During our exploration, we found that NAA can lead to Conditional Access bypass, including MFA bypass, Require Compliant Device bypass, and Token Protection bypass. We also identified two new classes of bypass: Broker Client-based bypass and Nested Client-based bypass.