Treat your Privileged Authentication Admins as Global Admins

Introduction:

I’ve lately been diving into different escalation paths in Azure AD, and what I’ve realized is that it’s possible to take over a Global Admin account once a user is a member of the directory role called Privileged Authentication Administrator.

This role is described by Microsoft as the following:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#privileged-authentication-administrator

As Microsoft’s documentation makes clear, every user who is part of this role is able to reset the password of a Global Admin account, which means that this role should be treated like Global Admin.

It also states the following:

“Privileged Authentication Administrators can force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke ‘remember MFA on the device’, prompting for MFA on the next sign-in of all users.”

The list of permissions that it has:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#privileged-authentication-administrator

However, most companies are aware that Global Admins should have extra protection, such as MFA, due to the high privileges they hold.

This means that even when we reset the password of a Global Admin, we still won’t be able to log in, because the sign-in has to be approved via the authenticator app. That being said, there is a way around this.

Enumeration:

As you can see in this example, there is one user in the Privileged Authentication Administrator role, which is Gabi.

Let’s assume that we’ve managed to phish Gabi and we took over her account.

Now we are going to enumerate all the users in the Global Administrator role.

We can see that there are 3 Global Admins. In our example, we are trying to take over the account of Jan Oblak.

Execution:

Since we can reset the password of a Global Admin, why not just do that, right?

When we have reset the password and try to log in, the MFA verification request pops up and needs to be approved, but we can’t do this, since we don’t have access to Jan Oblak’s phone.

Account takeover:

Let’s get back to what Microsoft described:

“Privileged Authentication Administrators can force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke ‘remember MFA on the device’, prompting for MFA on the next sign-in of all users.”

It doesn’t say that users in Privileged Authentication Administrator are able to turn off MFA.

If we take a look at the least-privileged role that is required to disable MFA, the documentation only says that Global Admins can do it.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#privileged-authentication-administrator

However, it looks like users in Privileged Authentication Administrator can disable MFA as well, but it hasn’t been documented.

Here we are disabling MFA of Jan Oblak, who is a Global Admin.

After we have done this, we can log on to the account of Jan Oblak.

Detection:

We can write a KQL query in Azure Sentinel to alert when a user has disabled MFA on an account.

KQL query:

// Find out who disabled MFA (Azure AD audit operation "Disable Strong Authentication")
let timeframe = 7d;
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where OperationName == "Disable Strong Authentication"
// InitiatedBy.user can arrive as a JSON string, hence parse_json(tostring(...))
| extend InitiatedByUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// The account whose MFA was disabled is the first target resource
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, InitiatedByUPN, TargetUPN, OperationName, LoggedByService, Result
| sort by TimeGenerated desc
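The same detection logic, as an added example that is not part of the original post, written in Python over constructed AuditLogs-shaped records so it can be tested offline. It goes one step beyond the KQL: the target of each "Disable Strong Authentication" event is checked against a constructed role-membership table (the tenant names, UPNs and role holders are made up), so MFA being disabled on a Global Admin or Privileged Authentication Admin is ranked "high".

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: role holders in a fictional tenant (the post's Gabi and Jan Oblak).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Authentication Administrator"}
ROLE_MEMBERS = {
    "jan.oblak@contoso.example": {"Global Administrator"},
    "gabi@contoso.example": {"Privileged Authentication Administrator"},
    "bob@contoso.example": set(),
}
NOW = datetime(2020, 5, 2, 12, 0, tzinfo=timezone.utc)  # constructed "query time"

# Constructed rows shaped like the Sentinel AuditLogs table. InitiatedBy.user sometimes
# arrives as a JSON string, which is why the KQL wraps it in parse_json(tostring(...)).
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2020-05-01T10:00:00Z", "OperationName": "Disable Strong Authentication", "Result": "success",
     "InitiatedBy": {"user": json.dumps({"userPrincipalName": "gabi@contoso.example"})},
     "TargetResources": [{"userPrincipalName": "jan.oblak@contoso.example"}]},
    {"TimeGenerated": "2020-05-01T10:05:00Z", "OperationName": "Reset user password", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "gabi@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "jan.oblak@contoso.example"}]},
    {"TimeGenerated": "2020-05-02T08:00:00Z", "OperationName": "Disable Strong Authentication", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    {"TimeGenerated": "2020-04-01T09:00:00Z", "OperationName": "Disable Strong Authentication", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "gabi@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "jan.oblak@contoso.example"}]},
]

def _as_dict(value):
    # Accept either a dict or a JSON-encoded string (the parse_json(tostring()) idiom).
    return json.loads(value) if isinstance(value, str) else (value or {})

def find_mfa_disablement(records, now=NOW, timeframe=timedelta(days=7), role_members=ROLE_MEMBERS):
    """Recent 'Disable Strong Authentication' events, newest first, ranked 'high' when the
    target holds a privileged directory role (the case this post is about)."""
    cutoff = now - timeframe
    hits = []
    for rec in records:
        when = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        if rec.get("OperationName") != "Disable Strong Authentication" or when < cutoff:
            continue
        initiator = _as_dict(_as_dict(rec.get("InitiatedBy")).get("user")).get("userPrincipalName")
        target = (rec.get("TargetResources") or [{}])[0].get("userPrincipalName")
        roles = role_members.get(target, set()) & PRIVILEGED_ROLES
        hits.append({"time": when, "initiated_by": initiator, "target": target,
                     "target_roles": sorted(roles), "result": rec.get("Result"),
                     "severity": "high" if roles else "medium"})
    return sorted(hits, key=lambda h: h["time"], reverse=True)
```

In a real deployment the role table would be refreshed from the directory rather than hard-coded, and the password reset on the same target shortly before the MFA change is the second event worth correlating.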

Conclusion:

Users in Privileged Authentication Administrator are able to reset passwords and turn off MFA for every admin role, including Global Admins. This means that you should treat users in Privileged Authentication Administrator as equivalent to Global Admins.

3 thoughts on “Treat your Privileged Authentication Admins as Global Admins”

  1. Hi there, would it be safe to assume, if Gabi’s account got hijacked, that it was because the account didn’t have MFA turned on? And if so, is part of treating PIM users that they have MFA on their accounts?


    1. You’re right. Privileged Authentication Admins is a pretty powerful group, which needs to be treated as Global Admins. So, in other words, all the security you have applied to your GAs (e.g. Conditional Access Policies, MFA, logging, etc.) should absolutely be applied to users in Privileged Authentication Admin as well.
