Severity
High
Analysis Summary
Microsoft Entra ID (formerly Azure AD) Conditional Access is designed to act as the core security gatekeeper in cloud identity environments, evaluating user location, risk signals, and device compliance before granting access. However, an authorized red team assessment by security researchers revealed a critical attack path that bypasses these protections entirely. Using only a single set of valid credentials, of the kind often sourced from cybercriminal markets, the researchers were able to compromise a production tenant containing over 16,000 users without deploying malware or touching any corporate endpoint. This highlights a fundamental weakness in the default device trust and device registration validation mechanisms of cloud identity systems.
The attack began when blocked credentials triggered an AADSTS53003 error due to Conditional Access policies. Instead of stopping there, the researchers pivoted to the Device Registration Service (DRS) using a device code authentication flow that was not properly restricted. This allowed them to register a “phantom device” by generating a valid Azure AD certificate and private key, effectively impersonating a trusted endpoint. The DRS endpoint failed to verify whether the request originated from a legitimate Windows device, enabling even a Linux machine to register as a compliant identity object within the tenant.
Once the phantom device was registered, the attackers escalated access by minting a Primary Refresh Token (PRT) with falsified device claims. When exchanged for access tokens, Azure AD treated the session as coming from a trusted, device-compliant source, thereby bypassing Conditional Access policies requiring managed or compliant devices. Additional weaknesses in Microsoft Intune further strengthened the attack chain, as the platform accepted self-declared hybrid domain-join status without validating against on-premises Active Directory. This allowed the fake device to become “compliant” despite missing critical security controls such as BitLocker, Secure Boot, or antivirus, ultimately enabling access to internal applications and sensitive infrastructure metadata.
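The chain described above leaves a recognisable sequence in the tenant's own logs: a sign-in blocked by Conditional Access (AADSTS53003), followed by a device code sign-in whose target resource is the Device Registration Service, followed by a "Register device" audit event for the same account. The following detection logic is an added example, not code from the advisory or from the researchers; it runs over constructed records shaped like Microsoft Graph sign-in and directory audit exports (field names such as authenticationProtocol, status.errorCode and activityDisplayName are the real Graph ones, the values are made up), and the six-hour correlation window is an assumed tuning choice.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID sign-in and audit log
# exports (Graph signIn / directoryAudit fields; values invented for this example).
SIGNINS = [
    {   # Conditional Access blocks alice's stolen password: AADSTS53003
        "userPrincipalName": "alice@example.com",
        "createdDateTime": "2024-05-01T09:00:00Z",
        "authenticationProtocol": "oAuth2",
        "resourceDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 53003},
        "deviceDetail": {"operatingSystem": "Linux", "isCompliant": False},
    },
    {   # 20 minutes later: device code flow straight to the DRS
        "userPrincipalName": "alice@example.com",
        "createdDateTime": "2024-05-01T09:20:00Z",
        "authenticationProtocol": "deviceCode",
        "resourceDisplayName": "Device Registration Service",
        "status": {"errorCode": 0},
        "deviceDetail": {"operatingSystem": "Linux", "isCompliant": False},
    },
    {   # bob uses device code flow legitimately for a CLI tool, no DRS involved
        "userPrincipalName": "bob@example.com",
        "createdDateTime": "2024-05-01T10:00:00Z",
        "authenticationProtocol": "deviceCode",
        "resourceDisplayName": "Microsoft Graph",
        "status": {"errorCode": 0},
        "deviceDetail": {"operatingSystem": "MacOs", "isCompliant": True},
    },
]

AUDITS = [
    {   # alice's phantom device appears five minutes after the DRS sign-in
        "activityDisplayName": "Register device",
        "activityDateTime": "2024-05-01T09:25:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
        "targetResources": [{"displayName": "DESKTOP-PHANTOM"}],
    },
    {   # carol enrols a real laptop through the normal Windows flow
        "activityDisplayName": "Register device",
        "activityDateTime": "2024-05-01T11:00:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
        "targetResources": [{"displayName": "LAPTOP-CAROL"}],
    },
]

AADSTS_BLOCKED_BY_CA = 53003           # "Access has been blocked by Conditional Access policies"
DRS_RESOURCE = "Device Registration Service"


def parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_phantom_device_chains(signins, audits, window=timedelta(hours=6)):
    """Per user, correlate: (optional) CA block -> device code sign-in to the DRS
    -> 'Register device' audit event. One finding per suspicious DRS sign-in."""
    signins_by_user = defaultdict(list)
    for s in signins:
        signins_by_user[s["userPrincipalName"]].append(s)

    regs_by_user = defaultdict(list)
    for a in audits:
        if a["activityDisplayName"] == "Register device":
            upn = a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
            regs_by_user[upn].append(a)

    findings = []
    for upn, events in signins_by_user.items():
        blocked_at = [parse_ts(e["createdDateTime"]) for e in events
                      if e["status"]["errorCode"] == AADSTS_BLOCKED_BY_CA]
        for e in events:
            if e["authenticationProtocol"] != "deviceCode" or e["resourceDisplayName"] != DRS_RESOURCE:
                continue
            t = parse_ts(e["createdDateTime"])
            # A registration shortly after a device code sign-in to the DRS is the core signal.
            later_regs = [r for r in regs_by_user[upn]
                          if t <= parse_ts(r["activityDateTime"]) <= t + window]
            if not later_regs:
                continue
            # A preceding CA block for the same account is what makes it look like a bypass attempt.
            recently_blocked = any(t - window <= b <= t for b in blocked_at)
            findings.append({
                "user": upn,
                "severity": "high" if recently_blocked else "medium",
                "drs_signin_os": e["deviceDetail"]["operatingSystem"],
                "registered_devices": [r["targetResources"][0]["displayName"] for r in later_regs],
            })
    return findings


if __name__ == "__main__":
    for f in find_phantom_device_chains(SIGNINS, AUDITS):
        print(f)
```

On the constructed data only alice is flagged, at high severity: bob's device code sign-in targets Microsoft Graph rather than the DRS, and carol registered a device without any device code sign-in at all. In production the same logic would run over the Graph auditLogs/signIns and auditLogs/directoryAudits collections (or their Log Analytics tables).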
Beyond device spoofing, the research also exposed systemic identity risks in hybrid environments. A total of 255 highly privileged directory roles, including Global Administrators, were found to be synced from on-premises Active Directory, meaning compromise of local identities could directly lead to full cloud tenant takeover. To mitigate these risks, defenders are advised to enforce stricter Conditional Access policies that block device code flows, require MFA for device registration, and mandate TPM 2.0-backed attestation for token issuance. Additionally, organizations should rely on external device health validation services, restrict Graph API access to prevent large-scale enumeration, and ensure privileged roles are managed exclusively through cloud-only accounts protected by Privileged Identity Management.
Impact
- Security Bypass
- Gain Access
Remediation
- Deploy Conditional Access policies in report-only mode first, then enforce them to fully block risky authentication flows such as device code flow in unmanaged scenarios.
- Require Multi-Factor Authentication (MFA) for all device registration and identity provisioning actions.
- Block or tightly restrict Device Registration Service (DRS) abuse by limiting who can register devices and under what conditions.
- Mandate TPM 2.0-based attestation for Primary Refresh Token (PRT) issuance to ensure hardware-backed device trust.
- Enforce strict device compliance policies in Microsoft Intune, including BitLocker, Secure Boot, antivirus, and OS integrity checks.
- Integrate and rely on Microsoft Health Attestation Service for independent device health verification instead of self-reported compliance data.
- Disable or tightly control hybrid join trust assumptions, ensuring on-premises identity claims are fully validated before granting cloud trust.
- Restrict Microsoft Graph API access to prevent unauthorized bulk enumeration of users, roles, and directory structures.
- Implement Privileged Identity Management (PIM) and ensure all privileged roles are cloud-only and just-in-time activated.
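The first two remediation items map directly onto two Conditional Access policies: one that blocks the device code flow for all users and applications, and one that requires MFA for the "register device" user action. The example below is added here and is not code from the advisory; it builds the request bodies for the Microsoft Graph endpoint POST /identity/conditionalAccess/policies (the conditions.authenticationFlows.transferMethods, includeUserActions and builtInControls fields are the real Graph schema) and audits a constructed policy export to report whether each control is enforced, report-only, or absent. The excluded_groups parameter, for a break-glass account group, is this example's own addition.

```python
import json

DEVICE_CODE = "deviceCodeFlow"                    # conditionalAccessTransferMethods value
REGISTER_DEVICE_ACTION = "urn:user:registerdevice"  # user action for device registration/join


def block_device_code_policy(report_only=True, excluded_groups=()):
    """Body for POST /identity/conditionalAccess/policies: block device code flow
    for every user and application. Start report-only, then flip to 'enabled'."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": DEVICE_CODE},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def mfa_for_device_registration_policy(report_only=True):
    """Body that requires MFA whenever a user registers or joins a device."""
    return {
        "displayName": "Require MFA to register or join devices",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_DEVICE_ACTION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def _transfer_methods(policy):
    # Graph serialises this flags enum as a comma-separated string.
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def policy_blocks_device_code(policy):
    conds = policy.get("conditions") or {}
    users = conds.get("users") or {}
    apps = conds.get("applications") or {}
    grant = policy.get("grantControls") or {}
    return (DEVICE_CODE in _transfer_methods(policy)
            and "All" in (users.get("includeUsers") or [])
            and "All" in (apps.get("includeApplications") or [])
            and "block" in (grant.get("builtInControls") or []))


def policy_requires_mfa_for_registration(policy):
    conds = policy.get("conditions") or {}
    users = conds.get("users") or {}
    apps = conds.get("applications") or {}
    grant = policy.get("grantControls") or {}
    return (REGISTER_DEVICE_ACTION in (apps.get("includeUserActions") or [])
            and "All" in (users.get("includeUsers") or [])
            and "mfa" in (grant.get("builtInControls") or []))


def coverage(policies, predicate):
    """'enforced', 'report-only' or 'none' for the control the predicate tests.
    A report-only policy counts only if no enforced one exists."""
    states = {p.get("state") for p in policies if predicate(p)}
    if "enabled" in states:
        return "enforced"
    if "enabledForReportingButNotEnforced" in states:
        return "report-only"
    return "none"


# Constructed export of a tenant's existing policies (GET /identity/conditionalAccess/policies):
# a generic MFA policy plus a device code block that was never taken out of report-only.
EXPORTED_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    block_device_code_policy(report_only=True),
]

if __name__ == "__main__":
    print("device code flow block:", coverage(EXPORTED_POLICIES, policy_blocks_device_code))
    print("MFA for device registration:", coverage(EXPORTED_POLICIES, policy_requires_mfa_for_registration))
    print(json.dumps(block_device_code_policy(report_only=False), indent=2))
```

Against the constructed export the audit reports the device code block as report-only and MFA for device registration as absent, which is exactly the gap the attack chain in this advisory exploits: a general MFA-for-all policy does not cover the device registration user action, and a report-only policy blocks nothing.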