
Phishing The Resistant: Phishing For Primary Refresh Tokens In Microsoft Entra - Dirk-Jan Mollema

DEFCON Switzerland

Dirk-Jan Mollema (Outsider Security)

Microsoft Entra ID (formerly Azure AD) offers many options to harden your tenant against attackers.
Most of these options are enforced through Conditional Access policies, which for example let you restrict users to authenticating only with phishing-resistant MFA methods such as YubiKeys and Windows Hello for Business. These MFA methods are resistant to common attacks, such as attacker-in-the-middle attacks via fake login pages, because they will only authenticate against the real Microsoft websites. There is, however, a catch: the provisioning of such MFA methods is often done in scenarios where such strong authentication cannot be enforced, such as during device setup. In this talk we will see that by phishing for regular refresh tokens, using some of the tricks Microsoft itself uses during Windows installation, we can actually obtain a Primary Refresh Token and even provision these phishing-resistant authentication methods ourselves. The talk will also cover the new mitigations Microsoft introduced to combat these attacks, and what you can do to protect your tenant.
