Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent

Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent

Azure AD Connect Health is a feature that allows viewing the health of on-prem hybrid infrastructure components, including Azure AD Connect and AD FS servers. Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021, also AD FS sign-in events are gathered and sent to Azure AD.

In this write-up (based on a Threat Analysis report by Secureworks), I’ll explain how anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log. Moreover, I’ll show how Global Administrators can register fake agents to Azure AD - even for tenants not using AD FS at all.

Exporting AD FS certificates revisited: Tactics, Techniques and Procedures

Exporting AD FS certificates revisited: Tactics, Techniques and Procedures

I’ve talked about AD FS issues for a couple years now, and finally, after the Solorigate/Sunburst, the world is finally listening :wink:

In this blog, I’ll explain the currently known TTPs to exploit AD FS certificates, and introduce a totally new technique to export the configuration data remotely.

Deep-dive to Azure Active Directory Identity Federation

Deep-dive to Azure Active Directory Identity Federation

Identity federation is regarded as the most secure way to authenticate users to Azure AD. In this blog, I’ll deep-dive to identity federation implementation of Azure AD and point out some serious security issues.

How to enable SSO for all browsers

How to enable SSO for all browsers

By default, AD FS only supports SSO with Internet Explorer. However, you can easily enable support for Google Chrome, Firefox, and Edge.