[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.6\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n
Product<\/strong>: Entra ID Conditional Access is Microsoft's Zero Trust policy engine to use identity-driven signals to enforce granular access control decisions. Privileged Identity Management (PIM) is a service in Microsoft Entra ID that provides just-in-time access to directory roles. Roles can be assigned eligible and only activated when needed.<\/p>\n Assume Conditional Access is used to protect privileged users by including directory roles. In the worst-case, there are no Conditional Access policies that apply to every user, hence leaving the administrative users fully unprotected. Assume that an attacker knows the username and password of a user who is eligible to activate and use administrative roles via PIM.
Affected Version<\/strong>: SomeVersion
Vulnerability Type<\/strong>: Insufficient Granularity of Access Control (CWE-1220)
Security Risk<\/strong>: High
Vendor<\/strong>: Microsoft
Vendor URL<\/strong>: https:\/\/microsoft.com<\/a>
Vendor acknowledged vulnerability<\/strong>: No
Vendor Status<\/strong>: Not fixed
CVE Number<\/strong>: Not requested yet
CVE Link<\/strong>: Not requested yet
Advisory ID<\/strong>: usd-2025-73<\/p>\nDescription<\/h3>\n
It is common, that administrative users are secured using Conditional Access.
Therefore, a distinct set of Conditional Access policies can be applied specifically to the admin persona.
One commonly used option to apply Conditional Access policies to administrative users is to include specific built-in directory roles.
According to the documentation<\/a> in this case, the Conditional Access policies apply to users actively assigned a directory role.<\/p>\n
Furthermore, assume an administrative user does not have any active role assignments but is eligible for a privileged role.
If this user signs in, the Conditional Access policies will not apply. The user is now able to get an access token for their own identity.
Next, the user can activate the directory role using PIM in the browser.
In the browser, the user is now required to fulfill the Conditional Access requirements.
If the requirements are not met, the user is not able to access anything protected with Conditional Access in the Browser.
However, the previously issued access token remains valid and can be used with the now actively assigned permissions.
This allows bypassing every Conditional Access policy that is designed to protect administrative identities by including directory roles.<\/p>\n
In this case, only the user account name and password would be required to compromise an administrative account.
In addition - because the mandatory MFA enforcement requires MFA to access the admin portal - an attacker would need to wait until the legitimate user activates an administrative role.<\/p>\nProof of Concept<\/h3>\n
The administrative account has an administrative directory role eligible assigned.
There are only Conditional Access policies that target administrative directory roles.<\/p>\n