Pass the CA
Pass-the-CA is a technique for bypassing Azure AD Conditional Access policies. There are currently four known techniques for evading CA policies, and the one described in this post is the simplest way to bypass Azure AD Conditional Access. This post focuses on how to Pass the CA.
An administrator can use signals from conditions such as user, risk, device, or location to improve policy decisions within an Azure AD Conditional Access policy.
Azure AD Conditional Access protects token issuance, and policies are evaluated after authentication: they apply to the token request at sign-in, or when a refresh token is used to obtain a new access token. The critical concept to understand is that what you see in Azure AD Conditional Access as "Cloud apps" is the set of token audiences the policy protects.
So, how is your cloud security these days? Hopefully it is backed by the right tools and procedures.
Azure AD Device-based Conditional Access
Azure AD Device-based Conditional Access defends resources against access from devices that don't meet Azure AD security policies, for example unknown or unmanaged devices.
You can set policies based on the following standard requirements:
- Domain-joined devices: a policy can restrict access to devices joined to an on-premises Active Directory domain and registered with Azure AD (hybrid Azure AD joined).
- Compliant devices: a policy can restrict access to devices marked compliant in the management system. You can use this policy to limit access to the following devices:
  - Domain-joined devices that are managed and part of a hybrid configuration
  - iOS and Android devices managed by Intune
  - Personal devices managed by Intune or by a supported third-party MDM
Note: access is denied if attempted from a device that doesn't meet the policy requirements.
The Security Issue
“The device platform is characterized by the operating system that runs on a device. Azure AD identifies the platform by using the information provided by the device, such as user-agent strings.
Since user agent strings can be modified, this information is unverified. The device platform should be used in concert with Microsoft Intune device compliance policies or as part of a block statement. The default is to apply to all device platforms.”
For more information, see Conditional Access: Conditions in the Microsoft Docs.
Azure AD Conditional Access determines the device platform from the user-agent string presented by the browser or application. Because the client controls that string, the condition can easily be spoofed.
As a result, when a policy is scoped by the device platform condition, a client that presents a user agent for a platform outside that scope isn't subject to the policy at all.
Test: an Azure AD Conditional Access policy with the following settings:
- Specific User (test in my scenario)
- All cloud apps
- Windows 10 selected as the device platform
- Access control: Block
With the policy applied, here are the results of signing in from a Windows 10 device and from an Android device.
Sign-in from the Windows 10 device is blocked, as configured in Azure AD Conditional Access, and this is what it looks like from the user's perspective.
In the Azure AD sign-in logs it appears as follows. Good for us, no? The user is blocked.
Now the same sign-in test from the Windows 10 device, but through the browser's device emulation (an Android or iPhone user agent), to the Office 365 portal. The user can access it without any problem.
In the Azure AD sign-in logs everything appears as a successful sign-in from an Android device.
Note: the same applies to MFA. If MFA is required by a policy scoped with the device platform condition, an attacker who holds the user's clear-text password can sign in from a spoofed platform and the MFA requirement won't apply.
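To make the mechanism concrete, the following script is an added example (not code from the original post) that models the user-agent-derived platform condition and the block policy tested above, then hunts sign-in records for the fingerprint this bypass leaves: a Conditional Access block followed minutes later by a success for the same user from the same IP with a different reported operating system. The UPN, IP addresses and sign-in rows are constructed; the record fields follow the Microsoft Graph signIn resource, and error code 53003 is "Access has been blocked by Conditional Access policies".

```python
"""Model of the user-agent-derived device platform condition and the block
policy tested above, followed by a hunt over sign-in log records for the
bypass pattern. This is an added example, not code from the original post;
the UPN, IP addresses and sign-in rows are constructed."""
import re
from datetime import datetime, timedelta

# Device platform derived from the unverified User-Agent header. Order matters:
# Android UAs also contain "Linux", and iPhone/iPad UAs contain "Mac OS X".
_PLATFORM_RULES = [
    ("Android", re.compile(r"Android")),
    ("iOS", re.compile(r"iPhone|iPad|iPod")),
    ("Windows", re.compile(r"Windows NT")),
    ("macOS", re.compile(r"Macintosh")),
    ("Linux", re.compile(r"Linux")),
]

def platform_from_user_agent(ua: str) -> str:
    """Classify a User-Agent string into a device platform, as CA does."""
    for name, rx in _PLATFORM_RULES:
        if rx.search(ua):
            return name
    return "Unknown"

# The policy from the test: one user, all cloud apps, Windows platform, block.
WEAK_POLICY = {
    "users": {"test@contoso.example"},  # assumed UPN for the "test" user
    "platforms": {"Windows"},
    "control": "block",
}

def evaluate(policy: dict, user: str, ua: str) -> str:
    """Return 'blocked' or 'allowed' for a sign-in under a platform-scoped policy."""
    if user not in policy["users"]:
        return "allowed"
    if platform_from_user_agent(ua) not in policy["platforms"]:
        return "allowed"  # condition not met, so the policy is not applied at all
    return "blocked" if policy["control"] == "block" else "allowed"

WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Same Windows host, browser device emulation switched to an Android profile.
SPOOFED_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36")

# Constructed sign-in records using a subset of the Microsoft Graph signIn fields.
# errorCode 53003 is "Access has been blocked by Conditional Access policies".
SIGNINS = [
    {"userPrincipalName": "test@contoso.example", "createdDateTime": "2024-01-10T09:00:00Z",
     "ipAddress": "203.0.113.10", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}, "deviceDetail": {"operatingSystem": "Windows 10"}},
    {"userPrincipalName": "test@contoso.example", "createdDateTime": "2024-01-10T09:03:00Z",
     "ipAddress": "203.0.113.10", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Android"}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-01-10T09:05:00Z",
     "ipAddress": "198.51.100.7", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Windows 10"}},
]

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_platform_flip(signins: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Flag a CA block followed, within `window`, by a success for the same user
    from the same IP with a different reported OS: the fingerprint of this bypass."""
    hits = []
    rows = sorted(signins, key=lambda r: r["createdDateTime"])
    for i, blocked in enumerate(rows):
        if blocked["status"]["errorCode"] != 53003:
            continue
        for later in rows[i + 1:]:
            if _ts(later["createdDateTime"]) - _ts(blocked["createdDateTime"]) > window:
                break
            if (later["userPrincipalName"] == blocked["userPrincipalName"]
                    and later["ipAddress"] == blocked["ipAddress"]
                    and later["status"]["errorCode"] == 0
                    and later["deviceDetail"]["operatingSystem"]
                    != blocked["deviceDetail"]["operatingSystem"]):
                hits.append((blocked["userPrincipalName"], blocked["ipAddress"],
                             blocked["deviceDetail"]["operatingSystem"],
                             later["deviceDetail"]["operatingSystem"]))
    return hits

if __name__ == "__main__":
    for ua in (WINDOWS_UA, SPOOFED_UA):
        print(platform_from_user_agent(ua), evaluate(WEAK_POLICY, "test@contoso.example", ua))
    for hit in find_platform_flip(SIGNINS):
        print("possible platform-spoof bypass:", hit)
```

The evaluator shows the failure mode directly: the Windows user agent is blocked, the spoofed Android user agent from the same host is not, because the platform condition simply doesn't match and the policy is never applied. The hunt function is the kind of query to run over exported sign-in logs (or to translate into KQL against the SigninLogs table) to spot a user who was blocked and then succeeded from the same address as a different platform.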
How to Avoid Device Bypass
The successful bypass above stems from a misconfiguration. To avoid overlooking situations like this, follow these essential points:
- Require a minimum device posture, such as device compliance, rather than relying on the platform alone
- Create an Azure AD Conditional Access policy that includes any device platform (all platforms)
- Exclude admin accounts from this policy and cover them with dedicated policies
- Don't scope access by device or application platform alone, since the platform is a client-reported, unverified value
- Make sure an Azure AD Conditional Access policy applies to every platform, so that an unexpected platform value never falls outside all policies
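The checklist above can be turned into an automated audit. The following script is an added example, not code from the original post or from Microsoft: it walks a set of Conditional Access policies shaped like the Microsoft Graph conditionalAccessPolicy resource (so the output of GET /identity/conditionalAccess/policies can be fed in directly) and reports policies that rely on the platform condition alone, platforms no device-requiring policy covers, all-user policies that don't exclude admin roles, and the absence of a dedicated admin policy. The sample policies, the user object ID and the admin role ID are constructed.

```python
"""Audit of Conditional Access policies against the checklist above.
Added example, not code from the original post or from Microsoft. Policies use
the field names of the Microsoft Graph conditionalAccessPolicy resource; the
sample policies, user object ID and admin role ID below are constructed."""

PLATFORMS = {"android", "iOS", "windows", "windowsPhone", "macOS", "linux"}
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def _platforms(policy: dict) -> set:
    """Platforms a policy applies to; a missing condition or 'all' means every platform."""
    cond = policy["conditions"].get("platforms") or {}
    included = set(cond.get("includePlatforms") or [])
    if not included or "all" in included:
        return set(PLATFORMS)
    return included & PLATFORMS

def _controls(policy: dict) -> set:
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def _applies_to_all_users(policy: dict) -> bool:
    return "All" in (policy["conditions"]["users"].get("includeUsers") or [])

def audit(policies: list, admin_role_ids: set) -> list:
    """Return human-readable findings; an empty list means the checklist is satisfied."""
    findings = []
    covered = set()
    admin_policy = False
    for p in policies:
        if p.get("state") != "enabled":
            continue
        name = p["displayName"]
        plats = _platforms(p)
        controls = _controls(p)
        users = p["conditions"]["users"]
        # The platform is client-reported, so a policy scoped only by platform is spoofable.
        if plats != PLATFORMS and not (controls & DEVICE_CONTROLS):
            findings.append(f"{name}: scoped to {sorted(plats)} by user-agent platform only; "
                            "require compliantDevice/domainJoinedDevice or add an all-platform policy")
        if _applies_to_all_users(p) and controls & DEVICE_CONTROLS:
            covered |= plats
            if not (set(users.get("excludeRoles") or []) & admin_role_ids):
                findings.append(f"{name}: admin roles are not excluded; cover admins with a dedicated policy")
        if set(users.get("includeRoles") or []) & admin_role_ids and controls:
            admin_policy = True
    missing = PLATFORMS - covered
    if missing:
        findings.append(f"no enabled all-user policy with a device requirement covers {sorted(missing)}")
    if not admin_policy:
        findings.append("no dedicated policy targets the admin roles")
    return findings

ADMIN_ROLE_IDS = {"00000000-0000-0000-0000-00000000aaaa"}  # constructed role template ID

# The policy tested in the post: one user, all cloud apps, Windows only, block.
POST_POLICY = {
    "displayName": "Block test user on Windows 10", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["11111111-1111-1111-1111-111111111111"]},  # constructed object ID
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["windows"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# A set that satisfies the checklist: every platform, device posture required, admins separate.
HARDENED = [
    {
        "displayName": "All users: require compliant or hybrid-joined device", "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeRoles": list(ADMIN_ROLE_IDS)},
            "applications": {"includeApplications": ["All"]},
            "platforms": None,  # not configured: applies to every platform
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
    {
        "displayName": "Admins: MFA and compliant device", "state": "enabled",
        "conditions": {
            "users": {"includeRoles": list(ADMIN_ROLE_IDS)},
            "applications": {"includeApplications": ["All"]},
            "platforms": None,
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
]

if __name__ == "__main__":
    for label, pols in (("post policy", [POST_POLICY]), ("hardened", HARDENED)):
        print(label, audit(pols, ADMIN_ROLE_IDS) or ["OK"])
```

Run against the single policy from the test, the audit reports that the policy is scoped by user-agent platform alone, that no device-requiring policy covers any platform, and that admins have no dedicated policy; the hardened pair produces no findings. A policy in report-only state is skipped on purpose, since it enforces nothing.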
For more information, see the Azure AD blog posts.