Here is an example of a tenant using username and password. MSODS: MSODS is Microsoft Online Directory Services, a feature of Azure Active Directory that also includes Azure Active Directory B2B. OctoSeptember 30, 2018:Įvolved Security Token Service (eSTS): eSTS provides a stateless service that accesses multiple principal and key stores.ĮSTS absorbs the roles of multiple STSs, so that users see one Azure AD STS.ĮSTS relies on MSODS to hold information required to complete the authentication.ĮSTS supports a number of protocols including OAuth 2.0, Open ID Connect, WS-Fed, and Security Assertion Markup Language (SAML) protocol. But what is eSTS?Īccording to Microsoft Azure SOC 3 Report. eSTSīased on our observations, when logging in to Azure AD tenant, you are actually logging in to eSTS. The resource tenant user object has an array of alternativeSecurityIds and one of them (of type 5) equals the PUID (aka LiveId) attribute of the home tenant user object.
The two objects are linked to each other.
Microsoft calls these tenants resource tenants.Īfter user accepts the invitation, a corresponding user object is created to the resource tenant. Users are also able to log in to other tenants, if they are invited there as guests. Microsoft is calling this to home tenant. Users can log in to the tenant using the authentication methods configured by the administrators. Luckily, he did 😉 Azure ADĪzure Active Directory (Azure AD) is Microsoft’s Identity and Access Management (IAM) service used by Microsoft 365 and Azure, but also by thousands of third party service providers.Īn instance of Azure AD is called tenant. I replied to Sravan and asked him to DM me if he’d like me to have a look on his case. This story, like many others, began after a tweet: The blog is co-authored with and is based on his findings. We’ll introduce the issue, describe how to exploit it, show how to detect exploitation, and finally, how to prevent the exploitation. This blog post tries to shed some light on how Azure AD authentication works under-the-hood. However, because of Azure AD authentication platform architecture, users can bypass home tenant MFA and CA policies when logging in directly to resource tenants. Multi-factor Authentication (MFA) and Conditional Access (CA) policies are powerful tools to protect Azure AD users’ identities.įor instance, one may allow access only from compliant devices and require MFA from all users. Summary of the home tenant control options.Final response from Microsoft Security Response Center (MSRC):.
0 kommentar(er)
