Rogue Administrators Escalating Accounts In Microsoft Azure AD


Recently a permissions flaw was identified by Preempt Security that could allow rogue administrators to escalate account privileges and gain unlimited access to a company's Microsoft Azure AD instance.


Microsoft has not yet released a patch to fix this bug, but rather has made a PowerShell script available that will adjust the permission of the Active Directory for Microsoft Azure AD instanced in conjunction with a piece of software to protect customers from the vulnerability. Microsoft has announced that future versions of the software will not be detrimentally affected by this vulnerability.

Microsoft stated, “Before this release, the account was created with settings that allowed a user with password administrator rights the ability to change the password to a value known to them. This allowed you to sign in using this account, and this would constitute an elevation of privilege security breach. This release tightens the setting on the account that is created and removes this vulnerability.”

This issue allows users who are ‘trusted’ with limited or temporary privileges within the domain to perform functions such as changing passwords, adding users to the administrative group, or simply escalating their own privileges.

Roman Blachman, CTO and co-founder of Preempt Security, went on to explain that ‘stealthy admins’ can increase their access to a domain gradually over time or in a single silent attack. One scenario he described: a rogue technical support representative uses their limited password-management privilege to change the domain administrator's password, logs in as the domain admin, and then either creates their own domain-admin-level account or raises the permission level of another existing account whose password they have also changed.

“The flaw allows a support operator to replicate all of the domain passwords of every user and compromise any account in the domain and give themselves full administrator rights,” Blachman said. “So, this support operator could go from having limited access to making themselves a domain admin.”

Another attack discussed: a rogue admin with limited privileges who has the right to add or remove users from the administrative group itself could simply add themselves to that group and be granted a higher level of authority and functionality within the domain.

To raise your heart rate further, especially if you have a Microsoft Azure Active Directory instance: Preempt Security said that many stealthy admins would also target MSOnline (MSOL) PowerShell, a highly capable module that is part of Microsoft Azure Active Directory, mainly because it can operate as a service account with little to no fear of being identified. “Such (service) accounts are often less monitored than full domain admins even though they have relatively high privileges,” Preempt stated.

“Imagine a help desk technician with permissions to reset non-admin passwords but no other domain admin privileges. Because the MSOL account is generated under the Built-in Users container, and the Built-in Account Operators group (e.g. helpdesk team) has permissions to reset passwords for the Built-in Users container, this gives the account operator full de facto access to domain passwords, as well as other elevated privileges (e.g. Domain Admin),” a researcher wrote in a technical write up of the vulnerability.

“Now the stealthy admin can log into Azure AD Connect and reconfigure the account so everything would work properly and no one would ever notice the changes to the account,” Blachman said.   

What Does This Mean If I Have A Microsoft Azure AD Instance?

Luckily, Microsoft has not only acknowledged the issue but has also released Microsoft Security Advisory 4056318 and a PowerShell script. The script specifically addresses who is able to modify Active Directory domain accounts, and the modification of the AD DS Synchronization account (MSOL) itself.

That being said, Your Digital Mind cannot stress enough that your approach should be twofold.

First, and of course the quickest: find and apply MSA 4056318 and its PowerShell script in your Microsoft Azure Active Directory instance.

Secondly, go the old-fashioned route: pour some coffee and manually go through your AD instance and check each and every account. I know this sounds tedious and boring, but if someone has compromised your account and is truly being a ‘stealthy, rogue administrator’, this may be the only way you will ever identify and remedy the issue before it gets worse.
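As an added example (not part of the original post, and not Microsoft's remediation script), the following PowerShell audit lists every principal that holds reset-password or full-control rights on the MSOL_ synchronization account, which is exactly the exposure the researcher quote above describes and the kind of thing the manual account review is looking for. It assumes the RSAT ActiveDirectory module on a domain-joined host, that the sync account keeps its default MSOL_ name prefix, and that the list of expected principals matches your domain.

```powershell
# Added audit example: not from the article and not Microsoft's remediation script.
# Assumes the RSAT ActiveDirectory module on a domain-joined host and that the
# Azure AD Connect sync account uses the default MSOL_ name prefix.
Import-Module ActiveDirectory

# Extended right "User-Force-Change-Password": reset a password without knowing the old one.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Rights that hand over full control of the object (and therefore its password).
$FullControlRights = @('GenericAll', 'WriteDacl', 'WriteOwner')
# Principals expected to hold such rights (assumed list; adjust for your domain).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

function Get-MsolAccountExposure {
    foreach ($acct in Get-ADUser -Filter 'SamAccountName -like "MSOL_*"') {
        # The AD: drive provided by the ActiveDirectory module exposes the object's DACL.
        $acl = Get-Acl -Path "AD:\$($acct.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            # An ExtendedRight ACE with an empty ObjectType grants *all* extended rights.
            $canReset = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                        ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [guid]::Empty)
            $fullControl = @($FullControlRights | Where-Object {
                $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$_) }).Count -gt 0
            if (-not ($canReset -or $fullControl)) { continue }
            [pscustomobject]@{
                Account            = $acct.SamAccountName
                Principal          = $ace.IdentityReference.Value
                Rights             = $rights.ToString()
                Inherited          = $ace.IsInherited        # inherited from the Users container?
                InheritanceBlocked = $acl.AreAccessRulesProtected
                Unexpected         = $ExpectedPrincipals -notcontains $ace.IdentityReference.Value
            }
        }
    }
}

# Report only principals that should not be able to take over the sync account.
Get-MsolAccountExposure | Where-Object Unexpected | Format-Table -AutoSize
```

A row such as BUILTIN\Account Operators with an inherited reset-password right, and InheritanceBlocked set to False, is the condition the advisory's script is meant to remove; re-run the audit after applying it to confirm the change took effect.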
