Entra ID Master Key - Google Chrome extension


Entra ID Master Key extension in action

Introduction

Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), is a powerful cloud-based identity and access management service developed by Microsoft and used by more than 30,000 companies.

Context

In November 2022 I wrote an article about Microsoft Active Directory - authorization bypass. Since then, Microsoft has updated the documentation and released the successor of Azure AD, Microsoft Entra ID. If you read the documentation carefully, you will notice a note stating that using the "Restrict access to Microsoft Entra administration portal" switch is NOT a security measure.

In simple terms, this means that the switch is useless for effective user permission management: it only hides portal views, it does not restrict what the account can read. For example, if a regular user WITHOUT any special role decides to use the CLI or PowerShell to retrieve data from Azure, they will be able to access a lot of information. Many organizations may consider this data sensitive or confidential (e.g. user devices, operating system versions, company applications integrated with Azure, and much more).

To remove the need for the CLI or PowerShell, I decided to create a Google Chrome extension that lets any user access, through the portal UI, everything they are actually allowed to access.

Microsoft Entra ID functionalities

Going back to Entra ID, we may notice that the core functionalities are the same as they were in Azure AD, meaning that the logic the Azure portal uses to determine which views a user is allowed to see is also the same. With this in mind, I decided to intercept the requests between the client (web browser) and the Azure portal to see if I could somehow trick the client into thinking it has full privileges.

I found that the client sends some requests to Microsoft APIs to identify which level of permissions the user has. JavaScript in the portal then processes the response and determines whether the client should send further requests to retrieve the data the user wants to access, or stop and display a "No Access" message.

Permission APIs

The requests we are interested in intercepting come from *://graph.microsoft.com/* and *://main.iam.ad.ext.azure.com/*. For permission purposes we only need to intercept the following subset of URLs:

  • {URL}/beta/roleManagement/directory/estimateAccess
  • {URL}/api/Permissions
  • {URL}/api/Permissions?forceRefresh=false
  • {URL}/api/Permissions?forceRefresh=true

Once a request is intercepted, the client's payload is analysed and, for certain cases, the response from the server is discarded and replaced with a JSON object that tricks the client into thinking the user is an administrator. The replacement happens only on the client side; the server never sees anything different.

Please note that in reality the user only has the roles they had before; no vulnerability is being exploited either. The user can ONLY access information that is already available to them through the CLI, PowerShell or the Graph API, because every data request is still authorized by the server against the user's real roles.

Client - Server (Entra ID) flow

Here is an example of a regular Client <---> Entra ID flow, without the extension.

Browser communicating with Entra ID. The flow stops when the "No access" message is received.

Result of communication without extension

And here is an example of the same flow, but with the extension turned ON.

Browser communicating with Entra ID. Even when the server replies "No access", the flow continues, because the extension replaces the original server response with a premade one.

Result of communication with extension

As you can see in the images above, with the extension turned ON the portal shows you everything your account can already read, just as you would see it through the CLI or PowerShell.
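The interception described in the Permission APIs section and the two flows above, as an added JavaScript example that is not the extension's own code. The hostnames and paths are the ones listed in the Permission APIs section; everything else is an assumption made for the simulation, because the page does not show the real payloads: the shape of the premade JSON (`isAdmin`), the client-side gate that reads it, the stand-in server (`fakeServer`), the `fetch`-style wrapper (`interceptingFetch`), and the choice to match any listed path on either host.

```javascript
// Added example (not the extension's own code): simulates the interception the
// page describes. Hosts and paths come from the "Permission APIs" list; the
// reply shape (isAdmin), the client-side gate, the stand-in server and the
// fetch wrapper are assumptions made for this simulation.

// Hosts from the match patterns *://graph.microsoft.com/* and
// *://main.iam.ad.ext.azure.com/* (the scheme wildcard covers http and https).
const INTERCEPTED_HOSTS = new Set(['graph.microsoft.com', 'main.iam.ad.ext.azure.com']);

// Paths from the "subset of URLs" list. The ?forceRefresh=false / ?forceRefresh=true
// variants of /api/Permissions are handled in isPermissionRequest below.
const INTERCEPTED_PATHS = [
  /^\/beta\/roleManagement\/directory\/estimateAccess$/i,
  /^\/api\/Permissions$/i,
];

// Decide whether a request URL is one of the permission-check calls.
function isPermissionRequest(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // relative or malformed URL: leave it to the browser
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  if (!INTERCEPTED_HOSTS.has(url.hostname.toLowerCase())) return false;
  if (!INTERCEPTED_PATHS.some((re) => re.test(url.pathname))) return false;
  // Only the listed query variants count; anything else passes through untouched.
  const params = [...url.searchParams.keys()];
  if (params.length === 0) return true;
  if (params.length === 1 && params[0] === 'forceRefresh') {
    const v = url.searchParams.get('forceRefresh');
    return v === 'true' || v === 'false';
  }
  return false;
}

// Premade reply (assumed shape) that the portal's JavaScript reads as "administrator".
const PREMADE_ADMIN_REPLY = { isAdmin: true };

// Wrap a fetch-like function: when the extension is enabled and the URL is a
// permission check, discard the real reply and return the premade one.
// Every other request (the actual data requests) reaches the server unchanged.
function interceptingFetch(realFetch, { enabled, premadeReply }) {
  return (urlString, init) => {
    const serverResponse = realFetch(urlString, init);
    if (!enabled || !isPermissionRequest(urlString)) return serverResponse;
    return { status: 200, body: premadeReply, substituted: true };
  };
}

// Portal client as a two-step flow (assumed): ask for permissions, then either
// stop with "No access" or go on to request the data the user wants.
function runPortalFlow(fetchImpl) {
  const permission = fetchImpl('https://main.iam.ad.ext.azure.com/api/Permissions?forceRefresh=false');
  if (permission.status !== 200 || permission.body.isAdmin !== true) {
    return { outcome: 'No access', requests: 1 };
  }
  const users = fetchImpl('https://graph.microsoft.com/beta/users');
  return { outcome: 'data', requests: 2, data: users.body };
}

// Constructed stand-in for Entra ID: the permission endpoint says "not an admin",
// but the directory listing is still readable by the same account, which is the
// page's point. A server-side authorization failure would still fail here.
function fakeServer(urlString) {
  if (isPermissionRequest(urlString)) return { status: 200, body: { isAdmin: false } };
  return { status: 200, body: [{ displayName: 'Constructed User', userPrincipalName: 'user@example.com' }] };
}

function flowWithoutExtension() {
  return runPortalFlow(interceptingFetch(fakeServer, { enabled: false, premadeReply: PREMADE_ADMIN_REPLY }));
}

function flowWithExtension() {
  return runPortalFlow(interceptingFetch(fakeServer, { enabled: true, premadeReply: PREMADE_ADMIN_REPLY }));
}

console.log('without extension:', flowWithoutExtension());
console.log('with extension   :', flowWithExtension());
```

Without the extension the simulated client stops after the single permission request; with it, the substituted reply lets the client continue to the data request, which the stand-in server answers exactly as it would for the CLI. Note what the wrapper does not do: it never touches the data requests, so if the server denies one of those, the extension cannot help.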

Installation

Option #1 - Install the extension from the Chrome Web Store

Option #2 - Clone the GitHub repository

  1. Download the extension from GitHub. You can clone the repository to your computer or download a ZIP file from the releases page.
  2. Unzip the .zip file (if you downloaded it in the previous step).
  3. Open your Chromium-based browser (Microsoft Edge, Google Chrome, Brave, Opera, Vivaldi, etc.) and open the "Extensions" tab.
  4. Activate the "Developer mode" toggle (usually located at the top or in the left sidebar).
  5. Click "Load unpacked" and select the folder containing the extension.
  6. Visit https://portal.azure.com, turn ON the extension, refresh the page and then open the Entra ID service.
  7. Have fun!

Installation steps illustrated

What do you get from Entra ID with this extension? (in cases where Entra ID is only "protected" by the UI restriction)

  • Exactly the same features/information that you can access through the Graph API, CLI or PowerShell, for example:
  • List all groups that exist on the tenant
  • List all users and retrieve their information
  • List App Registrations (names, URIs, exposed APIs, roles, secret IDs, etc.)
  • List Enterprise applications
  • List devices (name, operating system version, etc.)
  • Create new tenants (an active Azure subscription is required for this action. Depending on your organization settings, only Azure AD B2C tenants may be allowed)