Entra ID Domain Federation Configuration Change
Adversaries with Global Administrator or Domain Administrator privileges may add a custom domain, verify ownership, and configure it to federate authentication with an attacker-controlled identity provider, allowing token forgery and bypassing MFA and conditional access policies for persistent, stealthy access to victim tenants.
This threat brief focuses on the detection of malicious domain federation modifications within Microsoft Entra ID tenants. Attackers who have obtained Global Administrator or Domain Administrator privileges can exploit this functionality to establish persistent access. This involves adding a custom domain, verifying its ownership, and then configuring it to federate authentication with an identity provider controlled by the attacker. Once successfully federated, the attacker can forge SAML or WS-Federation tokens. This enables them to authenticate as any user within the compromised domain, effectively bypassing multi-factor authentication (MFA) and conditional access policies. This technique, known as Golden SAML, has been observed in campaigns such as the SolarWinds attack attributed to UNC2452 (APT29). Defenders must monitor for unauthorized domain federation activities to prevent persistent compromise.
Attack Chain
- Initial Compromise: The attacker gains initial access and escalates privileges to either Global Administrator or Domain Administrator within the Entra ID tenant.
- Add Unverified Domain: The attacker adds a custom domain to the Entra ID tenant using the Microsoft Graph API, which is initially in an unverified state.
- Verify Domain Ownership: The attacker verifies ownership of the newly added domain, often by adding a DNS TXT record.
- Set Domain Authentication: The attacker sets the domain authentication type to federated using the
Set domain authenticationaction. This action initiates the domain federation process. - Set Federation Settings: The attacker configures federation settings on the domain, pointing to an attacker-controlled identity provider (IdP). The
Set federation settings on domainevent will correlate to the "Set domain authentication" via thecorrelation_idfield. - Token Forgery: The attacker forges SAML or WS-Federation tokens using the attacker-controlled IdP to impersonate any user within the federated domain.
- Access Resources: The attacker uses the forged tokens to authenticate to various resources within the Entra ID tenant, bypassing MFA and conditional access policies.
- Persistent Access: The attacker maintains persistent access to the Entra ID tenant by continuously generating valid tokens as needed, allowing them to conduct reconnaissance, exfiltrate data, or perform other malicious activities.
Impact
Successful exploitation of domain federation vulnerabilities can lead to a complete compromise of the Entra ID tenant. Attackers can gain unauthorized access to sensitive data, applications, and resources. The SolarWinds attack demonstrated the potential for widespread supply chain compromise and data exfiltration. The lack of visibility into token forgery makes this attack particularly stealthy and difficult to detect. If successful, attackers can maintain persistent access for extended periods, causing significant financial and reputational damage.
Recommendation
- Deploy the Sigma rule "Entra ID Domain Federation Configuration Change" to your SIEM and tune for your environment to detect unauthorized domain federation changes.
- Enable Azure integration with Microsoft Entra ID Audit Logs data stream and ingest into your Elastic Stack deployment as required by the Sigma rule.
- Review and restrict who has Domain Administrator or Global Administrator roles using Privileged Identity Management (PIM) as mentioned in the rule documentation.
- Implement alerts on domain management operations and restrict domain federation changes via conditional access policies as mentioned in the rule documentation.
- If unauthorized domain federation changes are detected, follow the response and remediation steps outlined in the rule documentation, including removing the federation configuration and revoking active sessions.
- Query the Graph API to retrieve the actual federation configuration details, since they are not logged in the audit event:
Get-MgDomainFederationConfiguration -DomainId "<domain>".
Detection coverage 3
Entra ID Domain Federation Configuration Change
highDetects when domain federation settings are configured or modified in an Entra ID tenant via the Microsoft Graph API.
Entra ID Domain Added
mediumDetects when a new domain is added to Entra ID which can be a precursor to domain federation attacks.
Entra ID Domain Verification
mediumDetects when a domain is verified in Entra ID which often follows the addition of an unverified domain in preparation for domain federation attacks.
Detection queries are available on the platform. Get full rules →