Unauthorized Conditional Access Policy Creation in Azure AD
An unauthorized actor created a new Conditional Access policy in Azure AD, potentially leading to privilege escalation and unauthorized access.
This threat brief addresses the creation of a new Conditional Access (CA) policy within Azure Active Directory (Azure AD) by an actor not authorized to perform such actions. Conditional Access policies are critical security controls that enforce organizational policies based on various conditions, such as user identity, location, device, and application. Unauthorized modification or creation of these policies can lead to significant security breaches, allowing attackers to bypass security controls, escalate privileges, and gain unauthorized access to sensitive resources. This activity is detected via Azure Audit Logs.
Attack Chain
- Initial Access: The attacker gains initial access to an account with sufficient privileges to interact with Azure AD, potentially through compromised credentials or an insider threat.
- Privilege Escalation (If Needed): The attacker escalates privileges within Azure AD to a role that permits the creation or modification of Conditional Access policies.
- Policy Creation: The attacker creates a new Conditional Access policy using the Azure portal, PowerShell, or Azure CLI.
- Policy Configuration: The attacker configures the CA policy to weaken security controls, such as disabling MFA for specific users, locations, or applications.
- Bypass Security Controls: The newly created or modified CA policy allows the attacker to bypass intended security controls, granting them unauthorized access.
- Lateral Movement: With bypassed security controls, the attacker moves laterally within the network, accessing sensitive resources and data.
- Data Exfiltration/Impact: The attacker achieves their final objective, such as exfiltrating sensitive data or causing disruption to business operations.
Impact
The creation of unauthorized Conditional Access policies can have severe consequences, including unauthorized access to sensitive data, privilege escalation, and circumvention of security controls. The impact can range from data breaches and financial loss to reputational damage and disruption of critical business services. If successful, attackers could gain complete control over the Azure AD environment, affecting all connected services and applications.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect unauthorized CA policy creation events in Azure Audit Logs.
- Review Azure AD role assignments to ensure least privilege and restrict CA policy management to authorized personnel only.
- Investigate any alerts generated by the Sigma rule to identify the actor and the details of the created CA policy.
- Implement multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise.
- Monitor Azure AD audit logs for other suspicious activities, such as changes to user accounts, group memberships, and application registrations.
- Establish a baseline of expected CA policy configurations and alert on deviations from this baseline.
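As an added illustration (not part of this brief or its Sigma rule), the following Python check runs over constructed Azure AD audit-log records and raises the two conditions the recommendations above describe: a CA policy create/update initiated by a principal outside an assumed allow-list, and an enabled policy whose grant controls no longer require MFA. The activity names, the `initiatedBy`/`targetResources`/`modifiedProperties` layout and the `ConditionalAccessPolicy` property name are assumed to follow the Azure AD audit log schema; the sample records and the allow-list are constructed.

```python
import json

# Azure AD audit-log activity names for Conditional Access policy changes
# (assumed to match the activityDisplayName values Azure AD emits).
CA_POLICY_OPERATIONS = {"Add conditional access policy",
                        "Update conditional access policy"}
# Hypothetical allow-list of principals permitted to manage CA policies.
AUTHORIZED_ADMINS = {"ca-admin@example.com"}

def policy_requires_mfa(policy):
    """True if the policy's grant controls still include the MFA control."""
    controls = policy.get("grantControls") or {}
    return "mfa" in (controls.get("builtInControls") or [])

def evaluate(record):
    """Return alert strings for one audit-log record; empty list if benign."""
    if record.get("activityDisplayName") not in CA_POLICY_OPERATIONS:
        return []
    alerts = []
    actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
    if actor not in AUTHORIZED_ADMINS:
        alerts.append(f"CA policy change by unauthorized actor {actor}")
    # The new policy body travels as a JSON string inside modifiedProperties.
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "ConditionalAccessPolicy" or not prop.get("newValue"):
                continue
            new = json.loads(prop["newValue"])
            if new.get("state") == "enabled" and not policy_requires_mfa(new):
                alerts.append(f"policy '{new.get('displayName')}' enabled without MFA grant control")
    return alerts

def make_record(activity, actor, new_policy):
    """Minimal audit record in the Azure AD layout (constructed sample, not tenant data)."""
    return {"activityDisplayName": activity, "category": "Policy",
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
                                                          "oldValue": None, "newValue": new_policy}]}]}

def policy_body(name, mfa):
    """JSON-encoded policy as Azure AD would write it into newValue (constructed)."""
    grant = {"builtInControls": ["mfa"]} if mfa else None
    return json.dumps({"displayName": name, "state": "enabled", "grantControls": grant})

SAMPLE_RECORDS = [
    make_record("Add conditional access policy", "contractor@example.com", policy_body("Skip MFA for VPN users", False)),
    make_record("Update conditional access policy", "ca-admin@example.com", policy_body("Require MFA for admins", True)),
    make_record("Add user", "contractor@example.com", None),
]
```

Calling `evaluate()` on each sample record yields two alerts for the first (unauthorized actor, MFA removed) and none for the other two; in a SIEM the allow-list would come from the baseline of authorized CA administrators rather than a hard-coded set.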
Detection coverage (2 rules)
Azure AD - New Conditional Access Policy Created
Severity: medium. Detects the creation of a new Conditional Access policy in Azure AD.
Azure AD - Conditional Access Policy Modified
Severity: medium. Detects modification of a Conditional Access policy in Azure AD.
Detection queries are kept inside the platform.