Entra ID OAuth PRT Issuance to Non-Managed Device Detected
Detection of Entra ID OAuth Primary Refresh Token (PRT) issuance to a non-managed device following a refresh token sign-in via Microsoft Authentication Broker (MAB), potentially indicating device registration abuse (ROADtx) for persistent access.
This detection identifies a sequence of events that suggests an attacker has successfully registered a device using tools like ROADtx to gain persistent access to an Entra ID environment. The attack involves leveraging OAuth access tokens and Primary Refresh Tokens (PRTs) to bypass typical security controls. The initial access uses a refresh token, likely obtained through phishing or other credential compromise. Following this, a PRT is issued to a non-managed device. This allows the attacker to maintain access to Microsoft 365 resources, such as Outlook and SharePoint, without the device being subject to organizational policies or managed by Intune. This behavior is often associated with bypassing multi-factor authentication (MFA) and device compliance requirements. The detection focuses on identifying this transition from refresh token-based access to PRT-based access on unmanaged devices within a short timeframe (1 hour).
Attack Chain
- The attacker compromises user credentials through phishing or other means, obtaining a refresh token.
- The attacker uses the refresh token to authenticate via the Microsoft Authentication Broker (MAB) client from an unmanaged device, generating a sign-in log with
incoming_token_type: refreshToken. - The device registers with Azure AD, potentially using ROADtx or similar device registration tools, but remains unmanaged, indicating it is not compliant with organizational policies.
- A Primary Refresh Token (PRT) is issued to the attacker-controlled, unmanaged device.
- The attacker uses the PRT to authenticate to Microsoft 365 resources (excluding the Device Registration Service), generating a sign-in log with
incoming_token_type: primaryRefreshToken. - The attacker gains persistent access to Microsoft 365 applications such as Outlook or SharePoint, potentially exfiltrating data or performing other malicious activities.
- Conditional access policies are bypassed due to the valid PRT, even though the device is unmanaged, allowing the attacker to bypass MFA requirements.
Impact
Successful exploitation allows attackers to establish persistent access to Microsoft 365 resources, bypassing multi-factor authentication and device compliance policies. This can lead to data exfiltration, business email compromise (BEC), and other malicious activities. The impact is significant because it allows attackers to operate with the privileges of a legitimate user from a device that is not subject to organizational security controls. Affected sectors would include any organization using Microsoft 365 and Azure AD.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect the described sequence of events based on
azure.signinlogsdata. - Investigate any alerts generated by the Sigma rule, focusing on unmanaged devices and unusual authentication patterns.
- Review Conditional Access policies to ensure they effectively block access from non-compliant devices, referencing affected device IDs from
azure.signinlogs.properties.device_detail.device_id. - Revoke PRT sessions for compromised user accounts to prevent further unauthorized access via Microsoft Entra ID or Conditional Access.
- Audit device registration processes to identify and remove any unauthorized or suspicious device registrations as seen in
azure.signinlogs.properties.device_detail.trust_type.
Detection coverage 2
Entra ID - Refresh Token to PRT Transition From Unmanaged Device
mediumDetects a user signing in with a refresh token followed by a PRT from an unmanaged device within 1 hour, indicating potential ROADtx device registration abuse.
Entra ID - PRT Issuance to Non-Managed Device (No Refresh Token)
lowDetects PRT issuance directly to a non-managed device, which could indicate a more advanced device registration abuse technique.
Detection queries are available on the platform. Get full rules →