Threat Feed
medium advisory

Entra ID ADRS Token Request by Microsoft Authentication Broker

Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker requests access to the Device Registration Service on behalf of a user principal, potentially indicating an attempt to abuse device registration for unauthorized persistence.

This detection identifies potentially malicious activity in Microsoft Entra ID (formerly Azure AD) involving the Microsoft Authentication Broker (MAB). It focuses on OAuth 2.0 token requests in which MAB (application ID 29d9ed98-a469-4536-ade2-f981bc1d605e) requests an access token for the Device Registration Service (DRS, resource ID 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9) on behalf of a user. The adrs_access scope in the sign-in event's authentication processing details shows that the request is for the Azure Device Registration Service (ADRS), which is not part of an ordinary user sign-in to an application. An attacker holding a user's refresh token can use this flow to register an attacker-controlled device and obtain a Primary Refresh Token (PRT), gaining persistence that no longer depends on the stolen password. The same pattern is produced by legitimate device registration (for example, a user joining or registering a new Windows device), so the detection needs baselining against normal enrollment activity in the tenant. The Volexity report from April 2025 highlights similar targeting of Microsoft OAuth workflows.

Attack Chain

  1. Attacker compromises user credentials through phishing or other means.
  2. Attacker leverages the compromised credentials to initiate an OAuth 2.0 authentication flow.
  3. The Microsoft Authentication Broker is used to request an access token.
  4. The request targets the Device Registration Service (DRS) with resource ID 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9.
  5. The OAuth scope includes adrs_access, indicating an attempt to access ADRS functionalities.
  6. The request is made using a refresh token, suggesting an attempt to establish persistent access.
  7. Successful token acquisition allows the attacker to manipulate device registration or acquire a Primary Refresh Token (PRT).
  8. The attacker uses the PRT or device registration to maintain unauthorized access to resources.

Impact

Successful exploitation could allow an attacker to maintain persistent access to an organization's cloud resources. A registered device and its PRT survive a password change; access persists until the device is deleted or disabled and the user's refresh tokens are revoked. This can lead to data exfiltration, lateral movement, and further compromise of sensitive information. The number of affected users depends on the scope of the initial credential compromise and on how long the registered device goes unnoticed. Any organization using Microsoft Entra ID is a potential target.

Recommendation

  • Deploy the Sigma rule “Entra ID ADRS Token Request by Microsoft Authentication Broker” to your SIEM and tune it for your environment to detect suspicious ADRS access attempts.
  • Investigate any alerts generated by the Sigma rule, focusing on the user principal and the origin of the request.
  • Review Conditional Access policies to ensure they cover device registration: target the "Register or join devices" user action and require multifactor authentication (or restrict it to trusted locations), so that a stolen refresh token alone is not enough to enroll a device.
  • Monitor Entra ID audit logs for device registrations or changes to a user's registered devices, as suggested in the rule's triage steps.
  • Correlate with Primary Refresh Token (PRT) usage for the same user and/or session ID to identify potential abuse, as mentioned in the rule's triage.
  • Consider adjusting the rule or adding exceptions for specific applications or user accounts that legitimately require access to the Device Registration Service, based on false positive analysis.
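As an added example, not the vendor's rule (whose query is kept in the platform) and not code from the Volexity report, the following Python runs the detection logic described above over constructed sign-in records and then performs the triage correlation from the recommendations: it looks for device-registration audit events and for other token requests in the same session for each flagged user. Field names follow the Microsoft Graph signIn and directoryAudit schemas as an assumption (a Sentinel export may differ in casing, and authenticationProcessingDetails may arrive as a JSON string, which the code handles); the sample records, the "Register device" activity name and the severity split (medium for refresh-token-based broker requests, low for interactive ones) mirror the two rules on this page rather than their actual queries.

```python
"""Detect MAB -> DRS token requests carrying adrs_access and triage them."""
import json
from datetime import datetime, timedelta

MAB_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"        # Microsoft Authentication Broker
DRS_RESOURCE_ID = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"   # Device Registration Service
ADRS_SCOPE = "adrs_access"
# Assumed values of the Graph signIn incomingTokenType enum that mean a silent
# (non-interactive) acquisition; verify against your own tenant export.
SILENT_TOKEN_TYPES = {"refreshToken", "primaryRefreshToken"}

# Constructed sample sign-in events (not real tenant data).
SIGNINS = [
    {"id": "s1", "createdDateTime": "2025-04-20T08:00:00Z",
     "userPrincipalName": "alice@contoso.example", "appId": MAB_APP_ID,
     "resourceId": DRS_RESOURCE_ID, "incomingTokenType": "refreshToken",
     "sessionId": "sess-a1", "ipAddress": "203.0.113.10",
     "authenticationProcessingDetails": [
         {"key": "Oauth Scope Info", "value": "adrs_access openid profile"}]},
    {"id": "s2", "createdDateTime": "2025-04-20T08:05:00Z",   # benign: same session, Graph resource
     "userPrincipalName": "alice@contoso.example", "appId": MAB_APP_ID,
     "resourceId": "00000003-0000-0000-c000-000000000000",
     "incomingTokenType": "refreshToken", "sessionId": "sess-a1",
     "ipAddress": "203.0.113.10",
     "authenticationProcessingDetails": [
         {"key": "Oauth Scope Info", "value": "User.Read openid"}]},
    {"id": "s3", "createdDateTime": "2025-04-20T09:00:00Z",   # interactive ADRS request
     "userPrincipalName": "bob@contoso.example", "appId": MAB_APP_ID,
     "resourceId": DRS_RESOURCE_ID, "incomingTokenType": "none",
     "sessionId": "sess-b1", "ipAddress": "198.51.100.7",
     # Sentinel-style export: the column arrives as a JSON string, not a list
     "authenticationProcessingDetails":
         '[{"key": "Oauth Scope Info", "value": "adrs_access"}]'},
]

# Constructed directory-audit events (Graph directoryAudit shape, assumed field names).
AUDITS = [
    {"id": "a1", "activityDateTime": "2025-04-20T08:01:30Z", "category": "Device",
     "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "DESKTOP-7Q2K1"}]},
    {"id": "a2", "activityDateTime": "2025-04-19T10:00:00Z", "category": "Device",
     "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "LAPTOP-OLD"}]},
]


def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def oauth_scopes(rec):
    """Return the OAuth scopes recorded in the sign-in's processing details."""
    details = rec.get("authenticationProcessingDetails") or []
    if isinstance(details, str):            # Sentinel exports the list as a JSON string
        details = json.loads(details)
    scopes = set()
    for d in details:
        if d.get("key", "").lower() == "oauth scope info":
            scopes.update(d.get("value", "").split())
    return scopes


def is_adrs_request(rec):
    """MAB requesting a DRS token with the adrs_access scope."""
    return (rec.get("appId") == MAB_APP_ID
            and rec.get("resourceId") == DRS_RESOURCE_ID
            and ADRS_SCOPE in oauth_scopes(rec))


def detect(signins):
    """Flag ADRS requests; refresh-token-based ones are the higher-severity rule."""
    hits = []
    for rec in signins:
        if not is_adrs_request(rec):
            continue
        silent = rec.get("incomingTokenType") in SILENT_TOKEN_TYPES
        hits.append({"signin_id": rec["id"], "user": rec["userPrincipalName"],
                     "session": rec.get("sessionId"), "ip": rec.get("ipAddress"),
                     "token_type": rec.get("incomingTokenType"),
                     "severity": "medium" if silent else "low"})
    return hits


def correlate(hits, signins, audits, window=timedelta(hours=1)):
    """Triage: device registrations by the same user near the hit, plus other
    token requests that reuse the same session id."""
    by_id = {r["id"]: r for r in signins}
    enriched = []
    for h in hits:
        t = _parse_time(by_id[h["signin_id"]]["createdDateTime"])
        regs = [a["id"] for a in audits
                if a.get("category") == "Device"
                and a.get("activityDisplayName") == "Register device"
                and a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName") == h["user"]
                and abs(_parse_time(a["activityDateTime"]) - t) <= window]
        same_session = [r["id"] for r in signins
                        if r.get("sessionId") == h["session"] and r["id"] != h["signin_id"]]
        enriched.append({**h, "device_registrations": regs,
                         "same_session_signins": same_session})
    return enriched


if __name__ == "__main__":
    print(json.dumps(correlate(detect(SIGNINS), SIGNINS, AUDITS), indent=2))
```

On the constructed data, s1 (alice, refresh token, followed 90 seconds later by a "Register device" audit event) is the case that warrants an immediate revoke-and-remove-device response; s3 fires the low-severity interactive rule, and s2 is ignored because the requested resource is Microsoft Graph, not DRS. In production, widen the window to the tenant's typical enrollment lag and add a benign-enrollment baseline (helpdesk-driven device joins) before paging on the medium hits.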

Detection coverage (2 rules)

Entra ID ADRS Token Request by Microsoft Authentication Broker

medium

Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker requests access to the Device Registration Service (ADRS) on behalf of a user principal.

Type: Sigma | Tactics: persistence | Techniques: T1098.005 (Account Manipulation: Device Registration) | Sources: webserver, azure

Entra ID ADRS Token Request - Interactive User

low

Detects suspicious OAuth 2.0 token requests for ADRS access that originate from interactive user sign-ins rather than from the broker's refresh-token flow.

Type: Sigma | Tactics: persistence | Techniques: T1098.005 (Account Manipulation: Device Registration) | Sources: webserver, azure


Indicators of compromise (1)

Type | Value
domain | attack.mitre.org

(The single listed domain is the MITRE ATT&CK reference site cited by the rule, not an attacker-controlled indicator; it should not be added to blocklists.)