How the Bypass Works
Microsoft Entra Conditional Access Policies (CAPs) are a core security control for Azure and Microsoft 365 tenants, enforcing multi-factor authentication, device compliance, and location restrictions. Researchers at NetSPI discovered that under specific conditions, attackers can obtain Microsoft Graph access tokens while completely bypassing CAP evaluation.
The vulnerability exists in Microsoft’s custom OAuth implementation for Single Sign-On, specifically how refresh tokens are reused between trusted first-party applications. Nested App Authentication (NAA) allows host applications like the Azure Portal to act as authentication brokers, silently exchanging cached refresh tokens for access tokens scoped to child applications without user interaction. When the NAA flow was used with the ADIbizaUX client and other Intune portal extensions, Conditional Access policies were not evaluated, and access tokens were issued freely.
Impact and Scope
An attacker would first need to steal an Azure Portal refresh token, through phishing or adversary-in-the-middle attacks targeting login.microsoftonline.com. The token has a fixed 24-hour lifetime and is non-renewable, which limits long-term persistence but still provides a meaningful window for post-compromise abuse within a tenant.
NetSPI reported the issue to the Microsoft Security Response Center, which classified it as a medium-severity vulnerability. Microsoft has deployed a fix, and retesting confirms that affected NAA flows now correctly return Conditional Access blocking errors. This disclosure demonstrates how deviations from standard OAuth behavior, even when intended to improve usability and SSO, can create subtle but high-impact authorization weaknesses in cloud identity platforms.
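One way a defender could hunt for this pattern retrospectively in Entra sign-in logs, as an added example rather than code from NetSPI or Microsoft: it flags Microsoft Graph tokens issued to the ADIbizaUX client with no Conditional Access evaluation, and raises confidence when the same user had a policy-evaluated sign-in within the 24-hour refresh-token lifetime described above. The field names are a simplified, assumed rendering of the Entra sign-in log schema, and the records are constructed.

```python
from datetime import datetime, timedelta

# Client named in the write-up as an affected NAA child; the set is an assumption, not an
# inventory of every Intune portal extension, so extend it from your own sign-in data.
AFFECTED_CLIENTS = {"ADIbizaUX"}
GRAPH_RESOURCE = "Microsoft Graph"
REFRESH_TOKEN_LIFETIME = timedelta(hours=24)  # fixed lifetime stated in the write-up

# Constructed sign-in records, simplified from the Entra sign-in log field names (assumed).
SAMPLE_EVENTS = [
    {"createdDateTime": "2025-01-10T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Azure Portal", "resourceDisplayName": "Windows Azure Service Management API",
     "conditionalAccessStatus": "success"},
    {"createdDateTime": "2025-01-10T08:05:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "ADIbizaUX", "resourceDisplayName": "Microsoft Graph",
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2025-01-10T09:00:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "ADIbizaUX", "resourceDisplayName": "Microsoft Graph",
     "conditionalAccessStatus": "success"},  # expected post-fix behaviour: CA was evaluated
    {"createdDateTime": "2025-01-10T09:30:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "ADIbizaUX", "resourceDisplayName": "Microsoft Graph",
     "conditionalAccessStatus": "notApplied"},  # no CA-evaluated sign-in on record for this user
]

def _ts(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))

def find_unevaluated_graph_tokens(events, clients=AFFECTED_CLIENTS, window=REFRESH_TOKEN_LIFETIME):
    """Flag Graph tokens issued to an affected client with no Conditional Access evaluation.

    A hit is "high" confidence when the same user had a CA-evaluated sign-in (status
    success or failure, i.e. a policy did target them) within the preceding `window`,
    the refresh-token lifetime the brokered exchange could ride on; otherwise "low",
    since notApplied is also the normal status for users that no policy targets.
    """
    evaluated = {}
    for e in events:
        if e["conditionalAccessStatus"] in ("success", "failure"):
            evaluated.setdefault(e["userPrincipalName"], []).append(_ts(e))
    findings = []
    for e in sorted(events, key=_ts):
        if e["appDisplayName"] not in clients or e["resourceDisplayName"] != GRAPH_RESOURCE:
            continue
        if e["conditionalAccessStatus"] != "notApplied":
            continue
        t = _ts(e)
        prior = [p for p in evaluated.get(e["userPrincipalName"], []) if timedelta(0) <= t - p <= window]
        findings.append({"user": e["userPrincipalName"], "time": e["createdDateTime"],
                         "client": e["appDisplayName"], "confidence": "high" if prior else "low"})
    return findings

if __name__ == "__main__":
    for f in find_unevaluated_graph_tokens(SAMPLE_EVENTS):
        print(f)
```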
Source: Cyber Security News
