Unintentionally Exposing Your Organization to MFA bypasses on Azure Active Directory
Some organizations may believe that they are enforcing a second authorization factor when using Microsoft Single-Sign On on Azure Active Directory, but their configuration might have an easy way to bypass it.
When configuring Conditional Access policies to enforce multi-factor authentication mechanisms specific device platforms can be either “Included” or “Excluded” as part of the policy. It is then possible to have a policy such as the following:
- Device platforms
- Configure: [yes] / no
- Include
- [ ] Any device
- [*] Select device platforms
- [x] Android
- [x] iOS
- [x] Windows Phone
- [x] Windows
- [x] macOS
- Exclude
- (...)
Can you spot anything wrong with that?
By allowing users to create a policy based on the target platforms it will apply to, one could easily check all the boxes thinking “this policy is applied to all platforms, we are secure now” and never look back.
However, such a policy would only enforce MFA on those and nothing else; browsing to an SSO-enabled application from Linux would happily let you in with just a username and a password. As a matter of fact, you don’t even need to browse from an actual Linux box (or other unlisted platform like a Chromebook), just replace your User-Agent with:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
We believe this to be a bad design choice that may inadvertently lead to undesired loopholes. If you are trying to enforce multi-factor authentication on your organization (regardless of the device where users are attempting to sign in from), the “Any device” box should be checked instead.