Backdooring and Hijacking Azure AD Accounts by Abusing External Identities

External identities are a concept in Azure Active Directory which makes it possible to collaborate with users outside of an organization. These external users, often called guest users, can be granted permissions to certain resources and work together with users within the organization. The identities of these users are managed in a different Azure AD tenant or are unmanaged accounts outside of Azure AD. 

This talk explains how these external identities work in Azure AD and how concepts such as B2B collaboration are facilitated. During the research for this talk, several flaws in the implementation were identified, which create novel ways to backdoor and hijack Azure AD accounts from a regular user. There were also ways identified to exploit these external identity links to elevate privileges, bypass Multi Factor Authentication and Conditional Access policies. All these attacks were possible in the default configuration of Azure AD. 

This talk gives insight into the external identities concepts, into the technicalities that allowed these attacks to exist, and into ways to harden against these attacks and detect abuse of these vulnerabilities.