Cloud identity protection is supposed to be your strongest defense layer.
Microsoft Entra ID (formerly Azure AD) Conditional Access (CA) acts as a digital gatekeeper—validating logins based on location, device compliance, and risk signals before granting access.
But recent research has exposed a dangerous reality:
👉 Even strong Conditional Access policies can be bypassed completely.
A red team engagement demonstrated how attackers can move from a single set of compromised credentials to wide-ranging tenant access without malware, without touching a managed endpoint, and without triggering the controls most teams rely on.
The Starting Point: Just One Set of Credentials
The attack begins with something surprisingly simple:
- A valid username and password
- Often sourced from phishing or credential marketplaces
- Costing as little as a few hundred dollars
In this case, interactive sign-ins with those credentials were blocked by Conditional Access policies, yet the attackers were still able to move forward.
👉 Key takeaway:
Blocked login ≠ protected environment
Step 1: Exploiting Device Registration Service (DRS)
The initial breakthrough came from targeting an overlooked endpoint:
👉 Azure AD Device Registration Service (DRS)
Conditional Access is evaluated against the application, authentication flow and conditions each policy targets. The token request for the DRS resource did not hit the policy that blocked the interactive login. Using the OAuth 2.0 device code flow, which needs no browser session and runs from any machine, attackers were able to:
- Authenticate outside the standard browser login flow
- Obtain a token that the Conditional Access policies did not block
- Establish an initial foothold
👉 Device code flow is available to every user by default and is only blocked when a Conditional Access policy explicitly targets that authentication flow, so this path is often left open.
Step 2: Creating a Phantom Device
Next, attackers register a fake (phantom) device inside Azure AD.
With a single tool command against DRS, they:
- Register a device object in Azure AD
- Receive a valid device certificate and hold the matching private key
- Present that device as a trusted corporate endpoint
⚠️ Critical issue:
Azure AD does not verify that the device is real. The operating system, version and device name in the registration request are accepted as declared:
- A Linux host can register itself as a Windows machine
- No hardware-backed attestation is required by default
👉 This means attackers can create trusted device identities for machines that do not exist
Step 3: Abusing Primary Refresh Tokens (PRT)
Once the phantom device is registered, attackers use its certificate and key to request a:
👉 Primary Refresh Token (PRT)
But here's the trick:
- The PRT is a genuine token issued by Azure AD, but it is bound to the phantom device
- The device claims it carries (device ID, operating system) describe the fake device exactly as the attacker declared it
- To Azure AD, every session that uses this PRT looks like it comes from a registered, trusted device
When exchanged for an access token:
✅ Azure AD evaluates Conditional Access using the phantom device's claims
✅ Policies that require a registered or trusted device are satisfied
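Steps 1 to 3 leave a recognisable trail in the Entra ID sign-in logs: a user who was just blocked by Conditional Access comes back over the device code flow, often against the Device Registration Service, with no policy applied. The hunt below is an added example and is not code from the engagement or the original write-up. It reads Graph `signIn`-shaped records (the field names `authenticationProtocol`, `resourceId`, `conditionalAccessStatus` and `status.errorCode` are real Graph properties; the four log entries are constructed for illustration) and ranks each successful device-code sign-in.

```python
"""Hunt Entra ID sign-in logs for the CA-block -> device-code -> DRS pattern.

Added example, not code from the original write-up. Field names follow the
Microsoft Graph `signIn` resource; the log entries below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Application ID of the Device Registration Service resource in Entra ID.
DRS_APP_ID = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
# AADSTS53003: sign-in blocked by Conditional Access.
CA_BLOCKED_ERROR = 53003

# Constructed sample log lines (not real tenant data): alice is blocked in the
# browser, then comes back via device code against DRS with no CA policy
# applied; bob registers a device via device code with no preceding block;
# carol is an ordinary successful sign-in.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-06T09:00:00Z",
     "appDisplayName": "Office 365 SharePoint Online", "resourceId": "00000003-0000-0ff1-ce00-000000000000",
     "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "failure",
     "status": {"errorCode": CA_BLOCKED_ERROR}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-06T09:12:30Z",
     "appDisplayName": "Microsoft Authentication Broker", "resourceId": DRS_APP_ID,
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-06T11:40:00Z",
     "appDisplayName": "Microsoft Authentication Broker", "resourceId": DRS_APP_ID,
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2024-05-06T12:05:00Z",
     "appDisplayName": "Microsoft Teams", "resourceId": "00000003-0000-0000-c000-000000000000",
     "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
]


def _ts(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps (trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_device_code_signins(signins, window=timedelta(hours=1)):
    """Return one alert per successful device-code sign-in, oldest first.

    Severity is 'high' when the same user was blocked by Conditional Access
    (AADSTS53003) within `window` beforehand, 'medium' when the target is the
    Device Registration Service, and 'low' otherwise.
    """
    blocked = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == CA_BLOCKED_ERROR:
            blocked[s["userPrincipalName"].lower()].append(_ts(s["createdDateTime"]))

    alerts = []
    for s in sorted(signins, key=lambda e: e["createdDateTime"]):
        if s.get("authenticationProtocol") != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        upn = s["userPrincipalName"].lower()
        when = _ts(s["createdDateTime"])
        recent_block = any(b <= when <= b + window for b in blocked[upn])
        to_drs = s.get("resourceId") == DRS_APP_ID
        reasons = ["successful device-code sign-in"]
        if recent_block:
            reasons.append("preceded by a Conditional Access block (AADSTS53003) within the window")
        if to_drs:
            reasons.append("target is the Device Registration Service")
        if s.get("conditionalAccessStatus") == "notApplied":
            reasons.append("no Conditional Access policy applied")
        severity = "high" if recent_block else ("medium" if to_drs else "low")
        alerts.append({"user": upn, "time": s["createdDateTime"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in hunt_device_code_signins(SAMPLE_SIGNINS):
        print(a["severity"].upper(), a["user"], a["time"], "; ".join(a["reasons"]))
```

In a real tenant the records come from the `signIns` Graph endpoint or the sign-in logs exported to a SIEM; the one-hour window is a tuning assumption, not a Microsoft default. Bob's medium alert is the kind of event you want a human to confirm (an admin enrolling a headless device) rather than one you can suppress.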
Step 4: Beating Device Compliance (Intune Bypass)
Some environments go further and require:
- Intune-compliant devices
- Device health validation
But even these controls were bypassed.
Attackers exploited a gap in Intune enrollment logic:
- Enrolled the phantom device while claiming hybrid domain-joined status
- Skipped the stricter validation that enrollment would otherwise apply
- Reported the device's own compliance state
⚠️ Key flaw:
- Intune's compliance verdict is built from state the device reports about itself
- Checks the device does not report are treated as "not applicable" rather than as failures
👉 Result: A completely fake device becomes:
✅ "Compliant"
✅ "Trusted"
✅ Fully authorized
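A phantom device that reached Step 4 is still visible as an inconsistent directory object: it claims a hybrid join that never came through Entra Connect, and it is marked compliant without an MDM relationship. The audit below is an added example, not code from the engagement. It works on Graph `device`-shaped objects (the properties `trustType`, `onPremisesSyncEnabled`, `isManaged`, `isCompliant` and `mdmAppId` are real Graph properties; the four-device inventory is constructed) and flags the two mismatches.

```python
"""Audit Entra ID device objects for phantom-device indicators.

Added example, not from the original write-up. Property names follow the
Microsoft Graph `device` resource; the inventory below is constructed.
"""

# trustType values: "ServerAd" = hybrid joined (the object originates from
# Entra Connect sync), "AzureAd" = Entra joined, "Workplace" = Entra registered.
HYBRID_JOINED = "ServerAd"
# First-party application ID Intune records in mdmAppId for devices it manages.
INTUNE_MDM_APP_ID = "0000000a-0000-0000-c000-000000000000"
# MDM app IDs you actually operate; anything else managing a "compliant" device
# is worth a look. Assumption for this example: Intune only.
EXPECTED_MDM_APP_IDS = {INTUNE_MDM_APP_ID}

SAMPLE_DEVICES = [
    # Genuine hybrid-joined, Intune-managed laptop.
    {"deviceId": "d1", "displayName": "LT-ACCT-014", "operatingSystem": "Windows",
     "trustType": "ServerAd", "onPremisesSyncEnabled": True, "isManaged": True,
     "isCompliant": True, "mdmAppId": INTUNE_MDM_APP_ID,
     "registrationDateTime": "2023-11-02T08:14:00Z"},
    # Phantom: claims hybrid join, never came through sync, compliant without MDM.
    {"deviceId": "d2", "displayName": "DESKTOP-7Q2K1", "operatingSystem": "Windows",
     "trustType": "ServerAd", "onPremisesSyncEnabled": None, "isManaged": False,
     "isCompliant": True, "mdmAppId": None,
     "registrationDateTime": "2024-05-06T09:13:05Z"},
    # BYOD phone, registered only: makes no claims worth checking.
    {"deviceId": "d3", "displayName": "Pixel-8", "operatingSystem": "Android",
     "trustType": "Workplace", "onPremisesSyncEnabled": None, "isManaged": False,
     "isCompliant": False, "mdmAppId": None,
     "registrationDateTime": "2024-03-19T17:02:00Z"},
    # Entra-joined device marked compliant but with no MDM relationship.
    {"deviceId": "d4", "displayName": "SURFACE-11", "operatingSystem": "Windows",
     "trustType": "AzureAd", "onPremisesSyncEnabled": None, "isManaged": True,
     "isCompliant": True, "mdmAppId": None,
     "registrationDateTime": "2024-04-30T10:00:00Z"},
]


def audit_devices(devices):
    """Return {deviceId: [reasons]} for devices whose trust claims do not line up.

    Checks mirror Steps 2 and 4 of the chain:
    - hybrid-joined trustType without an on-prem sync origin
    - compliant verdict while not managed, or managed by no/unexpected MDM
    """
    findings = {}
    for d in devices:
        reasons = []
        if d.get("trustType") == HYBRID_JOINED and not d.get("onPremisesSyncEnabled"):
            reasons.append("hybrid-joined trustType but onPremisesSyncEnabled is not true")
        if d.get("isCompliant"):
            if not d.get("isManaged"):
                reasons.append("isCompliant but isManaged is false")
            if d.get("mdmAppId") not in EXPECTED_MDM_APP_IDS:
                reasons.append(f"isCompliant but mdmAppId {d.get('mdmAppId')!r} is not an expected MDM")
        if reasons:
            findings[d["deviceId"]] = reasons
    return findings


if __name__ == "__main__":
    for device_id, reasons in audit_devices(SAMPLE_DEVICES).items():
        print(device_id, "->", "; ".join(reasons))
```

Run this against a full export of `/devices` and then compare the hits with the device-code sign-ins from the previous step: a phantom device typically appears minutes after the sign-in that registered it, under the same user.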
Step 5: Full Access and Enumeration
With a valid token and a “trusted” device identity, attackers can:
- Access internal enterprise apps
- Enumerate users and directory data
- Download internal packages
- Map infrastructure and naming conventions
👉 At this stage, the environment is effectively exposed.
The Bigger Risk: Hybrid Identity Weakness
Beyond the device spoofing attack, researchers uncovered another serious issue:
👉 Overprivileged identity structures
Findings included:
- Hundreds of privileged role assignments
- Many held by accounts synchronized from on-premises Active Directory
- Cloud accounts dependent on legacy identity systems
⚠️ Why this matters:
A synced account carries its on-prem credential into the cloud. If attackers compromise on-prem Active Directory, they can:
✅ Authenticate to the cloud as the synced privileged accounts
✅ Gain Global Admin access
✅ Take over the entire tenant
👉 No cloud exploit needed.
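The quickest way to size this exposure is to join directory role membership against each member's sync status. The script below is an added example, not the researchers' tooling: it takes `directoryRole` display names and `user` objects with the real Graph property `onPremisesSyncEnabled`, and reports every synced account that holds a tenant-level privileged role. The role list is an assumption of this example (a sensible starting set, not an official Microsoft list) and the membership data is constructed.

```python
"""Find privileged Entra ID roles held by accounts synced from on-prem AD.

Added example, not from the original engagement. Shapes follow the Graph
`directoryRole` (displayName) and `user` (onPremisesSyncEnabled) resources;
the membership data below is constructed.
"""
from collections import defaultdict

# Built-in roles that can take over the tenant or reach its data directly.
# Assumption of this example: extend to match your own tiering model.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Privileged Authentication Administrator", "Security Administrator",
    "Conditional Access Administrator", "Hybrid Identity Administrator",
    "Application Administrator", "Cloud Application Administrator",
    "Intune Administrator", "Exchange Administrator", "User Administrator",
}

# Constructed role membership (role displayName -> member UPNs).
SAMPLE_ROLE_MEMBERS = {
    "Global Administrator": ["admin-jsmith@contoso.example", "breakglass01@contoso.example"],
    "Exchange Administrator": ["admin-jsmith@contoso.example", "svc-mailflow@contoso.example"],
    "Intune Administrator": ["cloudadmin-intune@contoso.example"],
    "Reports Reader": ["analyst-lee@contoso.example"],
}

# Constructed user objects; onPremisesSyncEnabled is null for cloud-only accounts.
SAMPLE_USERS = {
    "admin-jsmith@contoso.example": {"onPremisesSyncEnabled": True},
    "breakglass01@contoso.example": {"onPremisesSyncEnabled": None},
    "svc-mailflow@contoso.example": {"onPremisesSyncEnabled": True},
    "cloudadmin-intune@contoso.example": {"onPremisesSyncEnabled": None},
    "analyst-lee@contoso.example": {"onPremisesSyncEnabled": True},
}


def synced_privileged_assignments(role_members, users):
    """Map each synced account to the sorted privileged roles it holds.

    A synced account (onPremisesSyncEnabled true) authenticates with a credential
    that on-prem AD controls, so on-prem compromise reaches every role listed.
    Non-privileged roles and cloud-only accounts are ignored.
    """
    exposure = defaultdict(set)
    for role, members in role_members.items():
        if role not in PRIVILEGED_ROLES:
            continue
        for upn in members:
            if users.get(upn, {}).get("onPremisesSyncEnabled"):
                exposure[upn].add(role)
    return {upn: sorted(roles) for upn, roles in exposure.items()}


def summarize(role_members, users):
    """Headline numbers for a report: how many synced accounts, which roles, any GAs."""
    exposure = synced_privileged_assignments(role_members, users)
    affected_roles = {r for roles in exposure.values() for r in roles}
    ga_synced = [u for u, roles in exposure.items() if "Global Administrator" in roles]
    return {
        "synced_privileged_accounts": len(exposure),
        "affected_roles": sorted(affected_roles),
        "global_admins_synced": sorted(ga_synced),
    }


if __name__ == "__main__":
    for upn, roles in synced_privileged_assignments(SAMPLE_ROLE_MEMBERS, SAMPLE_USERS).items():
        print(upn, "->", ", ".join(roles))
    print(summarize(SAMPLE_ROLE_MEMBERS, SAMPLE_USERS))
```

Populate the two inputs from `/directoryRoles` (with each role's `/members`) and `/users?$select=userPrincipalName,onPremisesSyncEnabled`; if you use Privileged Identity Management, include eligible assignments as well, since an eligible synced account is still one on-prem compromise away from activation.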
Why This Attack Is So Dangerous
This is not a typical breach.
It is effective because:
✅ No malware is required
✅ No endpoint compromise is needed
✅ No user interaction is required beyond the initial credential theft
✅ Works entirely within legitimate identity flows
👉 It abuses trust, not software vulnerabilities
What Security Teams Must Learn
1) Device trust is weaker than you think
If devices can self-register without validation, attackers can create fake trust.
2) Conditional Access is not bulletproof
CA policies rely on signals. If those signals describe a device the attacker registered and controls, the protections they gate fail.
3) Identity is the new attack surface
Modern attacks target:
- Tokens
- Device identity
- Authentication flows
Not just endpoints.
4) Default configurations are risky
Many of these attack paths exist because:
- Features are enabled by default
- Security policies are not strictly enforced
Key Mitigation Steps
To defend against this attack chain, organizations should:
✅ Lock down device registration
- Require MFA for device registration (Conditional Access user action "Register or join devices")
- Block device code flow where it is not needed (Conditional Access "Authentication flows" condition) and alert on the exceptions
✅ Strengthen device trust validation
- Require a TPM 2.0 and hardware-backed device identity in Intune compliance and enrollment policies
- Prefer attested properties (Secure Boot, code integrity, BitLocker from Device Health Attestation) over values the device simply reports
✅ Use external health verification
- Rely on an attestation service, not the device's own compliance report
- In your own reviews, treat a check that was never reported as a failure, not as "not applicable"
✅ Limit directory exposure
- Restrict non-admin users from reading other users' directory data (the allowedToReadOtherUsers setting of the tenant authorization policy); test first, because people pickers in Teams and Outlook depend on it
- Watch Microsoft Graph activity and sign-in logs for large-scale enumeration
✅ Reduce privileged accounts
- Do not assign privileged roles to accounts synced from on-prem; use cloud-only identities for administration
- Enable Just-in-Time access (Privileged Identity Management) so standing privileged membership stays minimal
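The two Conditional Access changes under "Lock down device registration" are small enough to express as Graph request bodies, and it is worth having a check that tells you whether an enforced policy already covers each one. The code below is an added example, not Microsoft's or the engagement's tooling: the dictionaries are `conditionalAccessPolicy` bodies for `POST /identity/conditionalAccess/policies` (the `authenticationFlows.transferMethods` condition and the `urn:user:registerdevice` user action are real Graph values), they default to report-only so you can stage them safely, and the group IDs are placeholders.

```python
"""Build and verify the two Conditional Access policies that close Step 1.

Added example, not from the original write-up. The dictionaries are Microsoft
Graph `conditionalAccessPolicy` request bodies; group IDs are placeholders.
"""

# Value for conditions.authenticationFlows.transferMethods
DEVICE_CODE_FLOW = "deviceCodeFlow"
# Value for conditions.applications.includeUserActions ("Register or join devices")
REGISTER_DEVICE_ACTION = "urn:user:registerdevice"
# Graph policy states: "enabled", "disabled", "enabledForReportingButNotEnforced"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def block_device_code_flow_policy(exclude_groups=(), state=REPORT_ONLY):
    """Block the OAuth device code flow for all users, with an exclusion group
    for the few cases (headless devices, meeting-room hardware) that need it."""
    return {
        "displayName": "BLOCK - Device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": DEVICE_CODE_FLOW},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_for_device_registration_policy(state=REPORT_ONLY):
    """Require MFA on the 'Register or join devices' user action."""
    return {
        "displayName": "GRANT - MFA for device registration",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_DEVICE_ACTION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def _enforced(policy):
    # Report-only and disabled policies change nothing for an attacker.
    return policy.get("state") == "enabled"


def _blocks_device_code(policy):
    c = policy.get("conditions") or {}
    flows = (c.get("authenticationFlows") or {}).get("transferMethods") or ""
    return (
        _enforced(policy)
        and DEVICE_CODE_FLOW in flows  # Graph may return "deviceCodeFlow,authenticationTransfer"
        and "All" in ((c.get("users") or {}).get("includeUsers") or [])
        and "All" in ((c.get("applications") or {}).get("includeApplications") or [])
        and "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])
    )


def _mfa_for_registration(policy):
    c = policy.get("conditions") or {}
    return (
        _enforced(policy)
        and REGISTER_DEVICE_ACTION in ((c.get("applications") or {}).get("includeUserActions") or [])
        and "All" in ((c.get("users") or {}).get("includeUsers") or [])
        and "mfa" in ((policy.get("grantControls") or {}).get("builtInControls") or [])
    )


def coverage_gaps(policies):
    """Given the tenant's existing policies (GET /identity/conditionalAccess/policies),
    list which of the two controls no enforced policy provides."""
    gaps = []
    if not any(_blocks_device_code(p) for p in policies):
        gaps.append("no enforced policy blocks device code flow for all users")
    if not any(_mfa_for_registration(p) for p in policies):
        gaps.append("no enforced policy requires MFA for device registration")
    return gaps


if __name__ == "__main__":
    import json
    print(json.dumps(block_device_code_flow_policy(exclude_groups=["<headless-devices-group-id>"]), indent=2))
    print(coverage_gaps([]))
```

Stage both in report-only, review the sign-in log's report-only results for a week, then flip `state` to `enabled`. Keep your break-glass accounts excluded from the block policy, and note that the coverage check deliberately ignores policies scoped to a subset of users, since a partial block is exactly the gap the attacker walks through.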
Common Misconceptions
❌ “We use Conditional Access, so we’re safe”
👉 CA can be bypassed if identity signals are manipulated
❌ “Device compliance guarantees security”
👉 It depends on how compliance is validated
❌ “Attackers need malware”
👉 Modern identity attacks are fileless and silent
FAQs
What is a phantom device?
A fake device registered in Azure AD that appears legitimate but doesn’t physically exist.
What is a PRT?
A Primary Refresh Token used to authenticate sessions and generate access tokens.
Why does this bypass Conditional Access?
Because Azure AD trusts the device claims in the tokens it issued, and those claims describe a device the attacker registered and controls.
Is this a real-world threat?
Yes. Similar techniques match known nation-state tradecraft.
Conclusion
This attack highlights a major shift in cybersecurity:
👉 Trust is the new vulnerability
Instead of breaking into systems, attackers:
- Create trusted identities
- Manipulate authentication flows
- Exploit weak validation logic
And once they’re “trusted,”
👉 they walk straight through your defenses.