Entra ID - Authentication with OAuth and API's


Last updated 3 months ago

Microsoft Entra ID issues tokens through OAuth 2.0 (authorization) with OpenID Connect layered on top for authentication. An application (the OAuth client, for example a web app) sends the user to the authorization server (Entra ID), receives bearer tokens, and presents them to a resource server such as Microsoft Graph or another API.

This flow is better described in the following diagram:

Bearer token

The central artifact is the bearer token. A bearer token, as the name suggests, grants whoever presents it access to a protected resource; nothing binds it to the client that originally obtained it, which is exactly why stolen tokens are valuable. Entra's access tokens for Microsoft Graph and its ID tokens are JSON Web Tokens (JWTs), so their claims can be decoded and inspected without the signing key. OIDC flows against Entra ID use three kinds of token:

  1. Access tokens: presented by the client to the resource server. Bound to a specific combination of user, client and resource; cannot be revoked before expiry (unless Continuous Access Evaluation applies), and the default lifetime is roughly an hour (Entra issues variable lifetimes between 60 and 90 minutes).

  2. ID tokens: returned by the authorization server to the client. Contain basic identity claims about the user and are bound to a specific user and client; they are meant for the client itself, not for presenting to APIs.

  3. Refresh tokens: handed to the client alongside the access token and used to obtain new access and ID tokens without user interaction. Bound to a specific user and client, and revocable. By default a refresh token is invalidated after 90 days of inactivity and has no fixed expiry while it keeps being used.

Presenting an access token to a resource creates no Entra ID sign-in log entry (the resource API may still keep its own audit logs); redeeming a refresh token at the token endpoint goes through Entra ID and shows up in the sign-in logs.

Conditional Access and tokens

Conditional Access is evaluated only when a token is requested from Entra ID (an interactive sign-in or a refresh token redemption). A stolen access token presented directly to a resource is therefore not checked against Conditional Access for the rest of its lifetime, with the exception of resources that enforce Continuous Access Evaluation (see below).

User identity & workload identity

User identities represent human users who access resources within or via the Microsoft Entra ID environment and are tied to individual people. Workload identities represent applications or services (service principals, managed identities for virtual machines, containers or serverless functions) rather than humans, and let those workloads authenticate to Azure resources or external services. The difference is visible in the tokens themselves: delegated (user) access tokens carry an scp claim with the consented scopes, while app-only (workload) access tokens carry a roles claim with the granted application permissions.

Conditional Access covers user identities out of the box; protecting workload identities (enterprise applications / service principals) requires the separate Workload ID Premium license, which is priced per application (roughly 15 dollars a month per application).

For OPSEC, prefer operating through workload identities rather than user identities: they are far less likely to be covered by Conditional Access, and app-only activity draws less scrutiny than a user signing in from an unexpected place.
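The following inspector is an added example, not code from the original notes, that ties the token-type list and the user-versus-workload distinction together: it decodes a JWT without verifying the signature, tells access tokens from ID tokens, reads whether an access token is delegated (scp) or app-only (roles), reports remaining lifetime, and flags whether the client declared the CAE capability (xms_cc containing cp1). The Microsoft Graph resource URI and application ID are the real documented values; the tenant ID, client ID, user and application names in the sample tokens are placeholders, and the sample tokens are constructed here with HS256 and a dummy key purely so the code runs offline (real Entra tokens are RS256-signed by Microsoft).

```python
import base64
import hashlib
import hmac
import json
import time

# Real, documented identifiers for Microsoft Graph (resource URI and application ID).
GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token):
    """Split a JWT into header and claims WITHOUT verifying the signature.

    Fine for inspecting a token you already hold; never use this to trust a
    token presented by someone else.
    """
    header_b64, claims_b64, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "claims": json.loads(_b64url_decode(claims_b64)),
    }


def classify_token(token, now=None):
    """Report what kind of Entra token this is and how it can be used."""
    now = int(time.time()) if now is None else now
    claims = decode_jwt(token)["claims"]

    # Access tokens are addressed to a resource and carry "scp" (delegated,
    # user context) or "roles" (app-only, workload identity). ID tokens are
    # addressed to the client application itself and carry neither.
    if "scp" in claims:
        kind, identity = "access", "delegated (user identity)"
    elif "roles" in claims:
        kind, identity = "access", "app-only (workload identity)"
    else:
        kind, identity = "id", "n/a"

    return {
        "kind": kind,
        "identity": identity,
        "audience": claims.get("aud"),
        "subject": claims.get("upn") or claims.get("app_displayname") or claims.get("sub"),
        "scopes": claims.get("scp", "").split(),
        "app_roles": claims.get("roles", []),
        "expires_in": claims["exp"] - now,
        # "xms_cc" lists capabilities the client declared when asking for the
        # token; "cp1" means it promised to handle CAE claims challenges.
        "cae_capable": "cp1" in claims.get("xms_cc", []),
    }


def make_sample_token(claims, key=b"constructed-demo-key"):
    """Build a CONSTRUCTED HS256 JWT so the inspector can run offline.

    Only the layout matches a real Entra token, which is RS256-signed by Microsoft.
    """
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


# Constructed sample tokens, one per token type discussed above (placeholder IDs).
ISSUED_AT = 1_700_000_000
DELEGATED_ACCESS = make_sample_token({
    "aud": GRAPH_RESOURCE, "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "iat": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "upn": "alice@example.onmicrosoft.com", "scp": "User.Read Mail.Read", "xms_cc": ["cp1"],
})
APP_ONLY_ACCESS = make_sample_token({
    "aud": GRAPH_APP_ID, "iat": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "app_displayname": "hypothetical-automation-app", "roles": ["User.Read.All"],
})
ID_TOKEN = make_sample_token({
    "aud": "11111111-1111-1111-1111-111111111111", "iat": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "preferred_username": "alice@example.onmicrosoft.com", "nonce": "constructed-nonce",
})

if __name__ == "__main__":
    for name, tok in [("delegated access", DELEGATED_ACCESS),
                      ("app-only access", APP_ONLY_ACCESS), ("id", ID_TOKEN)]:
        print(name, json.dumps(classify_token(tok, now=ISSUED_AT + 600), indent=2))
```

Point the inspector at a real token you hold (for example one pulled from a token cache during an engagement) and it tells you immediately whether you are holding something a resource will accept, whose identity it carries, how long it stays usable, and whether a CAE-enforcing resource may cut it short.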

Continuous Access Evaluation (CAE)

CAE exists to invalidate access tokens before their natural expiry (roughly an hour by default). It is a defence mechanism by Microsoft against token replay: instead of waiting for a stolen or out-of-policy token to age out, CAE-enabled resources (Microsoft Graph, Exchange Online, SharePoint Online, Teams) react in near real time. Two things trigger it: critical events published by Entra ID (user account disabled or deleted, password changed or reset, refresh tokens revoked by an admin, MFA enabled for the user, high user risk detected) and Conditional Access location policy violations. Clients that support CAE declare it by requesting the cp1 client capability and in return receive considerably longer-lived access tokens (up to 28 hours), since the resource can now reject them early.

For the location case, CAE steps in when an access token is used from an IP outside the named locations the policy allows. For example, if a Conditional Access policy restricts access to the IP 12.33.44.55 but the token is presented from any other address, the resource rejects it and answers with a 401 carrying a claims challenge. Only IP-based named locations are enforced this way; country-based locations are not supported.

The token is invalidated after the first use from the disallowed location, so it is still possible to use the access token once.
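What "CAE steps in" looks like on the wire is worth knowing, because a tool that does not understand it simply sees a 401 and gives up. The example below is added here and is not code from the original notes: it parses the claims challenge a CAE-enforcing resource returns in its WWW-Authenticate header, and builds the refresh-token request a CAE-aware client posts back to the v2.0 token endpoint with the challenge echoed in the claims parameter (which, being a request to Entra ID, is subject to Conditional Access and appears in the sign-in logs). The token endpoint URL layout and the insufficient_claims / base64-encoded claims header format are the documented ones; the 401 response, the nbf value inside it and the tenant, client and refresh token strings are constructed placeholders. CAE_CAPABILITY_CLAIMS is the claims blob a client sends on its first token request to opt in to CAE.

```python
import base64
import json
import re

# Documented v2.0 token endpoint layout; the tenant is filled in by the caller.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Claims blob a CAE-capable client sends on its FIRST token request: it declares
# the "cp1" capability, and Entra answers with a long-lived CAE-enabled token.
CAE_CAPABILITY_CLAIMS = {"access_token": {"xms_cc": {"values": ["cp1"]}}}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(status, www_authenticate):
    """Return the decoded claims challenge from a 401, or None for an ordinary 401.

    A CAE-enforcing resource rejects a revoked or out-of-policy token with 401
    and a WWW-Authenticate header that carries error="insufficient_claims" and a
    base64-encoded "claims" blob the client must replay to Entra ID.
    """
    if status != 401 or not www_authenticate.startswith("Bearer"):
        return None
    params = dict(_PARAM_RE.findall(www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    blob = params["claims"]
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    return json.loads(base64.b64decode(blob))


def build_refresh_request(tenant, client_id, refresh_token, scope, claims=None):
    """Body a client posts to the token endpoint to redeem a refresh token.

    Echoing the decoded challenge in the "claims" parameter is what satisfies
    CAE. This request goes through Entra ID, so unlike plain access token use it
    is evaluated by Conditional Access and logged as a non-interactive sign-in.
    """
    data = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    if claims is not None:
        data["claims"] = json.dumps(claims, separators=(",", ":"))
    return {"url": TOKEN_ENDPOINT.format(tenant=tenant), "data": data}


def handle_graph_response(status, www_authenticate, tenant, client_id, refresh_token, scope):
    """Decide the next step for a CAE-aware client; None means no retry is warranted."""
    challenge = parse_claims_challenge(status, www_authenticate)
    if challenge is None:
        return None
    return build_refresh_request(tenant, client_id, refresh_token, scope, claims=challenge)


# Constructed 401, in the shape Microsoft Graph uses after a CAE revocation:
# the challenge asks for a token issued no earlier than "nbf".
CHALLENGE_JSON = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_HEADER = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(json.dumps(CHALLENGE_JSON).encode()).decode() + '"'
)

if __name__ == "__main__":
    nxt = handle_graph_response(401, SAMPLE_HEADER, "placeholder-tenant", "placeholder-client-id",
                                "placeholder-refresh-token", "https://graph.microsoft.com/.default")
    print(json.dumps(nxt, indent=2))
```

From the attacker's side the takeaway is the mirror image: once a CAE-enforcing resource starts answering with insufficient_claims, the only way forward is a fresh token request to Entra ID, which is exactly where Conditional Access and the sign-in logs are waiting.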
