Conditional Access

Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action. For example: If a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.

Finding flaws

Managing Conditional Access well is hard. Now that Microsoft is enforcing MFA on its own portals and tooling (rolled out over 2025), many tenants have added exclusions to their Conditional Access policies to keep service accounts, break-glass accounts and legacy tooling working. Every exclusion (a user, group, role, application, location or platform) is a way for an attacker to fall outside a policy's scope and still get access. Some conditions are also cheap to satisfy: the device platform is derived from the User-Agent header of the request, so it can be changed at will, and a country-based named location can be matched by exiting through a VPN in a "safe" country.

Access tokens

Conditional Access is evaluated when a token is issued, not when an existing access token is presented to a resource. So once you hold a valid access token (for example from a stolen session or a token dump on a compromised host), the resource accepts it until it expires and no policy is re-evaluated; only getting a new token (for example by using a refresh token) goes through issuance again. Continuous Access Evaluation (CAE) can still be a problem: for CAE-capable resources such as Exchange Online, SharePoint Online and Microsoft Graph, the token can be rejected before it expires on events like a password change, the account being disabled, or a change of client IP when a location policy is in place.

Device platforms

If a policy is scoped to, or excludes, certain device platforms, authenticate with a modified User-Agent header (the platform condition is derived from it) and check whether the sign-in succeeds or which AADSTS error comes back.

Location

Named locations can be country (GEO) based or IP range based: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network. Very often the company's WAN egress address(es) are defined as a trusted location and excluded from the MFA policy. So if you manage to compromise a system inside that internal network, or an application running there (for example one using a managed identity), authenticate from that system or application so that the sign-in originates from the trusted range.

Get conditional access policies

roadrecon plugin policies

This writes all Conditional Access policy information gathered by roadrecon to an .html file. It needs a populated roadrecon database, so run it after roadrecon auth and roadrecon gather.
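Once you have the policies, the useful part is finding the gaps discussed under "Finding flaws". The following added example (not roadrecon code, and not from the original page) reviews policies in the JSON shape that Microsoft Graph returns from GET /identity/conditionalAccess/policies and flags unenforced policies, user/group/role/application exclusions, excluded (trusted) locations, platform scoping that a User-Agent change escapes, and client app types left uncovered. The sample policies are constructed; real Graph output carries object ids rather than the readable names used here.

```python
"""Added example: flag the gaps in a set of Conditional Access policies.

Input is the Microsoft Graph conditionalAccessPolicy JSON shape. Output is a
list of (policy_name, issue) tuples an attacker (or defender) wants to see."""

# Platform values of the devicePlatform condition, excluding the catch-all "all".
ALL_PLATFORMS = {"android", "iOS", "windows", "windowsPhone", "macOS", "linux"}
# Client app types of the clientAppTypes condition; "other" is legacy authentication.
ALL_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"}


def review_policies(policies):
    """Return a list of (policy_name, issue) tuples, one per gap found."""
    findings = []
    for policy in policies:
        name = policy.get("displayName", "<unnamed>")
        state = policy.get("state")
        if state != "enabled":
            # report-only and disabled policies never deny or require anything
            findings.append((name, f"not enforced (state={state})"))
            continue
        cond = policy.get("conditions") or {}

        users = cond.get("users") or {}
        for kind in ("excludeUsers", "excludeGroups", "excludeRoles"):
            for obj in users.get(kind) or []:
                findings.append((name, f"{kind}: {obj}"))

        apps = cond.get("applications") or {}
        for app in apps.get("excludeApplications") or []:
            findings.append((name, f"excludeApplications: {app}"))

        locations = cond.get("locations") or {}
        for loc in locations.get("excludeLocations") or []:
            findings.append((name, f"excludeLocations: {loc} (sign in from inside that range or country)"))

        # platform is derived from the User-Agent, so any uncovered platform is reachable
        platforms = cond.get("platforms") or {}
        included = set(platforms.get("includePlatforms") or [])
        excluded = set(platforms.get("excludePlatforms") or [])
        uncovered = excluded if "all" in included else (ALL_PLATFORMS - included) | excluded
        if included and uncovered:
            findings.append((name, "platform condition; spoof the User-Agent as one of: "
                                   + ", ".join(sorted(uncovered))))

        client_apps = set(cond.get("clientAppTypes") or [])
        if client_apps and "all" not in client_apps:
            missing = ALL_CLIENT_APPS - client_apps
            if missing:
                findings.append((name, "clientAppTypes not covered: " + ", ".join(sorted(missing))))
    return findings


# Constructed sample in the Graph shape (names instead of object ids for readability).
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["svc-backup@contoso.example"],
                      "excludeGroups": ["CA-Exclusions"], "excludeRoles": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["Head office WAN"]},
            "platforms": None,
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy auth",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require compliant device on Windows",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "platforms": {"includePlatforms": ["windows"], "excludePlatforms": []},
                       "clientAppTypes": ["browser"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

if __name__ == "__main__":
    for policy_name, issue in review_policies(SAMPLE_POLICIES):
        print(f"[{policy_name}] {issue}")
```

Feed it the array from Graph (or the policies exported by any tool that keeps the Graph field names) and work through the findings top to bottom: an excluded user or group is a credential target, an excluded location is a reason to pivot through the internal network, and a platform or client-app gap is something the User-Agent probe above can confirm.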
