Published on May 6, 2026
Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse
Severity
High
Detail
A new attack technique has been identified that allows threat actors to bypass Microsoft Entra ID (Azure AD) Conditional Access policies, undermining one of the core security controls used to protect cloud environments. The technique leverages weaknesses in device registration and token validation processes to gain unauthorized access without requiring malware or interaction with corporate endpoints.
By abusing these gaps, attackers can make unauthorized sessions appear as compliant and trusted devices, effectively bypassing policies that enforce device-based access restrictions. This issue poses significant risk to organizations relying heavily on Conditional Access and device compliance policies, potentially leading to unauthorized access, data exposure, and full tenant compromise.
How?
The attack begins with a valid set of user credentials, which may be obtained from credential leaks or underground markets. Even if Conditional Access policies would block an ordinary sign-in with those credentials, attackers can exploit exposed Device Registration Service (DRS) endpoints. Using the device code authentication flow, attackers authenticate and register a phantom device without needing a legitimate Windows system. Because the registration is insufficiently validated, non-Windows devices can impersonate trusted endpoints.
Once registered, attackers generate a Primary Refresh Token (PRT) containing falsified device compliance claims. When exchanged for an access token, the system incorrectly treats the session as coming from a compliant device. To further bypass stricter controls, attackers can exploit gaps in Microsoft Intune by falsely claiming hybrid domain-joined status. This allows the rogue device to be marked as compliant even without essential security protections such as BitLocker or antivirus.
With access established, attackers can enumerate directories, access internal applications, and potentially escalate privileges, especially in environments where privileged accounts are synchronized from on-premises systems.
Recommendations
Organizations and administrators are strongly advised to implement the following security measures:
- Enforce Conditional Access policies to block device code authentication flows and require MFA for device registration
- Mandate TPM 2.0 attestation as a prerequisite for issuing Primary Refresh Tokens (PRTs)
- Require external validation of device health rather than relying on self-reported compliance data
- Restrict Microsoft Graph API permissions to prevent bulk directory enumeration
- Limit privileged directory roles to cloud-only accounts managed via Privileged Identity Management (PIM)
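The technique in the "How?" section rests on two observable signals: a device code flow sign-in, and a compliance claim in the token that no MDM record backs up (the "external validation of device health" recommendation above). The following added detection logic, which is not code from the advisory or from Microsoft, cross-checks constructed sign-in records against a constructed Intune inventory; the field names (authenticationProtocol, deviceDetail.isCompliant, complianceState) are assumptions taken from the Microsoft Graph signIn and managedDevice schemas, and every value is made up.

```python
# Added detection example: flag sign-ins that fit the phantom-device pattern.

# Constructed Entra sign-in log records (sample data, not from a real tenant).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "deviceCode",
     "deviceDetail": {"deviceId": "dev-111", "operatingSystem": "Windows 11",
                      "isCompliant": True, "trustType": "Hybrid Azure AD joined"}},
    {"id": "s2", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "oAuth2",
     "deviceDetail": {"deviceId": "dev-222", "operatingSystem": "Windows 11",
                      "isCompliant": True, "trustType": "Azure AD joined"}},
    {"id": "s3", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "oAuth2",
     "deviceDetail": {"deviceId": "dev-333", "operatingSystem": "Windows 11",
                      "isCompliant": True, "trustType": "Azure AD joined"}},
]

# Constructed Intune inventory keyed by Entra device id (assumed schema).
MANAGED_DEVICES = {
    "dev-222": {"operatingSystem": "Windows", "complianceState": "compliant"},
    "dev-333": {"operatingSystem": "Windows", "complianceState": "noncompliant"},
}


def find_suspicious(sign_ins, managed_devices):
    """Return [(sign-in id, [reasons])] for sign-ins worth investigating:
    device code flow use, or a self-reported compliance claim that the MDM
    inventory does not corroborate (missing record, contradicting state, OS)."""
    findings = []
    for entry in sign_ins:
        reasons = []
        if entry.get("authenticationProtocol") == "deviceCode":
            reasons.append("device code flow sign-in")
        detail = entry.get("deviceDetail") or {}
        if detail.get("isCompliant"):
            record = managed_devices.get(detail.get("deviceId"))
            if record is None:
                reasons.append("compliant claim with no MDM record")
            elif record.get("complianceState") != "compliant":
                reasons.append("compliant claim contradicts MDM state")
            elif not detail.get("operatingSystem", "").startswith(record.get("operatingSystem", "")):
                reasons.append("OS in token does not match MDM inventory")
        if reasons:
            findings.append((entry["id"], reasons))
    return findings
```

In a real deployment the same logic runs over sign-in logs exported from Graph or Log Analytics and the managed-device list pulled from Intune, so the compliance claim is checked against a source the registering party cannot write to.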
Conclusion
This attack demonstrates a critical gap in device trust and identity validation within cloud environments. By abusing weaknesses in device registration and token handling, attackers can bypass Conditional Access controls without deploying malware or compromising endpoints.
Organizations that rely heavily on device-based access policies must reassess their security posture, particularly around device trust enforcement, token issuance, and privileged access management. Strengthening these areas is essential to prevent unauthorized access and reduce the risk of full tenant compromise.
Source
https://cybersecuritynews.com/azure-ad-conditional-access-bypassed/
