Entra ID Conditional Access: Sign-in Frequency gotcha

The general idea of the Sign-in Frequency condition in Entra ID Conditional Access seems very appealing: when a user wants to activate their PIM role, you want them to authenticate again to ensure the request is not a replay attack or similar.

So, you set the CA policy to apply Every Time to verify that the proper access controls are in place - and then what? It does not actually request a new authentication - it just bypasses it and lets you in.

This is because the API that actually performs the PIM action only verifies the following rules:

    "status": {
        "status": "InProgress",
        "subStatus": "Granted",
        "statusDetails": [
            {
                "key": "EligibilityRule",
                "value": "Grant"
            },
            {
                "key": "ExpirationRule",
                "value": "Grant"
            },
            {
                "key": "MfaRule",
                "value": "Grant"
            },
            {
                "key": "JustificationRule",
                "value": "Grant"
            },
            {
                "key": "ActivationDayRule",
                "value": "Grant"
            },
            {
                "key": "ApprovalRule",
                "value": "Grant"
            },
            {
                "key": "TicketingRule",
                "value": "Grant"
            },
            {
                "key": "AcrsRule",
                "value": "Grant"
            }
        ]
    },

It checks the access token - which is perfectly natural and in accordance with the OAuth2 protocol. The check is stateless, so the API trusts what is defined within the token.

If you already have a token that carries the Acrs claim with the correct value, you fulfill the AcrsRule check and can call the API directly to request the PIM operation.

The Acrs claim is actually tied to a Conditional Access Policy - it says: "at the time of the request, evaluate the conditions defined in the policy - if they are fulfilled, add the ACR value to the token".

One thing that I keep running into is that there seems to be a way of thinking that the access controls in Entra are always enforced - but the reality is that once an access token is issued all the checks are done and Entra does not get involved anymore.

So, they should probably have checked the token's issued-time against the CA policy before accepting the token.

This means that, as long as you are in possession of an access token with the correct claims in place, the PIM API will not ask you to re-authenticate, even if the Conditional Access Policy says Sign-in Frequency: Every Time.
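To make the gap concrete, here is an added example (not code from the post, and not Microsoft's implementation) that mirrors the AcrsRule from the status output above and adds the issued-time check the post argues is missing. The authentication-context id "c1", the 300-second freshness window and the constructed sample tokens are assumptions for the demo; a real resource API would validate the token signature, issuer and audience before any of this.

```python
import base64
import json
import time

# Assumed policy values (not from the post): the authentication-context id the
# CA policy stamps into the acrs claim, and the maximum token age that a
# "Sign-in Frequency: Every Time" style check would tolerate.
REQUIRED_ACRS = "c1"
MAX_TOKEN_AGE_SECONDS = 300


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token for the demo: JWT layout, dummy signature."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT. The signature is not verified here; a real
    resource API must validate signature, issuer and audience before this."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_pim_token(token: str, now: int) -> dict:
    """AcrsRule as the post describes it, plus the freshness rule it proposes:
    a stale (intercepted) token with the right acrs value passes the first
    but fails the second."""
    claims = decode_jwt_payload(token)
    acrs_ok = REQUIRED_ACRS in claims.get("acrs", [])
    age = now - int(claims.get("iat", 0))
    fresh = 0 <= age <= MAX_TOKEN_AGE_SECONDS
    return {
        "AcrsRule": "Grant" if acrs_ok else "Deny",
        "FreshnessRule": "Grant" if fresh else "Deny",
    }


if __name__ == "__main__":
    now = int(time.time())
    # Constructed tokens: one issued a minute ago, one captured an hour ago.
    fresh = make_unsigned_token({"sub": "user", "acrs": ["c1"], "iat": now - 60})
    stale = make_unsigned_token({"sub": "user", "acrs": ["c1"], "iat": now - 3600})
    print(evaluate_pim_token(fresh, now))  # both rules Grant
    print(evaluate_pim_token(stale, now))  # AcrsRule Grant, FreshnessRule Deny
```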

In other words: if this token has been intercepted, the threat actor can perform PIM actions on behalf of the user - without barriers.

This is, in my opinion, because the API just accepts the token as previously described as truth, which it should - but it does not validate versus Conditional Access Policies, which is an umbrella designed by Microsoft.

I love the idea of this policy condition, but it needs to be enforced by the recipient application.