Bypassing Conditional Access in Azure AD: How a "Trusted Device" Becomes an Attack Vector

The Cyderes article examines an attack against Azure AD Conditional Access in which an attacker holding only a valid username and password can bypass the configured security policies. The key vector is spoofing or creating a "trusted device" through the device registration process, after which the system issues legitimate access tokens to that device.
As a result, the attacker obtains a Primary Refresh Token and becomes a "valid" user from Azure AD's perspective, bypassing MFA and access policies. The core issue is excessive trust placed in device identity, combined with misconfigurations in Conditional Access and Intune, which leaves the protections nominally enabled but ineffective in practice.
Vendors: Cyderes, Microsoft
Products: Azure AD, Conditional Access, Intune, MFA, Primary Refresh Token
Published: 2026-05-12, 10:05