Forum Discussion
johnkimu4
Jan 31, 2024 - Copper Contributor
Questioning Azure PIM Security: Can MFA Requirements Be Bypassed?
Hi everybody,
I recently came up with a scenario to test a use case in which a threat actor could potentially steal your Azure access token. With this token, the actor attempts to elevate privileges within the system by activating a highly privileged role (e.g., Owner) through Azure Privileged Identity Management (PIM).
In my current PIM configuration, I have set it to require multi-factor authentication (MFA) upon role activation. However, I've noticed that when I authenticate using the stolen access token from a non-trusted device, I am still able to activate the Owner role through PIM without being prompted for MFA.
This leads me to question the effectiveness of PIM, and more specifically, the "Require MFA on activation" setting. What security benefits does it provide if it can be bypassed in this manner?
Thank you for your insights,
John
- MatejKlemencic, Brass Contributor
I agree with Joe. Consider experimenting with the Microsoft Entra Conditional Access authentication context feature to compel users to employ more secure authentication methods such as FIDO2, or to mandate the use of a trusted device, if such measures aren't already in place for the initial login process.
- Joe Stocker, Bronze Contributor
This isn't so much a problem with PIM as much as it is making sure you have configured strong authentication methods. Protect the token from adversary-in-the-middle with a FIDO2 key, Passkey, Certificate, or WH4B. There are two primary types of token theft: network based or device based. Evilginx2 is one of a handful of known methods of bypassing MFA, which in turn would bypass PIM if you have not yet set up strong authentication methods for your administrators.
If you are defending against malware lifting the token off the device itself, such as Mimikatz, then we recommend application control policies like AppLocker, WDAC, ASR, and Credential Guard, with a healthy dose of EDR.
Another recommendation is to require trusted devices for your administrators. In my lab, I found this prevents a stolen token from being replayed from unmanaged devices (which is what the attacker's device would be).
Resources:
- Token Theft Playbook Guidance: https://aka.ms/tokentheftplaybook
- Configure Credential Guard: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune
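The Conditional Access authentication context approach that both replies recommend, as an added example (not from the original thread or from Microsoft's documentation): a Microsoft Graph request body for POST /identity/conditionalAccess/policies that binds authentication context "c1" to phishing-resistant MFA plus a compliant device. The group ID is a placeholder, the context ID "c1" is assumed to already exist in the tenant, and the PIM role setting for the privileged role must separately be switched from "Require MFA on activation" to requiring this authentication context on activation; the policy is created in report-only mode so its effect can be checked in sign-in logs before enforcement.

```json
{
  "displayName": "PIM role activation (c1): phishing-resistant MFA and compliant device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<PLACEHOLDER-object-id-of-eligible-admins-group>"]
    },
    "applications": {
      "includeAuthenticationContextClassReferences": ["c1"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["compliantDevice"],
    "authenticationStrength": {
      "id": "00000000-0000-0000-0000-000000000004"
    }
  }
}
```

The authentication strength ID is the built-in "Phishing-resistant MFA" strength; a session token replayed from an unmanaged device then fails the compliant-device control at activation time rather than being accepted on the strength of an earlier MFA claim.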