Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications


What would happen if I simply logged in to this internal Microsoft application with my own Microsoft account? Surely that would not work, right? As it turns out, that depends…

In this talk, I will take a deep dive into the complexities of implementing OAuth using Microsoft Entra ID and discover that the difference between Authentication and Authorization is still hard to grasp.

But who is at fault? There is sometimes a shared responsibility for implementing both. Then we have an “Open Authorization” standard that can be used for only authentication. Most code examples omit the most critical checks. And finally, Microsoft writes about a fix that “prevents the issue completely”. Can we still blame the app developers?

I will present a common critical misconfiguration that looks so simple, yet has been completely overlooked until now. It allowed me to access over 20 internal Microsoft Applications, exposing sensitive data, letting me administer Copilot, build my own version of Windows, approve my own bounty payouts and much more.

By: Vaisha Bernard | Chief Hacker, Eye Security

Presentation Materials Available at:
https://blackhat.com/us-25/briefings/schedule/?#consent–compromise-abusing-entra-oauth-for-fun-and-access-to-internal-microsoft-applications-45128