Stealthy Persistence: Microsoft Entra ID’s Administrative Units Exploited for Backdoor Access

In a recent report by Datadog Security Labs, a potential security risk has been uncovered within Microsoft Entra ID (formerly known as Azure Active Directory). This cloud-based identity and access management (IAM) solution, widely used by enterprises to manage user identities and permissions, features Administrative Units (AUs), which are intended to help streamline and restrict permissions management within large organizations. However, attackers can exploit these AUs to establish persistent, stealthy backdoor access to compromised environments, making it difficult for organizations to detect and eliminate malicious users.

What Are Administrative Units in Microsoft Entra ID?

Administrative Units (AUs) in Microsoft Entra ID allow administrators to delegate and restrict permissions to specific subsets of users, devices, or other objects within an organization. This granularity in access control is similar to how Organizational Units (OUs) are used in Active Directory, allowing admins to assign roles within a defined scope. However, Datadog's research highlights how attackers can misuse these same features to create “sticky” backdoor accounts and gain persistent, undetected access to the tenant.

The Exploit: How Attackers Abuse Administrative Units

Datadog Security Labs has identified two primary attack scenarios where AUs could be exploited:

Scenario 1: Sticky Backdoor Accounts

In this scenario, an attacker creates a backdoor account within a restricted management AU. These restricted AUs can be configured so that only specific administrators are allowed to modify user accounts within them. Even if an attacker’s initial access to the tenant is revoked, their backdoor account could remain untouched because tenant-wide administrators would not be able to modify or remove the account without first removing it from the AU. This provides attackers with persistent access, allowing them to regain control of the environment at any time.

Scenario 2: Covert Role Assignment

In a second, even more stealthy approach, attackers could use hidden membership AUs to hide the list of users assigned to specific roles. By doing so, they could grant powerful roles, such as Privileged Authentication Administrator, to their backdoor account without being detected. This role allows attackers to perform critical actions like resetting MFA methods, modifying passwords, and taking over key accounts, all while avoiding detection from most security analysts.

The Dangers of Persistent and Stealthy Attacks

By combining these two techniques, an attacker can maintain a backdoor account that is both invisible to most administrators and equipped with powerful permissions. These backdoor accounts could remain active for extended periods, enabling the attacker to make changes that go unnoticed by security teams. The consequences of such a persistent attack could be devastating, particularly in environments where sensitive data is handled or mission-critical systems are managed.

The Role of AUs in Cloud Management

Microsoft Entra ID’s AUs are widely used by large enterprises and organizations to manage cloud-based identities across complex environments. The ability to delegate and restrict access is crucial for managing large-scale user bases and ensuring security. However, AUs can also be misused to conceal malicious activity, as attackers can exploit the granular controls and hidden membership features to their advantage.

  • Large organizations: Use AUs to assign administrative roles based on departments, regions, or teams, making permissions management more efficient.
  • IT administrators: Use AUs to restrict roles within certain scopes, ensuring that only specific people or teams have access to sensitive areas.
  • Security teams: Rely on AUs to control and monitor access but must now be aware of how attackers might manipulate these features for stealthy backdoor access.

Datadog’s Research and Findings

Datadog Security Labs discovered that restricted management AUs and hidden membership AUs can be combined to create backdoor accounts with long-lasting persistence. These features, while intended to enhance security and organizational management, can be misused in malicious hands.

The research demonstrated how attackers could:

  • Set up backdoor accounts that are resistant to removal by tenant-wide administrators.
  • Assign powerful administrative roles to these hidden backdoor accounts, allowing attackers to make critical changes like resetting MFA methods or stealing administrator credentials.
  • Conceal these actions from security analysts by using hidden membership AUs, which hide role assignments from most administrators.

Safeguards and Best Practices

While Microsoft Entra ID and its Administrative Units offer powerful tools for managing large cloud environments, organizations must implement safeguards to prevent their misuse. To mitigate the risks associated with this attack vector, security teams should:

  1. Monitor AU Activity: Regularly audit and monitor administrative units for unusual changes or suspicious account activity.
  2. Review Role Assignments: Ensure that role assignments, especially for sensitive roles like Privileged Authentication Administrator, are thoroughly reviewed.
  3. Implement MFA and Conditional Access Policies: Enforce multi-factor authentication (MFA) for all administrators and users with privileged roles, and consider using conditional access policies to limit access based on specific conditions, such as device compliance.
  4. Automate Auditing: Use automated tools to flag hidden or suspicious roles within AUs and investigate any anomalies.
  5. Train and Raise Awareness: Ensure that security teams and IT administrators understand how AUs can be misused and are trained to recognize the signs of backdoor accounts.
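As an added example (not code from the CommandLink post or from Datadog's research), the triage routine below shows what the "Monitor AU Activity" and "Automate Auditing" steps could look like in practice: it takes a snapshot of administrative units and their scoped role assignments and flags the combination described above, hidden membership plus restricted management plus a sensitive role scoped to that unit. The field names follow the shape of Microsoft Graph's administrativeUnit and scopedRoleMembership resources but are assumptions to check against your tenant's actual responses; the role IDs and the sample snapshot are constructed.

```python
# Role template IDs below are CONSTRUCTED placeholders, not real Entra values.
SENSITIVE_ROLES = {
    "role-priv-auth-admin": "Privileged Authentication Administrator",
    "role-global-admin": "Global Administrator",
}

# Constructed sample snapshot, shaped like the responses of
# GET /directory/administrativeUnits and
# GET /directory/administrativeUnits/{id}/scopedRoleMembers (assumed field names).
SAMPLE_AUS = [
    {"id": "au-1", "displayName": "Finance Ops", "visibility": None,
     "isMemberManagementRestricted": False},
    {"id": "au-2", "displayName": "svc-maint", "visibility": "HiddenMembership",
     "isMemberManagementRestricted": True},
]
SAMPLE_SCOPED = [
    {"administrativeUnitId": "au-1", "roleId": "role-helpdesk",
     "roleMemberInfo": {"displayName": "helpdesk-group"}},
    {"administrativeUnitId": "au-2", "roleId": "role-priv-auth-admin",
     "roleMemberInfo": {"displayName": "backup-sync"}},
]


def triage(aus, scoped):
    """Return one finding per AU that a human should review, with the reasons."""
    scoped_by_au = {}
    for s in scoped:
        scoped_by_au.setdefault(s["administrativeUnitId"], []).append(s)
    findings = []
    for au in aus:
        hidden = au.get("visibility") == "HiddenMembership"
        restricted = bool(au.get("isMemberManagementRestricted"))
        # Sensitive roles scoped to this AU, as (role name, assignee) pairs.
        sensitive = [(SENSITIVE_ROLES[s["roleId"]], s["roleMemberInfo"]["displayName"])
                     for s in scoped_by_au.get(au["id"], [])
                     if s["roleId"] in SENSITIVE_ROLES]
        reasons = []
        if restricted:
            # Sticky-account risk: tenant-wide admins cannot manage these members.
            reasons.append("restricted management: confirm who may manage members")
        if hidden and sensitive:
            # Covert role assignment: the role holder list is hidden from most admins.
            reasons.append("sensitive role scoped inside a hidden-membership AU")
        if reasons:
            findings.append({"au": au["displayName"], "reasons": reasons,
                             "sensitive_assignments": sensitive})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUS, SAMPLE_SCOPED):
        print(finding)
```

In a real deployment the two sample lists would be replaced by paged Graph results, and the findings fed to the review step in item 2 above.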

The findings from Datadog Security Labs reveal a significant risk within Microsoft Entra ID's Administrative Units feature, highlighting how attackers can establish persistent backdoor access and conceal their activities. Organizations using Microsoft’s identity management platform should take immediate steps to implement safeguards and enhance monitoring to detect and respond to any suspicious use of AUs. Failure to address these risks could leave organizations vulnerable to long-term, stealthy attacks that compromise their entire cloud infrastructure.
