Federated Domains List

LOW
Note: This indicator is in Early Access.

Description

A Microsoft Entra tenant can federate with an external domain to establish trust with another domain for authentication and authorization. Organizations use federation to delegate authentication for Active Directory users to their on-premises Active Directory Federation Services (AD FS). (Note: the external domain is not an Active Directory "domain".) However, if malicious actors gain elevated privileges in Microsoft Entra ID, they can abuse this federation mechanism to create a backdoor by adding their own federated domain or editing an existing one to add a secondary configuration with their own settings.

Backdoors set on federated domains rely on an attacker-controlled token-signing certificate inserted into the federation configuration, as either the primary or the secondary token-signing certificate. When common open-source attacker tools are used (such as AADInternals with its ConvertTo-AADIntBackdoor cmdlet), the resulting configuration leaves clues that indicate a suspicious event occurred.

In contrast to the "Known Federated Domain Backdoor" Indicator of Exposure (IoE), this IoE does not necessarily indicate backdoors created by an attacker. Instead, it provides a comprehensive list of all federated domains within your Entra ID tenant, allowing you to verify that the issuer URI for each domain matches the external identity provider (IdP) you have configured. Typically, this will be your on-premises AD FS server. The issuer URI represents the URL of the trusted federation server.

As Microsoft explains, the default issuer set for a domain federated to AD FS is http://<ADFSServiceFQDN>/adfs/services/trust. However, this value will differ if you are using a different federated identity provider.

The microsoft.directory/domains/allProperties/allTasks and microsoft.directory/domains/federation/update permissions grant administrators the ability to modify the federated domains. As of November 2023, the following built-in Microsoft Entra roles hold this permission in addition to potential custom roles:

Solution

Review the attributes of each federated domain to assess its legitimacy, validating that you created it intentionally with the configuration specified in your identity provider. In particular, verify the issuer URI, and the issuer and subject attributes of both the primary and secondary token-signing certificates. If everything looks legitimate, you can ignore the federated domain through an exclusion.

Otherwise, if you discover attributes that do not correspond to a trusted federated identity provider (IdP) from your environment, this indicates a potential backdoor from an attacker. Initiate an incident response procedure with a forensic analysis to confirm the alleged attack, identify the origin and time of the attack, and assess the extent of the possible intrusion. Given the elevated privileges necessary for installing this type of backdoor (typically requiring the "Global Administrator" role, alongside lesser-known Entra roles), a potential full compromise of Entra ID is likely.

To view the list of federated domains in the Azure portal, navigate to the "Custom domain names" blade and look for those with a checkmark in the "Federated" column. The name of the potentially malicious domain matches the one flagged in the finding. However, unlike the MS Graph API, the Azure portal does not display the federation technical details.

Use the Microsoft Graph PowerShell cmdlets to list the domains with Get-MgDomain and their federation configuration with Get-MgDomainFederationConfiguration, as follows:

# Sign in with the read-only domain scope required by both cmdlets
Connect-MgGraph -Scopes "Domain.Read.All"
# Keep only federated domains, then print each domain followed by its federation configuration
Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq "Federated" } | ForEach-Object { $_ ; Get-MgDomainFederationConfiguration -DomainId $_.Id }
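As an added example (not part of the original page), the following script extends that listing into the review described in the Solution section: it checks each issuer URI against an allow-list and decodes the primary and secondary token-signing certificates to expose their issuer and subject. The allow-list value and the $ExpectedIssuers, ConvertFrom-SigningCertificate and Test-FederatedDomain names are assumptions.

```powershell
# Added example, not from the original page: audit each federated domain's issuer URI
# and decode its primary and secondary token-signing certificates for review.
# Assumptions: Microsoft.Graph module installed, Domain.Read.All consented, $ExpectedIssuers adapted.

$ExpectedIssuers = @(
    'http://adfs.example.com/adfs/services/trust'   # placeholder AD FS issuer URI
)

function ConvertFrom-SigningCertificate {
    # The federation configuration stores the certificate as base64 DER; decode it.
    param([string]$Base64)
    if ([string]::IsNullOrEmpty($Base64)) { return $null }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

function Test-FederatedDomain {
    # Flag an issuer URI outside the allow-list, and surface any secondary (next)
    # signing certificate: legitimate during AD FS certificate rollover, but also
    # where a backdoor can hide, so it must be checked rather than assumed benign.
    param([string]$DomainId, $Federation, [string[]]$Expected)
    $notes = @()
    if ($Federation.IssuerUri -notin $Expected) {
        $notes += "issuer URI not in allow-list: $($Federation.IssuerUri)"
    }
    if ($Federation.NextSigningCertificate) {
        $notes += 'secondary (next) token-signing certificate present'
    }
    [pscustomobject]@{
        Domain        = $DomainId
        IssuerUri     = $Federation.IssuerUri
        PrimaryCert   = ConvertFrom-SigningCertificate $Federation.SigningCertificate
        SecondaryCert = ConvertFrom-SigningCertificate $Federation.NextSigningCertificate
        NeedsReview   = $notes.Count -gt 0
        Notes         = $notes -join '; '
    }
}

Connect-MgGraph -Scopes 'Domain.Read.All'
Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' } | ForEach-Object {
    $domainId = $_.Id
    Get-MgDomainFederationConfiguration -DomainId $domainId |
        ForEach-Object { Test-FederatedDomain -DomainId $domainId -Federation $_ -Expected $ExpectedIssuers }
} | Format-List
```

Any entry with NeedsReview set to True should be compared against the certificates your identity provider actually uses before deciding whether to exclude the domain or start incident response.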

After saving evidence for eventual forensic analysis:

You can follow this remediation guide from Microsoft "Emergency rotation of the AD FS certificates".

To confirm the operation, ensure that the reported finding from this Indicator of Exposure has been resolved and cleared.

Additionally, it's crucial to anticipate that the attacker may have established other persistence mechanisms, such as backdoors. Seek assistance from incident response experts to help identify and eliminate any additional threats.

Note that this type of attack abuses federation, a normal and legitimate feature of Microsoft Entra ID. To prevent future attacks, limit the number of administrators who can modify federation settings. This is a proactive measure, as an attacker would need elevated privileges to create such a backdoor. Review the vulnerability description for specific permissions and a list of roles.

Indicator Details

Name: Federated Domains List

Codename: FEDERATED-DOMAINS-LIST

Severity: Low

MITRE ATT&CK Information: