Federation Signing Certificates Mismatch

HIGH

Description

A Microsoft Entra tenant can federate with an external domain to establish trust with another domain for authentication and authorization. Organizations typically use federation to delegate authentication of their Active Directory users to an on-premises Active Directory Federation Services (AD FS) farm. (Note: the federated "domain" is a custom DNS domain name registered in the tenant, not an Active Directory domain.) However, if malicious actors gain elevated privileges in Microsoft Entra ID, they can abuse this mechanism to create a backdoor by adding a secondary token-signing certificate, whose private key they control, to the legitimate federation configuration. This would enable the following actions:

  • Impersonation: With the private key of the malicious secondary token-signing certificate, the attacker can forge federation tokens and authenticate as any Microsoft Entra user without knowing or resetting their password. This includes "cloud-only" users (not hybrid) and external users. This allows attacks on Microsoft Entra ID, Microsoft 365, and any other application that relies on Microsoft Entra ID as an Identity Provider (SSO), even if you enforce MFA (see below).
  • Privilege escalation: The attacker can impersonate any user, particularly privileged Microsoft Entra users.
  • Multi-Factor Authentication bypass: With federated authentication, the trusted external domain takes on the role of enforcing MFA. A token forged with the malicious secondary token-signing certificate can falsely assert that the spoofed authentication already satisfied MFA, which Microsoft Entra ID trusts, so it does not prompt again. This allows the attacker to impersonate all users even where MFA is enforced.
  • Persistence: Adding a malicious secondary token-signing certificate to an existing federated domain is a stealthy technique that allows attackers who compromised the Microsoft Entra tenant and obtained high privileges to regain access later, independently of any password reset or session revocation.

This Indicator of Exposure detects any mismatch in the Subject or Issuer attributes between the primary and secondary token-signing certificates (if present), as this could indicate that the secondary token-signing certificate is illegitimate and potentially malicious.

Also, refer to the related Indicator of Exposure "Known Federated Domain Backdoor".

The federation protocol used to transmit the authentication proof from the compromised federated domain to the targeted Microsoft Entra ID can be either WS-Federation or SAML. When using SAML, the attack resembles a "Golden SAML" attack, with these key differences:

  • Instead of stealing the legitimate SAML signing key of an existing federation, the attackers inject their secondary signing certificate with their own key.
  • Attackers present the forged token to Microsoft Entra ID, which then issues its own tokens for every application trusting the tenant, rather than presenting a forged SAML response to one specific service provider.

The microsoft.directory/domains/allProperties/allTasks and microsoft.directory/domains/federation/update permissions grant administrators the ability to modify federated domains. As of November 2023, the following built-in Microsoft Entra roles hold these permissions, in addition to any custom roles that include them:

The APT29 threat group abused this method in the December 2020 SolarWinds supply-chain campaign (tracked by Microsoft as "Solorigate"), as documented by Microsoft and by Mandiant. This technique is also documented in several articles: "Security vulnerability in Azure AD & Office 365 identity federation", "How to create a backdoor to Azure AD - part 1: Identity federation", and "Deep-dive to Azure Active Directory Identity Federation".

Solution

This finding indicates a potential backdoor from an attacker.

To start, examine the secondary token-signing certificate and pay close attention to any reported attribute(s) that do not match the primary certificate. Verify the legitimacy of these attributes within your organization. Seek confirmation from your Entra ID administrators regarding any modifications made to the federation configuration of the reported domain that includes this secondary certificate.

A secondary token-signing certificate is commonly used to rotate the primary certificate as it nears expiration, and in that case its Subject and Issuer normally match the primary one (AD FS automatic certificate rollover reuses the same self-signed subject). It becomes a security issue when the certificate is clearly malicious, or when no administrator recognizes it, which makes it potentially malicious. In such cases, initiate an incident response procedure with forensic analysis to confirm the alleged attack, identify the origin and time of the attack, and assess the extent of the possible intrusion.

To view the list of federated domains in the Azure portal, navigate to the "Custom domain names" blade and look for those with a checkmark in the "Federated" column. The name of the potentially malicious domain matches the one flagged in the finding. However, unlike the MS Graph API, the Azure portal does not display the federation technical details.

Use PowerShell cmdlets from MS Graph API to list the domains with Get-MgDomain and their federation configuration with Get-MgDomainFederationConfiguration, as follows:

Connect-MgGraph -Scopes "Domain.Read.All"
# Prints each federated domain followed by its federation configuration; the SigningCertificate
# and NextSigningCertificate properties hold the primary and secondary certificates as base64 DER
Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq "Federated" } | ForEach-Object { $_ ; Get-MgDomainFederationConfiguration -DomainId $_.Id }
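The following script is an added example, not part of the original indicator page or Microsoft's tooling. It reproduces the check this Indicator of Exposure performs (the Subject/Issuer comparison described in the Description) on top of the cmdlets above: it decodes the base64 DER certificates from each federation configuration, compares the primary and secondary certificates, and reports thumbprints and validity dates so you can match them against your AD FS farm. The function name Test-FederationSigningCertificateMismatch is an assumption introduced here; it assumes the Microsoft.Graph PowerShell SDK is installed and the account has the Domain.Read.All scope.

```powershell
# Added example (not from the original page): replicate the indicator's Subject/Issuer
# comparison over live federation configurations. Requires the Microsoft.Graph SDK
# and the Domain.Read.All scope. Function name is an assumption of this example.
function Test-FederationSigningCertificateMismatch {
    param(
        [Parameter(Mandatory)] [string] $DomainId,
        [Parameter(Mandatory)] $FederationConfiguration   # object from Get-MgDomainFederationConfiguration
    )

    # Both properties hold the raw certificate as base64-encoded DER (no PEM headers)
    $primaryB64   = $FederationConfiguration.SigningCertificate
    $secondaryB64 = $FederationConfiguration.NextSigningCertificate

    if ([string]::IsNullOrEmpty($secondaryB64)) {
        return [pscustomobject]@{
            Domain       = $DomainId
            HasSecondary = $false
            Mismatch     = $false
            Details      = 'No secondary (next) token-signing certificate configured'
        }
    }

    $primary   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($primaryB64))
    $secondary = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($secondaryB64))

    # Same attributes the indicator compares; a difference is the finding's trigger condition
    $mismatches = @()
    if ($primary.Subject -ne $secondary.Subject) { $mismatches += "Subject: '$($primary.Subject)' vs '$($secondary.Subject)'" }
    if ($primary.Issuer  -ne $secondary.Issuer)  { $mismatches += "Issuer: '$($primary.Issuer)' vs '$($secondary.Issuer)'" }

    [pscustomobject]@{
        Domain              = $DomainId
        HasSecondary        = $true
        Mismatch            = ($mismatches.Count -gt 0)
        PrimaryThumbprint   = $primary.Thumbprint
        PrimaryNotAfter     = $primary.NotAfter
        SecondaryThumbprint = $secondary.Thumbprint
        SecondaryNotAfter   = $secondary.NotAfter
        Details             = ($mismatches -join '; ')
    }
}

Connect-MgGraph -Scopes "Domain.Read.All"
Get-MgDomain -All |
    Where-Object { $_.AuthenticationType -eq "Federated" } |
    ForEach-Object {
        $domainId = $_.Id
        foreach ($cfg in (Get-MgDomainFederationConfiguration -DomainId $domainId)) {
            Test-FederationSigningCertificateMismatch -DomainId $domainId -FederationConfiguration $cfg
        }
    } | Format-Table -AutoSize
```

A matching Subject and Issuer is not proof of legitimacy: an attacker can mint a self-signed certificate with the same subject as the genuine AD FS one, which is why the thumbprints are reported too. On the AD FS server, compare them with the output of Get-AdfsCertificate -CertificateType Token-Signing; any thumbprint in the tenant's federation configuration that AD FS does not know about is unexplained and should be treated as the backdoor described above until proven otherwise.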

After saving evidence for forensic analysis (including the full output of the cmdlets above), remove the malicious secondary token-signing certificate. Because Microsoft doesn't offer a direct method to remove only this certificate from the federation configuration, the simplest approach is to disable the domain's federation, or remove the affected domain entirely to clear its federation configuration, and then set federation up again. Be cautious of the timing, as users relying on this federated domain cannot authenticate during this process. If you configured federation using Microsoft Entra Connect, use it to perform this operation. If you configured it manually, re-create the configuration with Update-MgDomainFederationConfiguration using the same method you used to set it up originally. You can follow Microsoft's remediation guide "Emergency rotation of the AD FS certificates".

To confirm the operation, ensure that the reported finding from this Indicator of Exposure has cleared. Additionally, it is important to anticipate that the attacker may have set up other persistence mechanisms such as backdoors. Seek assistance from incident response experts to help identify and eliminate these additional threats.

Note that this type of attack abuses federation which is a normal and legitimate feature of Microsoft Entra ID. To prevent future attacks, limit the number of administrators who can modify federation settings. This is a proactive measure since an attacker must have high privileges to create such a backdoor. Check the vulnerability description for specific permissions and a list of roles.

Indicator Details

Name: Federation Signing Certificates Mismatch

Codename: FEDERATION-SIGNING-CERTIFICATES-MISMATCH

Severity: High

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: