Develop Reference

Recreating Malicious login in Azure AD

We had a user's creds exposed and a threat actor used them to successfully log in to Azure CLI with the user's creds.
We've since resolved the access issue using conditional access and our MFA (which admittedly was a hole).
I'm trying to recreate the method of attack though and I can't seem to get it right.
Here is the activity details for the malicious sign-in:
Application
Microsoft Azure CLI
Application ID
04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource
Windows Azure Service Management API
Resource ID
797f4846-ba00-4fd7-ba43-dac1f8f63013
Resource tenant ID
LEft out
Home tenant ID
Left out
Home tenant name
Client app
Mobile Apps and Desktop clients
Client credential type
None
Service principal ID
Service principal name
Resource service principal ID
d2b4c9e3-9a2a-4360-8ba4-6ece086335c5
Unique token identifier
Left Out
Token issuer type
Azure AD
Token issuer name
Incoming token type
None
Authentication Protocol
ROPC
Latency
90ms
Flagged for review
No
User agent
Looks like they used ROPC detailed here https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
I've tried emulating it through Azure CLI directly but it doesn't report back "ROPC" as authentication. So they are definitely calling through ROPC.
Then I tried emulating it with my creds in Postman and I get almost the same result as above in the sign-in log:
Application
Microsoft Azure CLI
Application ID
04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource
Microsoft Graph
Resource ID
00000003-0000-0000-c000-000000000000
Resource tenant ID
Left out
Home tenant ID
Left out
Home tenant name
Client app
Mobile Apps and Desktop clients
Client credential type
None
Service principal ID
Service principal name
Resource service principal ID
e10569b0-24e4-4495-9d9b-698b01290eae
Unique token identifier
Left out
Token issuer type
Azure AD
Token issuer name
Incoming token type
None
Authentication Protocol
ROPC
Latency
108ms
Flagged for review
No
User agent
PostmanRuntime/7.30.0
As you can see it's very similar, but mine is reporting "Microsoft Graph" while the malicious entry reports Windows Azure Service Management API.
Can someone point me in the right direction?

Windows Azure Service Management API refers to the Azure Resource management API.
I tried checking Sign in Logs and the Service Principal Sign In’ Logs has Windows Azure Service Management API refer here :-
Note- The above sign in log is of the Service principal sign in with
Client credentials flow. You can find that Service principal by
copying its Application ID and pasting it in app registrations page or
enterprise application page of Azure AD.
I tried to log in to Azure with service principal named Powershell with ROPC Flow via Postman
Received Access token like below :-
Called Graph API
Got resource as Microsoft Graph in Sign in Logs similar to you:-
Now, I tried calling Azure Resource management API to get list of Azure resources from my account with the same Flow and got the Resource set to Windows Azure Service Management API like below :-
Added Azure Service Management API permissions:
Now, I changed the scope to https://management.azure.com/default like below:
Fetch the access token from above call and ran below query to get list of resources:
When I checked sign in logs now, it’s showing ROPC with Windows Azure Service Management API resource like below:

Azure Active Directory Oauth 2.0 Client Credentials Flow with API Management Access Token issue

I have had been struggling to make my Azure Active Directory Oauth 2.0 Client Credentials Flow work with API Management. but I get authenticated via postman too. But in return I do not get any access token just a bunch of HTML. How can I fix this? The settings of the applications are exactly as per the documents including the validation of JWT Policy.
Basically I want my client apps to connect with my azure API's using Oauth 2.o without any consent using provided client id/secret. I'm trying to set this up for now with ECHO API provided out of the box with API Management console.
thanks
Postman Access token Error Screen

To use application permissions with your own API (as opposed to Microsoft Graph), you must first expose the API by defining scopes in the API's app registration in the Azure portal. Then, configure access to the API by selecting those permissions in your client application's app registration. If you haven't exposed any scopes in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.
For an example, if I sent scope parameter with custom name like https://testwebapp.in/.default without configuring same as application ID URI in Azure AD then is an expected behavior and you will get error AADSTS500011.
scope parameter in the request should be the resource identifier (application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value tells the Microsoft identity platform that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#application-permissions

Azure API Management + Azure Function and managed identity

I'm trying to call an Azure function from an API Management instance by using Managed Identity.
I have set a System Managed Identity to my APIM instance.
I have granted the Contributor role to this identity on the Azure Function App.
I have also change the App Service Authentication to AD.
Now I'm trying to call the function from an API.
I have two issues:
First One: when I use the authentication-managed-identity policy to get a token, I got an error when I use the audience https://myfunctionapp.azurewebsites.net. AD tells me that this app is not registered in the tenant
Second: If I retrieve a token for https://management.azure.com, I got a token but I received a 401 Unauthorized error from the Azure Function.
Maybe I'm just trying to get a token on the wrong audience, but unfortunately the audience of functions is not listed in the document (for service bus for example, there is a common URI to use, also for KeyVault, ...).
I think that I probably missed something in the picture...
Thanks.

You need to use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service.
https://learn.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#ManagedIdentity
EDIT
1-In your APIM application on Azure AD,
grab the Application ID assigned for enterprise application.
2-Then go to Platform features in your Azure Function App, and click on Authentication / Authorization.
3-Select Azure Active Directory as the authentication provider, and the management mode "express".
4-Back to authentication-managed-identity policy, set the Application ID from step 1 as the resource.

you need to add the url in apim required resource. If you're planning to use delegated flow. To check if the issue is with the url registration you can use the AppId instead. This will at least tell you if the token can be retrieved.

Credentials prompt for access to Azure management APIs

I've been using the Azure fluent management APIs (https://github.com/Azure/azure-libraries-for-net) with some success in .NET Core.
However, I want to prompt the user to enter some credentials for a Microsoft account. Those credentials would have access to one or more Azure tenants / subscriptions, so I'd like to be able to use the result to browse and manage resources there.
This is something very close to what I would believe Azure Data Studio does: you can enter some Azure creds, and your resources will appear in the app.
I'm trying to understand the best approach for this. There seem to be a billion sites out there when you talk about Azure AD app registrations, but I haven't found a fruitful specific search query yet. I know I can register an app, get a client ID and client secret. I know I can set it to be usable by organisational accounts in the current tenant, or all tenants.
I can add the "Azure Service Management (delegated permissions : user_impersonation)" permission to my API permissions section for the app, but what's next?
If I use Microsoft.Identity.Client (as in https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon), I run into some questions:
AcquireTokenForClientAsync doesn't prompt the user - I guess because it's getting a token for the app to act with its own permissions?
AcquireTokenOnBehalfOfAsync wants a JWT.. great! I'll pass the one I got from AcquireTokenForClientAsync! Nope, AADSTS70002: Error validating credentials. AADSTS500137: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint.
I don't know what scope I want. https://management.azure.com/user_impersonation is apparently invalid.. https://management.azure.com/.default works, but is that right? It's a guess, combo of the former and a .default suffix I found for Graph API scopes online. Any docs on this?
I ultimately get a JWT and tenant ID back. I can't find a way to use a JWT with the Fluent management APIs.. and my account (for instance) is associated with 3 tenants or 5 different tenants / directories - so how do I choose?
That's just what I've tried, the appropriate route might be a different one. In summary: I want a .NET Core Console app to request user credentials, and then get access to the Azure resources they have access to, in order to perform some resource management.

AcquireTokenForClientAsync doesn't prompt the user - I guess because it's getting a token for the app to act with its own permissions?
You are using the OAuth 2.0 client credentials grant to access web-hosted resources by using the identity of an application. This type of grant commonly is used for server-to-server interactions that must run in the background, without immediate interaction with a user .
AADSTS70002: Error validating credentials. AADSTS500137: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint.
Azure AD provide two service : Azure AD V1.0 and Azure AD V2.0 . Please refer to Comparing the Azure AD v2.0 endpoint with the v1.0 endpoint . You can't use v1 token to acquire v2's token in a on-behalf-of flow .
AcquireTokenOnBehalfOfAsync wants a JWT.. great! I'll pass the one I got from AcquireTokenForClientAsync
AS pointed above , That function is used to acquire an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. So you can't use app token which acquire using Client Credential flow .
https://management.azure.com/.default works, but is that right? It's a guess, combo of the former and a .default suffix I found for Graph API scopes online. Any docs on this?
You are using the Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow , when sending a POST request to the /token v2.0 endpoint ,the scope should be :
The value passed for the scope parameter in this request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value informs the v2.0 endpoint that of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use.
Please check the Get a tokensection in above document .
I ultimately get a JWT and tenant ID back. I can't find a way to use a JWT with the Fluent management APIs..
AFAIK , currently Azure AD V2.0 apps can use:
Its own API
Microsoft Outlook APIs
Microsoft Graph API
Azure AD V2.0 currently doesn't support Azure management APIs .
So you problem is you need to allows work and school accounts from Azure AD and personal Microsoft accounts (MSA) which works with Azure AD V2.0 , but you can't use Azure management APIs . You can use Azure management APIs in Azure AD V1.0 but it allows only work and school accounts to sign in to your application , unless you invite Microsoft accounts as guest user in Azure AD V1.0 ,but you need to configure to point to the tenant-specific endpoint :https://login.microsoftonline.com/{TenantId_or_Name}). during authentication if you want to login with MSA in v1.0 apps.
Update:
You can use Code flow and azure ad v1.0 endpoint , user will be redirect to AAD's login page and enter their credential. Here is code sample for .net Core .
With Azure AD V1.0 endpoint , requests are sent to an endpoint that multiplexes across all Azure AD tenants: https://login.microsoftonline.com/common . When Azure AD receives a request on the /common endpoint, it signs the user in and, as a consequence, discovers which tenant the user is from. See document here . But in this scenerio ,you can only use work and school accounts(AAD) account to login .
The code sample in your link is using Azure Service Principal for Authentication , no interactive user login . You can use OpenID Connect Owin Middleware for authentication in .net Core applications as shown here .

What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification

I'm trying to invoke an authentication process with a windows Azure AD tenant application using oAuth 2.0 by using curl. But I couldn't figure out what is the parameter "resource' in below sample code:
curl -X POST https://login.windows.net/<<YOUR--AD-TENANT-ID>>/oauth2/token \
-F redirect_uri=http://google.com \
-F grant_type=authorization_code \
**-F resource=https://management.core.windows.net/ \**
-F client_id=87a544fd-... \
-F code=AwABAAAAvPM1...8sSAA

Resource parameter depicts the identifier of the WebAPI that your client wants to access on behalf of the user. Most flows in OAuth involve 4 parties, the resource owner (aka user), the client (aka app), the authority (aka identity provider) and the resource (aka webapi). The audience of the access token that the authority generates is the resource identifier.
In the case of Azure AD you can either use the Client ID or the App ID URI of the resource WebAPI (Find them in the configure tab of the Azure AD application in the Azure Management portal). For instance, if I want my client to get a token to access the Azure AD Graph API on behalf of the user, I would request for a token for resource "https://graph.windows.net". In your example, the resource parameter value identifies the Azure Service Management APIs.
Here are some code samples of Client Apps using Azure AD SDKs to request for tokens to WebAPIs - different usages of the resource parameter:
Mobile apps calling WebAPI: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx#BKMK_Native
Web apps calling WebAPI: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx#BKMK_AppToAPI
Clients calling Graph API: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx#BKMK_Graph
Hope this helps.

In simple words resource parameter contain the URI of the Web API resource, you want to access.
OAuth protocol follows the Token based access to the resources. Parameter "resource" helps to distinguish between tokens for different WEB API.
For example if you want to access GRAPH API- then resource will be- "https://graph.windows.net/"
If you want to access AZURE, The resource parameter must specified as- "http://management.azure.com".
It is recommended to use this parameter, Although it is not compulsory.