Checking Conditional Access Policies in Azure: A Practical Guide


2025-02-15

Conditional Access Policies (CAPs) in Azure are critical for securing access to resources. However, checking these policies typically requires the `Policy.Read.All` permission, which is only available to highly privileged roles. Thanks to a technique shared by Dirk-jan Mollema in Roadrecon (Roadrecon GitHub), it’s now possible to enumerate these CAPs as a normal user. This guide will walk you through the process and provide practical commands to implement this in your environment.

Step-by-Step Guide

1. Install Roadrecon

Roadrecon is a tool for auditing Azure AD environments. You can install it using the following commands:

git clone https://github.com/dirkjanm/Roadrecon.git
cd Roadrecon
pip install -r requirements.txt

2. Enumerate Conditional Access Policies

Use Roadrecon to enumerate CAPs. The following commands authenticate, gather the tenant data, and export the policies to a CSV file:

python roadrecon.py auth -u <your-username> -p <your-password> --cap
python roadrecon.py gather
python roadrecon.py export --cap

3. Check for CAP Exclusions

After exporting, review the CSV file for CAPs with exclusions (excluded users, groups, or applications). An exclusion is a scope where the policy does not apply, so these are the entries to scrutinize first: they are potential targets for abuse.

4. Abuse CAP Exclusions with GraphRunner

If you find CAPs with exclusions, you can attempt to abuse them using GraphRunner. Here’s how:

python graphrunner.py --target <excluded-user> --cap <policy-id>
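The review in step 3 can be scripted instead of done by hand. The following is an added example, not code from the original post or from Roadrecon: it parses a small constructed CSV export (the column names are an assumption; adapt them to your own export) and reports every policy that carries an exclusion, noting whether the policy is actually enforced.

```python
"""Flag Conditional Access Policies that carry exclusions in an exported CSV."""
import csv
import io

# Constructed sample export for this example. The column names are an
# assumption; match them to the columns of the export you actually have.
SAMPLE_CSV = """displayName,state,includeUsers,excludeUsers,excludeGroups,excludeApplications
Require MFA for all users,enabled,All,breakglass@contoso.example,,
Block legacy auth,enabled,All,,Legacy Service Accounts,
Require compliant device,enabledForReportingButNotEnforced,All,,,Office 365
Block untrusted locations,disabled,All,,,
"""


def parse_list(field):
    """Split a semicolon-separated CSV field into a list of non-empty items."""
    return [item.strip() for item in field.split(";") if item.strip()]


def find_exclusions(csv_text):
    """Return one finding per policy that has any exclusion configured.

    A finding records the policy name, whether it is enforced (state is
    'enabled', not report-only or disabled) and who is exempted from it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exclusions = {
            "users": parse_list(row.get("excludeUsers", "")),
            "groups": parse_list(row.get("excludeGroups", "")),
            "applications": parse_list(row.get("excludeApplications", "")),
        }
        if not any(exclusions.values()):
            continue  # no exclusion on this policy, nothing to report
        findings.append({
            "policy": row["displayName"],
            "enforced": row.get("state", "") == "enabled",
            "exclusions": exclusions,
        })
    return findings


def unenforced_policies(csv_text):
    """Return names of policies that are disabled or report-only."""
    return [row["displayName"] for row in csv.DictReader(io.StringIO(csv_text))
            if row.get("state", "") != "enabled"]


if __name__ == "__main__":
    for f in find_exclusions(SAMPLE_CSV):
        status = "enforced" if f["enforced"] else "NOT enforced"
        print(f"{f['policy']} ({status}): {f['exclusions']}")
    print("Unenforced:", unenforced_policies(SAMPLE_CSV))
```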

Practical Commands for Azure Security

  • List All Azure AD Roles

    az role definition list --query "[].{roleName:roleName, description:description}" --output table

  • Check User Permissions

    az role assignment list --assignee <user-principal-name> --output table

  • Audit Conditional Access Policies

    az ad policy list --query "[].{displayName:displayName, policyId:policyId}" --output table

What Undercode Say

Conditional Access Policies are a cornerstone of Azure security, but their complexity can lead to misconfigurations. By leveraging tools like Roadrecon and GraphRunner, even non-privileged users can audit and potentially exploit these policies. This highlights the importance of regular audits and least privilege principles in cloud environments.

For further reading, check out the official Microsoft documentation on Conditional Access Policies and the Roadrecon GitHub repository.

In Linux environments, you can use similar auditing techniques with tools like `auditd` to monitor access controls. For example:

sudo auditctl -w /etc/passwd -p wa -k passwd_changes

This command monitors changes to the `/etc/passwd` file, which is critical for user management.

On Windows, you can use PowerShell to audit security policies:

Get-AzureADPolicy | Format-Table DisplayName, PolicyId

This command lists all Azure AD policies, similar to the Azure CLI command provided earlier.

By combining these tools and techniques, you can ensure a robust security posture across both cloud and on-premises environments. Always remember to follow ethical guidelines and obtain proper authorization before performing security audits.
