
Highly experimental – Bypassing trusted device requirements for Azure CLI in restricted environments where APIs are only available to browser sessions

Some environments require a trusted device to access APIs from mobile and desktop clients (which Azure CLI is categorized as). In such situations you can try to work around the restriction when browser clients can still reach Azure management through a browser session.

Tool repo: https://github.com/jsa2/EAST

Operation principle of the tool

Used for Azure security scanning by EAST (Extensible Azure Security Tool): https://github.com/jsa2/EAST#extensible-azure-security-tool

Uses the API https://portal.azure.com/api/DelegationToken to replace the tokens in Azure CLI's msal_token_cache.json, so that Azure security scans can run in restricted environments.

CA policy coverage that the tool relies on:
  • mobile apps and desktop clients: requires trusted device
  • Browser: MFA only, no trusted device required

Disclaimer

⚠️ This tool is only meant for security research and pre-agreed scanning of Azure environments, where otherwise heavy restrictions prohibit Azure CLI use in mobile apps and desktop clients.

  • This tool does not work if browser access is not available without a trusted device.

⚠️ This is not a hack; it bypasses Conditional Access device requirements only when the APIs have intentional or unintentional gaps which allow accessing the Azure management portal with MFA alone.
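A defender-side check for the policy gap described above, added here as an example (it is not part of the EAST tool or of the original post): it walks a list of Conditional Access policies in the shape Microsoft Graph returns from /identity/conditionalAccess/policies and reports whether mobile apps and desktop clients require a trusted device while browser sessions do not. The policy list is a constructed sample; in a real tenant you would feed it the Graph response.

```python
# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies); illustrative values, not from any real tenant.
SAMPLE_POLICIES = [
    {"displayName": "Require compliant device for desktop and mobile", "state": "enabled",
     "conditions": {"clientAppTypes": ["mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]}},
    {"displayName": "Require MFA in browser", "state": "enabled",
     "conditions": {"clientAppTypes": ["browser"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device everywhere (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}
CLIENT_TYPES = ("browser", "mobileAppsAndDesktopClients")

def requires_trusted_device(policy):
    """True if an enforced policy can only be satisfied with a device-based control.
    Report-only policies block nothing; with operator OR, a policy that also offers
    mfa can be satisfied without a device, so it is not a device requirement."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if not controls & DEVICE_CONTROLS:
        return False
    return grant.get("operator", "OR") == "AND" or controls <= DEVICE_CONTROLS

def covers_client_type(policy, client_type):
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return "all" in types or client_type in types

def device_coverage(policies):
    """Enforced device-requiring policies per client type (assumes all target the same users and apps)."""
    return {ct: [p["displayName"] for p in policies
                 if requires_trusted_device(p) and covers_client_type(p, ct)]
            for ct in CLIENT_TYPES}

def find_browser_gap(policies):
    """The gap this post relies on: desktop/mobile clients must present a trusted
    device while a browser session reaches Azure management with MFA alone."""
    cov = device_coverage(policies)
    return bool(cov["mobileAppsAndDesktopClients"]) and not cov["browser"]

if __name__ == "__main__":
    print(device_coverage(SAMPLE_POLICIES))
    print("browser gap present:", find_browser_gap(SAMPLE_POLICIES))
```

Closing the gap means extending the device requirement to the browser client app type (or to all client types) in an enforced policy, after which find_browser_gap returns False.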


User unable to sign in with Azure CLI because a compliant device is required

Example policies

Policy that requires a compliant device for mobile apps and desktop clients

Sign-in event example for trusted device

Setup

Prerequisites

  • Azure Cloud Shell Bash (or WSL/Linux bash)
  • Azure CLI installed
  • MSAL cache needs to be located at ~/.azure/msal_token_cache.json
  1. Run az account clear to ensure no previous sessions exist
  2. Do not run az login unless you need to confirm that Conditional Access is blocking your particular use case

Start

touch sh/portalAuth.json
touch sh/delegationgGuids.json


  1. In the browser developer tools, filter the request URLs for ”DelegationToken”
  2. Copy the ”Request Payload” object
  3. Paste the object into this workspace as ”sh/portalAuth.json”
  4. Paste the session GUIDs into this workspace as ”sh/delegationgGuids.json”, in the form "browserId=234f7f49-d517-4590-b295-cd08618d966c; portalId=234f7f49-d517-4590-b295-cd08618d966c"
  5. Run node sh/getDelegationTokens.js getDelegationTokens
  6. In Azure CLI run az resource list to verify that access works
