A new feature introduced by Microsoft in June 2023, called Azure AD Cross-Tenant Synchronization (CTS), has created a new potential attack surface that might allow threat actors to more easily spread laterally to other Azure tenants.
Azure AD CTS is a feature that allows organizations to synchronize user identities and groups across multiple Azure Active Directory tenants. This can be useful for scenarios such as mergers and acquisitions, cross-tenant collaboration, or multi-tenant applications.
Azure AD CTS works by creating a trust relationship between two or more Azure AD tenants, and then using the Microsoft Graph API to sync the selected user identities and groups. The synced identities are called shadow principals, and they have the same attributes and permissions as the original principals in the source tenant.
In a recent blog post, Vectra AI researchers highlighted a new attack vector that can be exploited by attackers using CTS. The attack works by first creating a new user account in the attacker's tenant. This user account is then granted access to the target tenant using CTS. Once the user account is synchronized to the target tenant, the attacker can then use that account to access resources in the target tenant.
How to Avoid the Azure AD Cross-Tenant Synchronization Attack
- Review your CTS configuration. Make sure that you only synchronize users and groups that need access to resources in the target tenant.
- Monitor your Azure AD logs. Look for suspicious activity, such as new users being created or access to resources being granted to unauthorized users.
- Use multi-factor authentication (MFA). MFA adds an additional layer of security to your Azure AD accounts, making it more difficult for attackers to gain unauthorized access.
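Reviewing the CTS configuration (the first item above) in practice means checking, for each partner tenant, whether inbound user sync, automatic consent redemption and trust of the partner's MFA claims are enabled. The following added example is not from the article or from Vectra AI; it runs that check over a constructed sample of the Microsoft Graph cross-tenant access policy responses, and it assumes the field names of the Graph crossTenantAccessPolicyConfigurationPartner and crossTenantIdentitySyncPolicyPartner resources.

```python
import json

# Constructed sample of GET /policies/crossTenantAccessPolicy/partners (trimmed).
PARTNERS_JSON = """{"value": [
  {"tenantId": "11111111-1111-1111-1111-111111111111",
   "automaticUserConsentSettings": {"inboundAllowed": true, "outboundAllowed": false},
   "inboundTrust": {"isMfaAccepted": true}},
  {"tenantId": "22222222-2222-2222-2222-222222222222",
   "automaticUserConsentSettings": {"inboundAllowed": false, "outboundAllowed": false},
   "inboundTrust": {"isMfaAccepted": false}}
]}"""

# Constructed sample of GET .../partners/{tenantId}/identitySynchronization per
# partner; None stands for the 404 Graph returns when CTS is not configured.
SYNC_BY_TENANT = {
    "11111111-1111-1111-1111-111111111111": {"userSyncInbound": {"isSyncAllowed": True}},
    "22222222-2222-2222-2222-222222222222": None,
}


def assess_partner(partner, sync):
    """Return the settings on one partner entry that widen the CTS attack surface."""
    findings = []
    # Inbound sync lets the partner push (shadow) users into this tenant.
    if sync and sync.get("userSyncInbound", {}).get("isSyncAllowed"):
        findings.append("inbound user sync allowed")
    # Automatic consent redemption removes the invitation prompt a synced user
    # would otherwise have to accept, so provisioning needs no interaction here.
    consent = partner.get("automaticUserConsentSettings") or {}
    if consent.get("inboundAllowed"):
        findings.append("inbound automatic consent redemption enabled")
    # Trusting the partner's MFA claim means MFA is satisfied in a tenant this
    # tenant does not control; only a concern once inbound access exists.
    if findings and (partner.get("inboundTrust") or {}).get("isMfaAccepted"):
        findings.append("partner tenant MFA claims trusted")
    return findings


def review_cts(partners_doc, sync_by_tenant):
    """Map each partner tenant ID to its findings; partners with none are omitted."""
    report = {}
    for partner in json.loads(partners_doc)["value"]:
        tid = partner["tenantId"]
        findings = assess_partner(partner, sync_by_tenant.get(tid))
        if findings:
            report[tid] = findings
    return report


if __name__ == "__main__":
    for tid, findings in review_cts(PARTNERS_JSON, SYNC_BY_TENANT).items():
        print(tid, "->", "; ".join(findings))
```

Against a live tenant, the two JSON inputs would come from the Graph endpoints named in the comments; the review logic is unchanged.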
The attack is particularly concerning because it can be used to gain access to resources in the target tenant even if the attacker's account is later deleted from the target tenant. This is because CTS keeps synchronizing the account into the target tenant, so the attacker can continue to use it to access resources.
To mitigate the risk of this attack, organizations should carefully consider whether they need to use CTS. If they do decide to use CTS, they should carefully configure the feature to minimize the risk of unauthorized access. Additionally, organizations should monitor their Azure Active Directory logs for signs of suspicious activity.
Microsoft's Azure Active Directory (AD) is a cloud-based identity and access management service that provides secure authentication and authorization for millions of users and devices. Azure AD is used by many organizations to manage their cloud resources, such as Office 365, Azure, and Microsoft 365.