Hidden in Plain Sight: (Ab)using Entra's AUs
2024-10-19 , ENG 103

Entra ID's Administrative Units (AU) are great for defenders… and for attackers! AUs are a useful method for creating scoped Entra ID role assignments. However, this scoping also offers juicy new methods for anyone looking to persist quietly in an Azure tenant: Obscure parameters can hide AU membership, and restrictions can prevent removal of malicious accounts. AUs are a globally-enabled tenant feature. Are you prepared to keep an eye on them?

No background necessary: We'll start by reviewing Azure permissions, Entra ID role assignment, and the advantages AUs can provide. Then, we'll demonstrate scenarios where an attacker can leverage them for invisible, privileged tenant persistence. We'll conclude with detection, remediation, and reflections on these double-edged features of user administration.


.

Katie Knowles is a Security Researcher at Datadog, focused on Azure research. Through her past roles, Katie has had the chance to approach security as both an attacker and defender, from incident response and detection engineering to penetration testing. She holds Azure (AZ-104, AZ-500) and offensive security (OSCP, GPEN) certifications.