
MS.AAD.3.3v1 does not check for the use of Microsoft Authenticator OTPs #1487

Open
mitchelbaker-cisa opened this issue Dec 24, 2024 · 0 comments
Labels
bug This issue or pull request addresses broken functionality

Comments

@mitchelbaker-cisa
Collaborator

🐛 Summary

We had a public report about MS.AAD.3.3v1, which led to a review of the MS.AAD.3.3v1 output.

Implementation instructions for MS.AAD.3.3v1


Step 3 of the implementation instructions indicates the following:

3. For **Allow use of Microsoft Authenticator OTP** select No.

We don't check in the Rego code if Microsoft Authenticator OTP is disabled.

In the Entra ID portal the respective setting is found by navigating through the following:
Go to Microsoft Entra admin center, click Security > Manage > Authentication methods > click Microsoft Authenticator > Configure tab.


To access this setting in Rego, we can use the existing MSAuth variable and then access the setting for Microsoft Authenticator OTP with the following:

```rego
# "Oath" here is OATH (the open software-token standard behind the OTP slider), not a misspelling of OAuth;
# keep the exact property name in mind when implementing
MAuthOTP := MSAuth.AdditionalProperties.isSoftwareOathEnabled # either true/false
```

Add the above Rego check to the MSAuthProperlyConfigured variable.

```rego
# package name and import added so the snippet parses on its own; the issue shows only the rules
package aad

import rego.v1

# Returns the MS Authenticator configuration settings
MSAuth := auth_setting if {
    some auth_method in input.authentication_method
    some auth_setting in auth_method.authentication_method_feature_settings

    auth_setting.Id == "MicrosoftAuthenticator"
}

# Returns true if MS Authenticator is configured per the baseline, false if it is not
default MSAuthProperlyConfigured := false

MSAuthProperlyConfigured := true if {
    MSAuth.State == "enabled"

    # Proposed addition: the "Allow use of Microsoft Authenticator OTP" slider must be off.
    # If the property is absent the reference is undefined, the body fails and the default (false) applies.
    MAuthOTP := MSAuth.AdditionalProperties.isSoftwareOathEnabled # either true/false
    MAuthOTP == false

    # ... (remaining conditions elided in the issue)
}
```

To reproduce

  • Go to Microsoft Entra admin center, click Security > Manage > Authentication methods > click Microsoft Authenticator > Configure tab.
  • Set the Microsoft Authenticator OTP slider in Entra ID to true/false.
  • Run Invoke-SCuBA and notice no change in the results.
  • Open the ScubaResults.json file generated from running Invoke-SCuBA.
  • Ctrl + F and type "authentication_method". This will take you to the respective settings for Microsoft Authenticator.
  • Within the respective object for "Id": "MicrosoftAuthenticator", you'll find "isSoftwareOathEnabled" in the "AdditionalProperties" property.

Expected behavior

The Rego should check for the Microsoft Authenticator OTP setting.

@mitchelbaker-cisa mitchelbaker-cisa added the bug This issue or pull request addresses broken functionality label Dec 24, 2024
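One way to see the gap the issue describes, as an added example (not ScubaGear project code): a Python model of the MSAuth / MSAuthProperlyConfigured rules, run over a constructed ScubaResults-style object with the OTP slider on and then off. The input layout, the sample document and the function names are assumptions taken from the Rego snippet in the issue; the conditions the issue elides with "..." are not modelled.

```python
"""Model of the MS.AAD.3.3v1 Microsoft Authenticator check, before and after
adding the OTP condition.

Added example for this issue, not ScubaGear project code. The input shape is
an assumption derived from the Rego snippet in the issue: a top-level
"authentication_method" list whose entries hold
"authentication_method_feature_settings" with "Id", "State" and
"AdditionalProperties". The sample document below is constructed.
"""
import copy
from typing import Any, Optional

# Constructed sample in that assumed shape, with the OTP slider off.
SCUBA_RESULTS: dict[str, Any] = {
    "authentication_method": [
        {
            "authentication_method_feature_settings": [
                {
                    "Id": "MicrosoftAuthenticator",
                    "State": "enabled",
                    "AdditionalProperties": {
                        # "Oath" = OATH software tokens, not OAuth
                        "isSoftwareOathEnabled": False,
                    },
                }
            ]
        }
    ]
}


def find_ms_auth(data: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Counterpart of the MSAuth Rego rule: the MicrosoftAuthenticator
    feature-settings object, or None when the input has none."""
    for auth_method in data.get("authentication_method", []):
        for setting in auth_method.get("authentication_method_feature_settings", []):
            if setting.get("Id") == "MicrosoftAuthenticator":
                return setting
    return None


def properly_configured_current(data: dict[str, Any]) -> bool:
    """The behaviour the issue reports: only State is examined, so flipping
    the OTP slider cannot change the outcome."""
    ms_auth = find_ms_auth(data)
    return ms_auth is not None and ms_auth.get("State") == "enabled"


def properly_configured_proposed(data: dict[str, Any]) -> bool:
    """Proposed check: State enabled AND isSoftwareOathEnabled == false.
    A missing or non-boolean property fails closed, as an undefined reference
    does in the Rego rule body (the default false then applies)."""
    ms_auth = find_ms_auth(data)
    if ms_auth is None or ms_auth.get("State") != "enabled":
        return False
    otp = ms_auth.get("AdditionalProperties", {}).get("isSoftwareOathEnabled")
    return otp is False


def with_otp(data: dict[str, Any], enabled: bool) -> dict[str, Any]:
    """Deep copy of data with the "Allow use of Microsoft Authenticator OTP"
    slider set to the given value (the toggle step in the reproduction)."""
    out = copy.deepcopy(data)
    ms_auth = find_ms_auth(out)
    if ms_auth is None:
        raise ValueError("no MicrosoftAuthenticator settings in input")
    ms_auth["AdditionalProperties"]["isSoftwareOathEnabled"] = enabled
    return out


def compare_toggle(data: dict[str, Any]) -> dict[str, tuple[bool, bool]]:
    """Result of each check with the slider on, then off."""
    on, off = with_otp(data, True), with_otp(data, False)
    return {
        "current": (properly_configured_current(on), properly_configured_current(off)),
        "proposed": (properly_configured_proposed(on), properly_configured_proposed(off)),
    }


if __name__ == "__main__":
    for name, (slider_on, slider_off) in compare_toggle(SCUBA_RESULTS).items():
        print(f"{name:8s} OTP on -> {slider_on}, OTP off -> {slider_off}")
```

The "current" row comes out the same for both slider positions, which is the "no change in the results" observed in the reproduction steps; the "proposed" row only passes with the slider off. To try it against a real ScubaResults.json, json.load the file and pass in the object that holds the "authentication_method" key; the issue does not show how deeply that key is nested in the file, so that lookup is left to the reader.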