
Injecting an Azure Entra ID MFA Credential

In October 2024, Microsoft began enforcing mandatory Multifactor Authentication (MFA) for some Azure services and resources. In order to maintain support for Azure credential injection, NodeZero now supports OAuth 2.0 Device Code Flow to authenticate and authorize the use of an Entra ID credential for pentests.

Injecting an Azure MFA Credential for the Azure Entra ID pentest

When configuring an Azure Entra ID Pentest, users are now prompted to provide their Azure tenant ID instead of a cleartext username and password. NodeZero uses the tenant ID to begin the Device Code Flow once the pentest starts.

After the pentest is configured and begins provisioning, the user is automatically redirected to the Real Time View (RTV) and will see an "Azure MFA Credentials" box indicating that they will be notified once an MFA code is available for them to finish authentication.

Once the pentest begins, NodeZero starts the Device Code Flow and displays an MFA code that the user uses to complete authentication/authorization. Users also receive an email notification that the MFA code is available in the pentest's RTV.

Injecting an Azure MFA Credential from the Real Time View (RTV)

Users can inject an Azure MFA Credential using the "Inject Credentials" button on a pentest's RTV page. After selecting "Azure MFA" from the dropdown menu, users are prompted for their Azure Tenant ID. Once submitted, it may take approximately 2 minutes during a live/running pentest for NodeZero to provide the required MFA code from Microsoft.

Completing Authentication/Authorization

Once NodeZero receives the MFA code from Microsoft, users have 15 minutes to return to the pentest's RTV in the portal and complete authentication/authorization. If the user does not return to the NodeZero portal in time, NodeZero automatically re-requests a new MFA code two additional times before the user must manually initiate the Device Code Flow again.


The user must copy the MFA code and navigate to the authentication URL provided: https://microsoft.com/devicelogin.


Once the user interactively authenticates to Microsoft, they will be prompted to authorize NodeZero access to the tenant.


Note

NodeZero uses the client ID of "Microsoft Azure PowerShell" when requesting authorization for the Device Code Flow. Many common attacker tools use this client ID, because Microsoft Azure PowerShell, as a first-party Microsoft utility, has default delegated permissions to several valuable resources such as the MS Graph API. NodeZero does NOT use this client ID for password spray or user enumeration activities.

The alternative would be for NodeZero to register an Enterprise Application in your tenant and have administrators grant explicit directory and app roles/permissions to NodeZero. That is not an action an unannounced attacker or penetration tester would perform.
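Because the same first-party client ID is used both by NodeZero and by commodity tooling, a tenant administrator cannot distinguish the two from the app name alone. What they can do is treat device code sign-ins to "Microsoft Azure PowerShell" as expected only for the operator who authorized the pentest, and only inside the announced pentest window. The check below is an added example, not NodeZero's code or part of this page; the records are constructed in the shape of Entra ID sign-in log entries (a subset of the Microsoft Graph signIn fields), and the exact field names of your export are an assumption to verify against your own log source.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample records (JSON Lines). The field names follow the Microsoft Graph
# signIn resource; whether your export (Log Analytics, Graph, SIEM) uses exactly these
# names is an assumption to check before running this against real data.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-10-15T14:03:11Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Azure PowerShell","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-10-15T14:10:42Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-10-18T02:17:05Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Azure PowerShell","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77"}
{"createdDateTime":"2024-10-15T14:30:00Z","userPrincipalName":"carol@contoso.example","appDisplayName":"Microsoft Azure PowerShell","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.78"}
"""


def parse_signins(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_device_code_signins(records: List[Dict], window_start: datetime,
                             window_end: datetime, expected_upns: Set[str]) -> List[Dict]:
    """Return device code sign-ins that are not the expected pentest operator inside the
    announced window. Non-device-code sign-ins are left alone; the point is to isolate
    the one authentication pattern this page says the pentest (and attackers) produce."""
    flagged = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        when = _ts(r["createdDateTime"])
        upn = r.get("userPrincipalName", "")
        in_window = window_start <= when <= window_end
        if in_window and upn in expected_upns:
            continue  # the expected NodeZero authorization by the pentest operator
        flagged.append({
            "upn": upn,
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "time": r["createdDateTime"],
            "reason": "unexpected user" if in_window else "outside pentest window",
        })
    return flagged


def triage_sample() -> List[Dict]:
    """Run the check over the constructed sample with a constructed pentest window."""
    window_start = datetime(2024, 10, 15, 13, 0, tzinfo=timezone.utc)
    window_end = datetime(2024, 10, 15, 17, 0, tzinfo=timezone.utc)
    return flag_device_code_signins(parse_signins(SAMPLE_SIGNINS),
                                    window_start, window_end, {"alice@contoso.example"})


if __name__ == "__main__":
    for hit in triage_sample():
        print(f'{hit["time"]} {hit["upn"]} via {hit["app"]} from {hit["ip"]}: {hit["reason"]}')
```

On the sample, alice's in-window device code sign-in is the expected pentest authorization and is skipped, bob's sign-in three days later is flagged as outside the window, and carol's in-window sign-in is flagged as an unexpected user. The same split applies whatever the app: the filter keys on the protocol, not on the app name, so a device code authorization through any first-party client is surfaced.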

Once authorization is granted, NodeZero receives tokens for the selected identity to access Azure resources.
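The whole exchange this page walks through, from the tenant ID to the tokens, is the OAuth 2.0 Device Code grant (RFC 8628): the client requests a device code, the user enters the user code at https://microsoft.com/devicelogin, and the client polls the token endpoint until it is told the user has finished. The Python below is an added example and not NodeZero's implementation; it reproduces the timing rules described above (a code is valid for 15 minutes, and after an unused code expires two more are requested automatically before the user has to restart). The endpoint URLs are the real Microsoft identity platform v2.0 endpoints and the error strings are the ones RFC 8628 defines, but the tenant ID and client ID are placeholders and the transport is a scripted stand-in, so nothing here touches the network.

```python
import time
from typing import Callable, Dict, List, Tuple

# Microsoft identity platform v2.0 endpoints, parameterised by the tenant ID the page
# says users supply. This example never contacts them (see ScriptedTransport below).
DEVICE_CODE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type
MAX_AUTO_REREQUESTS = 2  # page: two further codes are requested automatically after expiry


def run_device_code_flow(tenant_id: str, client_id: str, scope: str, transport,
                         now: Callable[[], float] = time.monotonic,
                         sleep: Callable[[float], None] = time.sleep) -> Tuple[Dict, int]:
    """Drive the grant through `transport`, which exposes request_device_code(url, form)
    and poll_token(url, form), each returning the JSON dict a real HTTPS POST would.
    Returns (token-or-error response, number of automatic re-requests used)."""
    rerequests = 0
    while True:
        dc = transport.request_device_code(DEVICE_CODE_URL.format(tenant=tenant_id),
                                           {"client_id": client_id, "scope": scope})
        # The user now enters dc["user_code"] at dc["verification_uri"]
        # (https://microsoft.com/devicelogin on the page) within expires_in seconds.
        deadline, interval = now() + dc["expires_in"], dc.get("interval", 5)
        while now() < deadline:
            sleep(interval)
            resp = transport.poll_token(TOKEN_URL.format(tenant=tenant_id),
                                        {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                         "device_code": dc["device_code"]})
            err = resp.get("error")
            if err is None:
                return resp, rerequests        # tokens for the identity that authorized
            if err == "authorization_pending":
                continue                       # user has not finished at the login page
            if err == "slow_down":
                interval += 5                  # RFC 8628: back off and keep polling
                continue
            if err == "expired_token":
                break                          # code timed out: fall through to re-request
            return resp, rerequests            # authorization_declined etc.: give up
        if rerequests >= MAX_AUTO_REREQUESTS:
            return {"error": "expired_token", "error_description":
                    "automatic re-requests exhausted; restart the flow manually"}, rerequests
        rerequests += 1


class FakeClock:
    """Virtual time so the polling loops finish instantly and deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class ScriptedTransport:
    """Constructed stand-in for the authorization server: issues device codes in order
    and replays a scripted list of token-endpoint answers per code (the last repeats)."""
    def __init__(self, scripts: List[List[Dict]]) -> None:
        self.scripts = [list(s) for s in scripts]
        self.codes_issued = 0

    def request_device_code(self, url: str, form: Dict) -> Dict:
        n, self.codes_issued = self.codes_issued, self.codes_issued + 1
        return {"device_code": f"dc-{n}", "user_code": f"CODE{n}",
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5}  # 900 s is the page's 15-minute validity

    def poll_token(self, url: str, form: Dict) -> Dict:
        script = self.scripts[int(form["device_code"].split("-")[1])]
        return script.pop(0) if len(script) > 1 else script[0]


def run_scenario(scripts: List[List[Dict]]) -> Tuple[Dict, int, int]:
    """Run the flow against a scripted server; returns (result, re-requests, codes issued)."""
    clock, transport = FakeClock(), ScriptedTransport(scripts)
    result, rerequests = run_device_code_flow(
        tenant_id="00000000-0000-0000-0000-000000000000",  # placeholder tenant ID
        client_id="CLIENT-ID-PLACEHOLDER",                  # page names the app, not its ID
        scope="https://graph.microsoft.com/.default",
        transport=transport, now=clock.now, sleep=clock.sleep)
    return result, rerequests, transport.codes_issued


def user_finishes_on_second_code() -> Tuple[Dict, int, int]:
    """First code expires unused; the user completes the second after one slow_down."""
    return run_scenario([
        [{"error": "expired_token"}],
        [{"error": "authorization_pending"}, {"error": "slow_down"},
         {"token_type": "Bearer", "expires_in": 3599, "access_token": "constructed.token"}],
    ])


def user_never_returns() -> Tuple[Dict, int, int]:
    """Three codes time out in turn; the client stops instead of polling forever."""
    return run_scenario([[{"error": "authorization_pending"}]] * 3)


if __name__ == "__main__":
    result, rerequests, codes = user_finishes_on_second_code()
    print("tokens received:", "access_token" in result, "| codes issued:", codes)
    result, rerequests, codes = user_never_returns()
    print("final error:", result["error"], "| codes issued:", codes)
```

The two scenarios cover the page's timing rules from the client side: in the first, the initial code expires and the second one succeeds, so exactly two codes are issued and one automatic re-request is consumed; in the second, the user never completes any code, so the third expiry ends the flow with an error instead of a fourth code. A real client would replace ScriptedTransport with HTTPS POSTs of the same form fields and would keep the real monotonic clock and sleep defaults.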
