Microsoft Azure Active Directory and Office 365 use open standards and protocols such as OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization.
In Azure Active Directory, when a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, these access tokens are valid for one hour; when they expire, the client is redirected back to Azure AD to refresh them. One hour is long enough for an exfiltrated token to be replayed, and other malicious activity can happen within that window.
This is not just a Microsoft issue but an industry-wide problem for all OAuth 2.0 implementations. Microsoft has tried to address it by adopting open standard protocols such as the Continuous Access Evaluation Protocol (CAEP), as described by the Shared Signals and Events working group (https://openid.net/wg/sse/).
So, what does CAE do, and how does it help us prevent such malicious activities?
By implementing the CAE,
- User termination or password change/reset: User session revocation will be enforced in near real time.
- Network location change: Conditional Access location policies will be enforced in near real time.
- Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.
If your organization has identified the risk of token exfiltration and you do not allow your users to access Office 365 resources from non-corporate networks, then this is something you must explore, especially if you are not on an Azure Active Directory Premium plan (P1 or P2). Microsoft enables CAE by default for tenants that either do not have AAD P1/P2 or have no Conditional Access policies implemented.
Whilst it is still not very clear from the documentation, our testing reveals that CAE works best with Conditional Access policies for traditional networking scenarios such as blocking access to the entire Office 365 suite outside the corporate network. For zero-trust models you are best off with Conditional Access policies, which provide the most robust access control; CAE only complements them in scenarios where tokens can be stolen.
A balanced security approach, securing endpoints with an endpoint security solution such as Microsoft Defender combined with the built-in Windows 10 Credential Guard, can provide an active and sufficient mechanism to prevent credential theft and can also help in detecting it. Preventing installation of unauthorized software and avoiding granting local admin access to end users is the best preventive strategy; it is age-old and must still be practiced. If local admin access has to be granted for special cases, then adequate monitoring has to be in place for such users and their machines.
Again, the scope of this blog is not securing endpoints, so I will stop here. For more on such setups, stay tuned to my blog as I write more about it in future.
Continuing our discussion on CAE, let's see how a cookie exported from a corporate-connected (secured) device can be re-used on any BYOD machine connected from an unsecured network location such as the internet.
In my testing (with a limited set of tools/info), Exchange Online and SharePoint are the only two Office 365 applications where access with an exfiltrated/exported token can be prevented.
The following demo shows you:
1) How to export the cookie from a corporate device and access Office 365 from any BYOD device, without CAE enabled.
2) The same steps repeated with CAE enabled, and the outcome.
1) How to export the cookie from a corporate device and use it on any BYOD device (without CAE enabled):
Note: This method bypasses all the controls you have implemented, such as Conditional Access with hybrid Azure AD join, Azure AD join, MFA, etc.
There are various tools available to export cookies, but one of the easiest ways is to add the EditThisCookie plugin to your Edge or Google Chrome browser (if you are allowed to on your corporate device).
For more information, follow the steps on how to export the cookie: https://samsclass.info/123/proj10/cookie-reuse.htm
Now we have understood how to export the cookie and use it on a BYOD device to access Office 365 email/SharePoint without credentials, using only the cookie.
2) Now we will apply CAE to the same user/group we used above and see the results.
This method requires you to create a named location containing your corporate network zones and a Conditional Access policy as described below.
Create a named location (requires AAD P1 or above).
Now create a Conditional Access policy with the access control set to Block for all network locations except the trusted (named) location added in the previous step.
Apply this CAE policy to the users/group who are part of the testing.
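To make the named location and the block-outside-corporate-network policy concrete, here is an added Python example (not from this post or from Microsoft) that builds the two request bodies in the shape used by the Microsoft Graph conditional access API and evaluates offline which client addresses the policy would block. The CIDR ranges, group id and location id are constructed placeholders, and the script does not call Graph.

```python
import ipaddress
from typing import Dict, List

# Constructed placeholders (not real tenant values): RFC 5737 documentation ranges
# stand in for corporate egress CIDRs, and the ids are dummies.
CORP_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]
TEST_GROUP_ID = "00000000-0000-0000-0000-000000000001"
TRUSTED_LOCATION_ID = "00000000-0000-0000-0000-0000000000aa"


def named_location_body(location_id: str, name: str, cidrs: List[str]) -> Dict:
    """Body for POST /identity/conditionalAccess/namedLocations (Graph assigns the id;
    it is supplied here so the offline evaluation below can reference it)."""
    return {
        "id": location_id,
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
                     for c in cidrs],
    }


def block_outside_policy_body(location_id: str, group_id: str) -> Dict:
    """Body for POST /identity/conditionalAccess/policies: all apps, all locations
    except the trusted named location, grant control = Block, scoped to the test group."""
    return {
        "displayName": "CAE test - block outside corporate network",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def access_allowed(policy: Dict, location: Dict, client_ip: str) -> bool:
    """Decide whether a request from client_ip passes this policy's location condition.
    Without CAE this check only happens when the token is issued; with CAE a
    CAE-capable resource (Exchange Online, SharePoint) re-checks it on the live
    request, so a cookie replayed from a non-corporate address is rejected."""
    ip = ipaddress.ip_address(client_ip)
    in_trusted = any(ip in ipaddress.ip_network(r["cidrAddress"])
                     for r in location["ipRanges"])
    excluded = location["id"] in policy["conditions"]["locations"]["excludeLocations"]
    if in_trusted and excluded:
        return True                      # request falls outside the policy's scope
    return "block" not in policy["grantControls"]["builtInControls"]
```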
Now repeat the steps to export the cookie, go to the BYOD device, import the cookie and try to access Exchange Online or SharePoint; you will be prompted for credentials. The credential prompt is triggered by CAE.
For more information about Azure AD CAE, please read https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation