Lateral Movement in Azure AD: What Still Works in 2025

Everyone says their environment is “Zero Trust.”
Then a token from a hybrid-joined machine allows silent lateral movement without triggering a single alert.

In many hybrid Azure AD environments — especially those with legacy sync setups and incomplete policy enforcement — lateral paths are still open.
The attack surface has changed, but not disappeared.

What Still Works (Too Well)

Primary Refresh Tokens (PRTs)

A Primary Refresh Token (PRT) is issued when a user signs into a Windows 10+ device that is Azure AD joined, hybrid-joined, or Intune-compliant.
It allows seamless access to Microsoft cloud resources without requiring the user to re-authenticate.

The PRT is stored in memory (LSA), and unless hardened, can be extracted by an attacker with local system access — via malware, credential dumping, or token theft techniques.

Once in possession of a valid PRT and session key, an attacker can:

  • Request new access tokens via the /token endpoint (OAuth2)
  • Silently access services like Graph API, Exchange Online, Teams, or SharePoint
  • Maintain persistence using only token refreshes, without re-authentication or user interaction

This type of lateral movement is extremely difficult to detect:

  • No password is used
  • MFA is not triggered (the PRT has already passed it)
  • Sign-in logs may not appear, depending on the app/token usage pattern

If the PRT lifecycle isn’t monitored and contained, lateral movement remains trivial.

Overprivileged Service Principals

In many tenants, service principals are created for integrations, scripts, or automation tools — and left running without regular permission audits.

Common issues include:

  • Directory-wide roles (Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory)
  • Application owners assigning elevated roles to themselves
  • Lack of AppRoleAssignment reviews or expired credential cleanups

Once compromised, these identities let an attacker create users, assign roles, and persist with minimal noise.

Forgotten Devices, Valid Tokens

Devices that are no longer in use, non-compliant, or no longer in the user's possession can still hold valid session tokens.

Common causes:

  • No automatic device cleanup in Entra ID / Intune
  • Hybrid-joined machines left in AD and Azure AD after decommission
  • Weak or unused compliance policies

If Conditional Access treats “Azure AD joined” as equivalent to “trusted,” attackers can replay tokens from unmanaged or stale machines.

A CVE Still Relevant in 2025

CVE-2022-26923 exposed a flaw in how computer objects register certificates in Active Directory, allowing escalation via certificate request tampering.

In hybrid environments, the impact is deeper:

  • AD compromise leads to elevated certificate rights
  • Attacker modifies synced identities via Azure AD Connect
  • Changes propagate to Azure AD — with full cloud access rights

What’s Getting Harder

  • Legacy authentication is being phased out, but SMTP/POP3 often remain enabled by default.
  • Browser token extraction is more difficult thanks to stronger session isolation.
  • Credential reuse is easier to detect — assuming logs are enabled and monitored.

How Conditional Access Should Be Configured to Prevent PRT Abuse

To reduce exposure from PRT abuse, Conditional Access must focus on device trust, session lifetime, and token replay protection.

  • Require compliant or hybrid-joined devices
    Require devices to be marked compliant by Intune, or to be hybrid-joined.
  • Block legacy authentication
    Disable SMTP, POP3, IMAP, and other basic auth protocols.
  • Limit token lifetime
    Set sign-in frequency to 1 day or less. Disable persistent browser sessions.
  • Trigger MFA on risky sessions
    Require MFA for sign-ins marked medium or high risk (based on Entra ID Protection).
  • Apply CA to all cloud apps
    Ensure critical APIs like Graph and PowerShell are included.
  • Re-authenticate for privileged access
    Enforce step-up auth for roles like Global Admin, or when accessing admin portals.
  • Enable token protection (preview)
    Bind refresh tokens to device TPM. Replay from other devices fails.
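As an added example that is not part of the original post, the checklist above turned into an offline audit: it reads Conditional Access policies in the JSON shape that Microsoft Graph returns from GET /identity/conditionalAccess/policies and reports which items no enforced policy satisfies. The sample policies are constructed, and the check names are my own.

```python
"""Audit Entra ID Conditional Access policies (Graph JSON) against the PRT checklist."""
import json

# Constructed sample in the shape of GET /identity/conditionalAccess/policies.
# Policy 2 is deliberately weak: it covers one app, never expires sessions, and
# runs in report-only mode, so it enforces nothing.
SAMPLE = json.loads("""[
 {"displayName": "Block legacy auth", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}, "signInRiskLevels": [],
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}, "sessionControls": null},
 {"displayName": "Device trust", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}, "signInRiskLevels": [],
                 "applications": {"includeApplications": ["Office365"]}, "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
  "sessionControls": {"signInFrequency": {"isEnabled": false},
                      "persistentBrowser": {"mode": "always", "isEnabled": true}}}
]""")

def controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def tenant_wide(p):  # all users, all cloud apps, not narrowed to risky sign-ins only
    c = p["conditions"]
    return ("All" in c["users"].get("includeUsers", []) and not c.get("signInRiskLevels")
            and "All" in c["applications"].get("includeApplications", []))

def sif_day_or_less(p):  # sign-in frequency enabled and at most 1 day
    s = (p.get("sessionControls") or {}).get("signInFrequency") or {}
    return s.get("isEnabled") and (s.get("type") == "hours" or (s.get("type") == "days" and s.get("value", 99) <= 1))

def no_persistent_browser(p):
    b = (p.get("sessionControls") or {}).get("persistentBrowser") or {}
    return b.get("isEnabled") and b.get("mode") == "never"

CHECKS = {  # each item is met when at least one enforced policy passes its predicate
  "legacy auth blocked for all users/apps": lambda p: "block" in controls(p) and tenant_wide(p)
      and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", [])),
  "device trust required for all users/apps": lambda p: tenant_wide(p) and "block" not in controls(p)
      and controls(p) & {"compliantDevice", "domainJoinedDevice"},
  "sign-in frequency <= 1 day": lambda p: tenant_wide(p) and sif_day_or_less(p),
  "persistent browser sessions disabled": lambda p: tenant_wide(p) and no_persistent_browser(p),
  "MFA on medium/high sign-in risk": lambda p: "mfa" in controls(p)
      and {"medium", "high"} <= set(p["conditions"].get("signInRiskLevels") or []),
}

def audit(policies):
    """Return checklist items that no enforced (state == enabled) policy satisfies."""
    live = [p for p in policies if p.get("state") == "enabled"]
    return [name for name, ok in CHECKS.items() if not any(ok(p) for p in live)]

if __name__ == "__main__":
    for gap in audit(SAMPLE):
        print("GAP:", gap)
```

Report-only policies are skipped on purpose: they show up in the portal as coverage but enforce nothing, which is exactly the false sense of coverage the post describes.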

Final Thought

A diagram might show a clean, modern, zero-trust architecture.
Everything segmented, policies enforced, logs centralized.
But most real-world tenants don’t operate like that. Not consistently.

The problem isn’t always the absence of controls — it’s the false sense of coverage.

Lateral movement in Azure AD doesn’t need exploits. It needs one stale token, one forgotten device, or one overprivileged identity.

Security today isn’t about being perfect. It’s about knowing what’s still exposed — and closing the gaps fast.
