At Black Hat USA 2024, UnOAuthorized revealed an undocumented Microsoft authorization model that allowed some unexpected actions in Entra ID (Azure AD). This included finding a path of privilege elevation from lower roles up to Global Administrator - the Domain Admin of the cloud.
But in that disclosure, some findings had to be left out. Until now.
Join us to explore the full scope of UnOAuthorized. We’ll briefly recap the original vulnerability and resolution and then unveil the remaining findings we can finally discuss. We'll cover the impact of the findings and how they're different from others, and what exactly took so long to be able to disclose.
Throughout his 25-year career in the IT field, Eric has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis; Eric previously was a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.
Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. Eric is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. Eric further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.