medium

Entra ID Bug Creates Immutable Users

Published Tue, Mar 25th, 2025
Platforms

Summary

A bug in Entra ID restricted management administrative units (AUs) allowed the creation of "immutable" users that could not be modified or disabled, even by Global Administrators. An attacker could use this to shield a compromised account from containment, since the account could no longer be disabled or changed. The root cause was a timing issue in how a user's restricted status was cleared when the user was removed from a restricted AU; affected accounts required specific steps to remediate.

Affected Services

Entra ID

Remediation

Add the affected user to a new restricted management AU, then delete that AU without first removing the user. Wait 5-10 minutes for the restricted status to clear.
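The remediation above as a script, added here as an example; it is not code from the original entry or from Datadog Security Labs. It uses the Microsoft Graph PowerShell SDK (modules Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users) and the documented Graph properties isMemberManagementRestricted (on the AU) and isManagementRestricted (on the user). The temporary AU name, the polling interval and the 15-minute timeout are assumptions; the 5-10 minute wait is from the entry.

```powershell
# Added example, not from the original entry or Datadog Security Labs.
# Clears a user stuck in restricted-management state by adding them to a throwaway
# restricted management AU and deleting that AU while the user is still a member.
# Needs a session with AdministrativeUnit.ReadWrite.All and User.Read.All.
param(
    [Parameter(Mandatory)] [string] $UserId,   # object ID or UPN of the stuck user
    [int] $TimeoutMinutes = 15,                # assumption: generous upper bound on the 5-10 min wait
    [int] $PollSeconds = 30                    # assumption: polling interval
)

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "User.Read.All" -NoWelcome

function Get-RestrictedStatus {
    param([Parameter(Mandatory)] [string] $Id)
    # isManagementRestricted is the user property set by restricted management AU membership.
    (Get-MgUser -UserId $Id -Property id,userPrincipalName,isManagementRestricted).IsManagementRestricted
}

$before = Get-RestrictedStatus -Id $UserId
Write-Host "Before: isManagementRestricted = $before"
if (-not $before) { Write-Host "User is not restricted; nothing to do."; return }

# Step 1: create a temporary restricted management AU (name is an assumption).
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "tmp-unstick-$(Get-Date -Format yyyyMMddHHmmss)"
    isMemberManagementRestricted = $true
}

# Step 2: add the stuck user to it by reference.
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$UserId"
}

# Step 3: delete the AU with the user still inside it. Do NOT remove the member first;
# removing the member is the path that left the account stuck in the first place.
Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id

# Step 4: poll until the restricted flag clears (the entry says to expect 5-10 minutes).
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds $PollSeconds
    $now = Get-RestrictedStatus -Id $UserId
    Write-Host "$(Get-Date -Format T) isManagementRestricted = $now"
} while ($now -and (Get-Date) -lt $deadline)

if ($now) {
    Write-Warning "Still restricted after $TimeoutMinutes minutes; escalate to Microsoft support."
} else {
    Write-Host "Restricted status cleared; the account can now be disabled or modified."
}
```

Save it as a script and run it with -UserId set to the affected user's object ID or UPN. Once the flag reports false, carry out the containment that was blocked (disable the account, revoke sessions, reset credentials) before doing anything else, since the account is manageable again by anyone with the right role, not just by you.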

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Mon, Aug 19th, 2024
Exploitability Period
Until 2025/02/22
Known ITW Exploitation
-
Detection Methods
Monitor for creation of restricted management AUs and users being added to them. Datadog Cloud SIEM provides detections for these activities.
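The detection described above as working code, added here as an example; it is not from the original entry and is not Datadog Cloud SIEM's rule. It runs over constructed Entra ID audit-log records in the shape Microsoft Graph returns for directoryAudit objects. The activity names "Add administrative unit" and "Add member to administrative unit" are Entra audit activityDisplayName values; it is an assumption that the restricted flag is logged in modifiedProperties under the name "IsMemberManagementRestricted" and that the member-add event lists the AU among its targetResources by object id. All sample records below are constructed.

```powershell
# Added example, not from the original entry or Datadog Cloud SIEM.
# Flags (1) creation of a restricted management AU and (2) users added to one.
function Find-RestrictedAuActivity {
    param([Parameter(Mandatory)] [object[]] $AuditRecords)

    # Pass 1: collect ids of AUs created with member management restricted.
    # Assumption: the flag is logged as a modifiedProperties entry named IsMemberManagementRestricted.
    $restrictedAuIds = @{}
    foreach ($r in $AuditRecords) {
        if ($r.activityDisplayName -ne "Add administrative unit") { continue }
        foreach ($t in $r.targetResources) {
            $flag = $t.modifiedProperties | Where-Object {
                $_.displayName -eq "IsMemberManagementRestricted" -and $_.newValue -match 'true'
            }
            if ($flag) { $restrictedAuIds[$t.id] = $t.displayName }
        }
    }

    # Pass 2: emit one finding per interesting event, in time order.
    foreach ($r in ($AuditRecords | Sort-Object activityDateTime)) {
        $actor = $r.initiatedBy.user.userPrincipalName
        switch ($r.activityDisplayName) {
            "Add administrative unit" {
                foreach ($t in $r.targetResources) {
                    if ($restrictedAuIds.ContainsKey($t.id)) {
                        [pscustomobject]@{ Time = $r.activityDateTime; Actor = $actor
                            Finding = "Restricted management AU created"; AU = $t.displayName; Member = $null }
                    }
                }
            }
            "Add member to administrative unit" {
                # Assumption: the AU appears in targetResources with its object id; the user has type "User".
                $au     = $r.targetResources | Where-Object { $restrictedAuIds.ContainsKey($_.id) } | Select-Object -First 1
                $member = $r.targetResources | Where-Object { $_.type -eq "User" } | Select-Object -First 1
                if ($au) {
                    [pscustomobject]@{ Time = $r.activityDateTime; Actor = $actor
                        Finding = "User added to restricted management AU"; AU = $restrictedAuIds[$au.id]
                        Member = $member.userPrincipalName }
                }
            }
        }
    }
}

# Constructed sample records (not real log data). Entra encodes newValue as a JSON string,
# hence the escaped quotes; the -match 'true' above tolerates both encodings.
$sampleAuditJson = @'
[
 {"activityDateTime":"2024-08-19T09:58:00Z","activityDisplayName":"Add administrative unit",
  "initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},
  "targetResources":[{"id":"aaaaaaaa-0000-0000-0000-000000000001","type":"AdministrativeUnit","displayName":"Finance AU",
    "modifiedProperties":[{"displayName":"DisplayName","oldValue":null,"newValue":"\"Finance AU\""}]}]},
 {"activityDateTime":"2024-08-19T10:00:00Z","activityDisplayName":"Add administrative unit",
  "initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},
  "targetResources":[{"id":"aaaaaaaa-0000-0000-0000-000000000002","type":"AdministrativeUnit","displayName":"Helpdesk RMAU",
    "modifiedProperties":[{"displayName":"DisplayName","oldValue":null,"newValue":"\"Helpdesk RMAU\""},
                          {"displayName":"IsMemberManagementRestricted","oldValue":null,"newValue":"\"true\""}]}]},
 {"activityDateTime":"2024-08-19T10:02:00Z","activityDisplayName":"Add member to administrative unit",
  "initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},
  "targetResources":[{"id":"bbbbbbbb-0000-0000-0000-000000000001","type":"User","userPrincipalName":"svc-backup@contoso.example","modifiedProperties":[]},
                     {"id":"aaaaaaaa-0000-0000-0000-000000000002","type":"AdministrativeUnit","displayName":"Helpdesk RMAU","modifiedProperties":[]}]},
 {"activityDateTime":"2024-08-19T10:03:00Z","activityDisplayName":"Add member to administrative unit",
  "initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},
  "targetResources":[{"id":"bbbbbbbb-0000-0000-0000-000000000002","type":"User","userPrincipalName":"alice@contoso.example","modifiedProperties":[]},
                     {"id":"aaaaaaaa-0000-0000-0000-000000000001","type":"AdministrativeUnit","displayName":"Finance AU","modifiedProperties":[]}]}
]
'@

Find-RestrictedAuActivity -AuditRecords ($sampleAuditJson | ConvertFrom-Json) | Format-Table -AutoSize
```

On the sample set this yields two findings (the Helpdesk RMAU creation and svc-backup being added to it) and stays silent on the unrestricted Finance AU. To run it against live data, feed it the output of Get-MgAuditLogDirectoryAudit filtered on the two activity names; PowerShell property access is case-insensitive, so the SDK's PascalCase objects work with the same function. Treat a finding as high priority when the added member is an already-privileged account or when the AU is created and populated by an identity that does not normally administer AUs.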
Piercing Index Rating
-
Discovered by
Katie Knowles, Datadog Security Labs