Aggregator

Misconfigurations with MFA setups are not uncommon when using AAD, especially when federated setups or Pass Through Authentication is configured I have seen MFA bypass opportunities in multiple production tenants.

A common misconfiguration is that MFA is enforced at the federated identity provider, but AAD is forgotten and ROPC authentication still succeeds against AAD.

To learn more about ROPC, check out the previous post about the topic.

This post focuses on the ropci features that can be leveraged post-exploitation.