Hackread reports that Microsoft Entra ID has a design flaw that could allow guests invited into an organization's Azure tenant to create and transfer subscriptions, and to obtain "Owner" rights over those subscriptions, without admin privileges.
Malicious actors could exploit the issue, which stems from baked-in billing permissions, by creating their own trial Azure tenant and, once invited into the targeted tenant, creating another subscription there, enabling privilege abuse, findings from BeyondTrust revealed. With Microsoft not expected to address the issue, which it says is intended behavior, BeyondTrust has urged organizations to activate subscription policies that block guest-led transfers and to remove unnecessary guest accounts. "The problem lies in the default behavior: if this capability were opt-in, meaning guests were blocked from creating subscriptions by default, the risk would be significantly reduced, and this wouldn't pose a security concern," said BeyondTrust Senior Data Engineer Simon Maxwell-Stewart.
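As an added example (not code from Hackread, BeyondTrust or Microsoft), the check below reviews a tenant's subscription policy against the guest-transfer risk described above and builds the hardened policy body. It assumes the `Microsoft.Subscription/policies/default` resource shape (`blockSubscriptionsIntoTenant`, `blockSubscriptionsLeavingTenant`, `exemptedPrincipals`) and Graph-style user records with a `userType` field; all sample values are constructed.

```python
# Assumed Azure Resource Manager endpoint for the tenant-wide subscription policy.
POLICY_API = ("https://management.azure.com/providers/Microsoft.Subscription"
              "/policies/default?api-version=2021-10-01")

# Constructed sample of a GET on the policy (values invented). Both blocks off,
# one exempted principal, is a typical default that leaves guest transfers open.
SAMPLE_POLICY = {
    "id": "/providers/Microsoft.Subscription/policies/default",
    "properties": {
        "blockSubscriptionsLeavingTenant": False,
        "blockSubscriptionsIntoTenant": False,
        "exemptedPrincipals": ["11111111-1111-1111-1111-111111111111"],
    },
}

# Constructed sample directory users (Graph-style fields, values invented).
SAMPLE_USERS = [
    {"id": "00000000-0000-0000-0000-000000000000",
     "userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"id": "11111111-1111-1111-1111-111111111111",
     "userPrincipalName": "bob_partner.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "22222222-2222-2222-2222-222222222222",
     "userPrincipalName": "carol_vendor.example#EXT#@contoso.example", "userType": "Guest"},
]


def guest_ids(users):
    """Map object id -> UPN for every guest account in the directory listing."""
    return {u["id"]: u["userPrincipalName"] for u in users if u.get("userType") == "Guest"}


def review_subscription_policy(policy, users):
    """Return findings that describe how a guest-led subscription transfer could still succeed."""
    props = policy.get("properties", {})
    guests = guest_ids(users)
    findings = []
    if not props.get("blockSubscriptionsIntoTenant", False):
        findings.append("subscriptions may enter the tenant: a guest can transfer one in and keep Owner")
    if not props.get("blockSubscriptionsLeavingTenant", False):
        findings.append("subscriptions may leave the tenant: a guest with billing rights could move one out")
    for pid in props.get("exemptedPrincipals", []):
        if pid in guests:
            findings.append(f"guest {guests[pid]} is exempted from the transfer policy")
    return findings


def hardened_policy_body(exempted_principals, users):
    """Build the PUT body that blocks transfers both ways; guest ids are dropped from the exemption list."""
    guests = guest_ids(users)
    return {"properties": {
        "blockSubscriptionsLeavingTenant": True,
        "blockSubscriptionsIntoTenant": True,
        "exemptedPrincipals": [p for p in exempted_principals if p not in guests],
    }}
```

The returned body can be applied with `az rest --method put --url "$POLICY_API" --body @body.json` by a user holding the Global Administrator role with elevated access; re-run the review afterwards to confirm no findings remain.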