dirkjanm / ROADtools

A collection of Azure AD/Entra tools for offensive and defensive security purposes

GUI omits MFA details for non-mailbox users

rieck-srlabs opened this issue

Summary

According to my tests, in a development Azure tenant (no active Azure subscription, just Entra ID + O365), newly created users in Entra ID (New user > Create new user) do not have the cloudMSExchRecipientDisplayType field set (see SQL query below).

ROADtools filters out "mailbox users" in the /api/mfa endpoint. This filter also removes users missing the cloudMSExchRecipientDisplayType field. Is this expected?

Details

The MFA tab filters out "mailbox" users:

@app.route("/api/mfa", methods=["GET"])
def get_mfa():
    # First get all users with per-user MFA
    # per_user = db.session.query(AppRoleAssignment).filter(AppRoleAssignment.resourceDisplayName == "MicrosoftAzureActiveAuthn" and AppRoleAssignment.principalType == "User").all()
    # enabledusers = []
    # for approle in per_user:
    #     enabledusers.append(approle.principalId)

    # Filter out mailbox users by default
    all_mfa = db.session.query(User).filter(User.cloudMSExchRecipientDisplayType != 0, User.cloudMSExchRecipientDisplayType != 7, User.cloudMSExchRecipientDisplayType != 18).all()

In my test tenant, newly created users lack the cloudMSExchRecipientDisplayType field, as can be seen in the response to the following SQL query:

SELECT userPrincipalName, cloudMSExchRecipientDisplayType
FROM users;

returns these rows:

AdeleV@1f147m.onmicrosoft.com|1073741824
AlexW@1f147m.onmicrosoft.com|1073741824
DiegoS@1f147m.onmicrosoft.com|1073741824
GradyA@1f147m.onmicrosoft.com|1073741824
HenriettaM@1f147m.onmicrosoft.com|1073741824
IsaiahL@1f147m.onmicrosoft.com|1073741824
JohannaL@1f147m.onmicrosoft.com|1073741824
JoniS@1f147m.onmicrosoft.com|1073741824
josephine.testuser@1f147m.onmicrosoft.com|
LeeG@1f147m.onmicrosoft.com|1073741824
LidiaH@1f147m.onmicrosoft.com|1073741824
LynneR@1f147m.onmicrosoft.com|1073741824
mandatory-mfa@1f147m.onmicrosoft.com|
MeganB@1f147m.onmicrosoft.com|1073741824
MiriamG@1f147m.onmicrosoft.com|1073741824
NestorW@1f147m.onmicrosoft.com|1073741824
PattiF@1f147m.onmicrosoft.com|1073741824
PradeepG@1f147m.onmicrosoft.com|1073741824

josephine.testuser@1f147m.onmicrosoft.com and mandatory-mfa@1f147m.onmicrosoft.com have no value set for cloudMSExchRecipientDisplayType.

Documentation wanted

Side comment: What do the magic values 0, 7 and 18 stand for in the code snippet above? I found some results for 0 and 7, but nothing for 18.

Thanks for the report. The filtering was indeed a bit too broad. The goal here was to filter out Exchange objects that do not represent actual users, since those aren't expected to have MFA, as they don't authenticate. I have updated the filter so it doesn't filter out users without a mailbox. I'll get back to you if I can find the exact values again for documentation purposes.
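The following is an added example, not code from the issue or from the ROADtools code base. It reproduces the behaviour discussed in this thread against an in-memory SQLite table using only the standard library: a chain of `!= value` conditions, which is what the quoted SQLAlchemy `.filter(User.col != 0, User.col != 7, User.col != 18)` renders to, evaluates to NULL (not true) for rows where the column is NULL, so users that never had an Exchange recipient type vanish from the MFA overview. The sample rows are constructed to mirror the issue's query output (the room and shared mailbox rows are hypothetical additions), and the "fixed" variant is one possible correction that keeps such users, not necessarily the exact change the maintainer made.

```python
import sqlite3

# Constructed sample data modelled on the sqlite output in the issue:
# (userPrincipalName, cloudMSExchRecipientDisplayType).
# 1073741824 is the value the licensed demo users carry; None means the
# attribute is absent, as for the two freshly created users in the issue.
# The 0 and 7 rows are hypothetical and stand in for the Exchange objects
# the filter is meant to exclude (0 and 7 are two of the three excluded
# values in the quoted code; the meaning of 18 is not established here).
SAMPLE_USERS = [
    ("AdeleV@1f147m.onmicrosoft.com", 1073741824),
    ("AlexW@1f147m.onmicrosoft.com", 1073741824),
    ("josephine.testuser@1f147m.onmicrosoft.com", None),
    ("mandatory-mfa@1f147m.onmicrosoft.com", None),
    ("room-101@1f147m.onmicrosoft.com", 7),          # hypothetical row
    ("shared-helpdesk@1f147m.onmicrosoft.com", 0),   # hypothetical row
]

# The three values excluded by the filter quoted in the issue.
EXCLUDED_TYPES = (0, 7, 18)


def build_db(rows):
    """Create an in-memory table shaped like the relevant users columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "userPrincipalName TEXT, cloudMSExchRecipientDisplayType INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn


def mfa_candidates_original(conn):
    """SQL equivalent of the original filter: three ANDed '!=' comparisons.

    In SQL, NULL != 0 is NULL, and WHERE treats NULL as false, so every user
    without the attribute is dropped along with the mailbox objects.
    """
    sql = (
        "SELECT userPrincipalName FROM users "
        "WHERE cloudMSExchRecipientDisplayType != ? "
        "AND cloudMSExchRecipientDisplayType != ? "
        "AND cloudMSExchRecipientDisplayType != ?"
    )
    return [row[0] for row in conn.execute(sql, EXCLUDED_TYPES)]


def mfa_candidates_fixed(conn):
    """One way to correct the filter: a missing attribute is not an Exchange
    object, so NULL rows are kept explicitly while 0/7/18 stay excluded."""
    sql = (
        "SELECT userPrincipalName FROM users "
        "WHERE cloudMSExchRecipientDisplayType IS NULL "
        "OR cloudMSExchRecipientDisplayType NOT IN (?, ?, ?)"
    )
    return [row[0] for row in conn.execute(sql, EXCLUDED_TYPES)]


def silently_dropped(conn):
    """The audit gap: accounts that can authenticate but never reach the MFA
    tab under the original filter."""
    return sorted(set(mfa_candidates_fixed(conn)) - set(mfa_candidates_original(conn)))


if __name__ == "__main__":
    db = build_db(SAMPLE_USERS)
    print("original filter :", mfa_candidates_original(db))
    print("fixed filter    :", mfa_candidates_fixed(db))
    print("silently dropped:", silently_dropped(db))
```

In SQLAlchemy terms the corrected WHERE clause corresponds to `.filter(or_(User.cloudMSExchRecipientDisplayType.is_(None), User.cloudMSExchRecipientDisplayType.notin_([0, 7, 18])))`. The practical lesson for anyone auditing MFA coverage with the roadrecon GUI on an affected version is that the two accounts without a recipient type are exactly the kind of freshly created, possibly unlicensed accounts an attacker would use, and they were the ones missing from the view.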