
Exploiting Misconfiguration Vulnerabilities in Microsoft’s Azure Active Directory for Privilege Escalation Attacks

Ibrahim Bu Haimed, Marwan Albahar and Ali Alzubaidi
Additional contact information
Ibrahim Bu Haimed: School of Computing Science, University of Newcastle, Newcastle upon Tyne NE1 7RU, UK
Marwan Albahar: Department of Computer Science, Umm Al Qura University, P.O. Box 715, Mecca 24382, Saudi Arabia
Ali Alzubaidi: Department of Computer Science, Umm Al Qura University, P.O. Box 715, Mecca 24382, Saudi Arabia

Future Internet, 2023, vol. 15, issue 7, 1-18

Abstract: Cloud services provided by Microsoft are growing rapidly in number and importance. Azure Active Directory (AAD) is becoming more important due to its role in facilitating identity management for cloud-based services. However, several risks and security issues have been associated with cloud systems due to vulnerabilities associated with identity management systems. In particular, misconfigurations could severely impact the security of cloud-based systems. Accordingly, this study identifies and experimentally evaluates exploitable misconfiguration vulnerabilities in Azure AD which can eventually lead to the risk of privilege escalation attacks. The study focuses on two scenarios: dynamic group settings and the activation of the Managed Identity feature on virtual devices. Through experimental evaluation, the research demonstrates the successful execution of these attacks, resulting in unauthorized access to sensitive information. Finally, we suggest several approaches to prevent such attacks by isolating sensitive systems to minimize the possibility of damage resulting from a misconfiguration accident and highlight the need for further studies.

Keywords: Azure Active Directory; cloud services; misconfiguration vulnerabilities; privilege escalation attacks; identity management; cloud-based systems
JEL-codes: O3
Date: 2023

Downloads: (external link)
https://www.mdpi.com/1999-5903/15/7/226/pdf (application/pdf)
https://www.mdpi.com/1999-5903/15/7/226/ (text/html)

Persistent link: https://EconPapers.repec.org/RePEc:gam:jftint:v:15:y:2023:i:7:p:226-:d:1177589

Future Internet is currently edited by Ms. Grace You

Bibliographic data for series maintained by MDPI Indexing Manager.

 
Page updated 2025-03-19
Handle: RePEc:gam:jftint:v:15:y:2023:i:7:p:226-:d:1177589