tldr: Microsoft provides a web service that returns user authentication tokens based on the port of the request for users of the service, without the user having to validate their identity!
The default values of the service include Managed Identity being set to ON.
This default means you don't have to provide or rotate any secrets and the service (which you can get a token to without authenticating) has access to all resources that can be authenticated with Active Directory. So full compromise at root level through a GET request to an endpoint with no authentication.
Do I have this right? Wow.