Abusing Entra OAuth for fun and access to internal Microsoft applications

The Eye Security Research team has uncovered a new critical misconfiguration that exposed sensitive data in internal Microsoft applications.

In 2023, Wiz discovered that for any multi-tenant application, if you replace /common or /organizations with /<tenantid> during authentication, you will receive an access token issued by the resource tenant. We have written a small PowerShell script to quickly identify all multi-tenant applications in your own Entra environment and their respective redirect URIs. Our research team performs proactive scans and threat intelligence operations across the region to defend our customers and their supply chains.
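The inventory step described above, as an added example that is not the Eye Security script: it lists every app registration in your own tenant whose signInAudience accepts accounts from other tenants, together with its redirect URIs, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Applications module is installed, that the signed-in account can read application objects (Application.Read.All), and that the output path multitenant-apps.csv is acceptable.

```powershell
# Added example: enumerate multi-tenant app registrations and their redirect URIs.
# Assumption: Microsoft.Graph.Applications module is installed and the account
# connecting holds a role allowed to consent to Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# signInAudience values that allow sign-in from tenants other than your own
$multiTenantAudiences = @("AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount")

$apps = Get-MgApplication -All -Property "id,appId,displayName,signInAudience,web,spa,publicClient"

$findings = foreach ($app in $apps) {
    if ($multiTenantAudiences -notcontains $app.SignInAudience) { continue }

    # Redirect URIs can live in the web, SPA and public-client platform blocks
    $uris = @()
    $uris += $app.Web.RedirectUris
    $uris += $app.Spa.RedirectUris
    $uris += $app.PublicClient.RedirectUris

    foreach ($uri in ($uris | Where-Object { $_ } | Sort-Object -Unique)) {
        [pscustomobject]@{
            DisplayName    = $app.DisplayName
            AppId          = $app.AppId
            SignInAudience = $app.SignInAudience
            RedirectUri    = $uri
            # Flag non-HTTPS and wildcard-style URIs so they are reviewed first
            NeedsReview    = ($uri -notmatch '^https://' -or $uri -match '\*')
        }
    }
}

$findings | Sort-Object DisplayName, RedirectUri | Format-Table -AutoSize
# Assumed output path; adjust as needed
$findings | Export-Csv -Path .\multitenant-apps.csv -NoTypeInformation
```

Each row is one app/URI pair, so an app with several redirect URIs appears several times; review every multi-tenant registration for whether it truly needs to accept external tenants and whether each redirect URI is still owned by you.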
