Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications

Black Hat USA 2025 · Day 1 · Briefings

Wouter Bernard discovered a widespread misconfiguration in Microsoft Entra ID where applications are unintentionally registered as multi-tenant, allowing any external Microsoft account holder to authenticate and — by exploiting missing issuer validation — gain full access to internal Microsoft systems. By working through the vulnerability chain, Bernard accessed 22 sensitive internal Microsoft applications, including an emergency broadcast console, a Fortune 500 customer support portal, Microsoft's internal risk register, a responsible AI operations platform, and a Windows build system whose logs contained an ESD private key.
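The defensive counterpart to the chain described above is the check an application must perform when it accepts tokens through the multi-tenant endpoint: after the signature is verified, the `tid` claim must be on an allowlist and the `iss` claim must be the issuer for that same tenant, not the literal `{tenantid}` template that the common endpoint's metadata advertises. The following is an added example, not code from the talk or from Microsoft; the tenant IDs, audience value and helper names are placeholders, the sample tokens are constructed with a dummy signature so the script runs offline, and signature verification against the tenant's JWKS is assumed to have already been done by a JWT library.

```python
"""Issuer/tenant claim validation for Entra ID tokens (added example).

Assumption: RS256 signature verification against the tenant's JWKS has
already been performed by a JWT library. This module covers only the claim
checks that an accidentally multi-tenant app typically skips.
"""
import base64
import json
import time

# Placeholder allowlist: the tenant(s) this app is meant to serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
# Placeholder app ID URI for the protected API.
EXPECTED_AUDIENCE = "api://example-internal-app"

# Per-tenant issuer formats used by the v2.0 and v1.0 endpoints.
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"
V1_ISSUER = "https://sts.windows.net/{tid}/"


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed test token with a dummy signature segment.

    Real Entra tokens are RS256-signed; this helper exists only so the
    example can be exercised offline and must never be used in production.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def validate_claims(token: str, allowed_tenants=ALLOWED_TENANTS,
                    expected_aud=EXPECTED_AUDIENCE, now=None):
    """Return (True, 'ok') or (False, reason).

    Runs after signature verification. Rejects tokens from any tenant not
    on the allowlist, and tokens whose issuer does not belong to the tenant
    named in their own tid claim.
    """
    now = time.time() if now is None else now
    try:
        _, payload_seg, _ = token.split(".")
        claims = json.loads(_b64url_decode(payload_seg))
    except ValueError:  # covers unpack, base64 and JSON errors
        return False, "malformed token"

    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, f"tenant {tid!r} not allowed"

    # The issuer must be derived from the token's own tid, never compared
    # against the '{tenantid}' template string from the common metadata.
    iss = claims.get("iss")
    if iss not in (V2_ISSUER.format(tid=tid), V1_ISSUER.format(tid=tid)):
        return False, f"issuer {iss!r} does not match tenant {tid!r}"

    if claims.get("aud") != expected_aud:
        return False, f"audience {claims.get('aud')!r} is not {expected_aud!r}"

    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired or missing exp"

    return True, "ok"


def demo():
    """Constructed home-tenant and foreign-tenant tokens; returns both verdicts."""
    home_tid = "11111111-1111-1111-1111-111111111111"
    foreign_tid = "22222222-2222-2222-2222-222222222222"
    base = {"aud": EXPECTED_AUDIENCE, "exp": 4102444800}  # far-future expiry
    home = make_unsigned_token({**base, "tid": home_tid,
                                "iss": V2_ISSUER.format(tid=home_tid)})
    foreign = make_unsigned_token({**base, "tid": foreign_tid,
                                   "iss": V2_ISSUER.format(tid=foreign_tid)})
    return validate_claims(home, now=1700000000), validate_claims(foreign, now=1700000000)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The foreign-tenant token is syntactically a perfectly valid, correctly signed Entra token; only the allowlist and the tenant-bound issuer check distinguish it from a home-tenant one, which is why an app that relies on "the token verified" alone is exposed.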

AI review

Wouter Bernard found 172 unintentionally multi-tenant Microsoft internal apps, authenticated to 22 of them, and ended up in the Windows build system with an ESD private key in a log file and upload rights he describes as 'probably RCE.' The emergency broadcast console that can message every M365 admin center on Earth is an especially uncomfortable finding. Bug-bounty storytelling with genuine technical depth underneath.