Microsoft Entra Token Theft - Part One: Offline Access and Conditional Access
ID: 8cb01eaf-8885-5eb6-a8d7-cc5d221d2f25
STIX ID: report--8cb01eaf-8885-5eb6-a8d7-cc5d221d2f25
Feed Name: On the Hunt
This blog post demonstrates token-theft and replay attacks against Microsoft Entra (Azure AD), showing how insecure storage of refresh and access tokens (and the offline_access scope) enables persistence and data exfiltration. The author reproduces the attacks using TruffleHog and custom scripts, highlights shortcomings in Conditional Access and token binding, shows how the resulting authentication and Graph logs can be misleading, references real-world supply-chain incidents, and provides Log Analytics and Graph-activity hunting rules for detecting token replay and exfiltration.
