Bypassing MFA on Microsoft Azure Entra ID
ID: 00ac3e93-e031-5e51-9668-faae01df28d5
STIX ID: report--00ac3e93-e031-5e51-9668-faae01df28d5
Feed Name: Pen Test Partners Blog
A red team walkthrough of compromising a Microsoft Entra ID (formerly Azure AD) tenant by chaining two weaknesses: Azure AD Seamless SSO Kerberos ticket injection, and a Conditional Access misconfiguration that exempted the Linux platform from the MFA requirement, so that presenting a Linux user-agent was enough to bypass MFA. The domain-joined device requirement for Seamless SSO was then satisfied with a portable Firefox with Negotiate (Kerberos) authentication enabled, giving access to the Azure portal without the user's password or MFA. The report highlights the misconfigurations that made the chain possible (an overly broad Linux exclusion in Conditional Access, policy typos and disabled rules, and the default MachineAccountQuota of 10, which lets any domain user add computer accounts) and recommends enforcing MFA universally, setting MachineAccountQuota to 0, restricting execution of unmanaged applications (e.g., with AppLocker), and detecting suspicious sign-ins such as a device authenticating for a user it is not normally associated with.
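The Conditional Access gap the report describes is easy to introduce and hard to spot in the portal: the platform condition is evaluated from the client's user-agent, so any platform excluded from an MFA policy (or any MFA policy left disabled or in report-only mode) is a hole the attacker can select at will. The following audit is an added example, not code from the Pen Test Partners post. It reads a policy export in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.platforms`, `grantControls.builtInControls`) and flags MFA policies that are not enforced or that exclude platforms, then reports which platforms no enforced all-users MFA policy covers. The sample policies are constructed for the example; the function names and the simplification that only `builtInControls` containing `mfa` counts as an MFA requirement (authentication-strength grants are ignored) are assumptions of this example.

```python
"""Audit Entra ID Conditional Access policies for MFA gaps an attacker can pick via user-agent."""
import json

# Platform values Conditional Access can match on; "all" in the policy expands to this set.
ALL_PLATFORMS = {"android", "iOS", "windows", "windowsPhone", "macOS", "linux"}

# Constructed sample modelled on a Graph GET /identity/conditionalAccess/policies response.
# Policy 1 is the misconfiguration from the report: MFA for everyone, except on Linux.
# Policy 2 was meant to close that hole but is disabled.
SAMPLE_POLICIES_JSON = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["linux"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for Linux", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "platforms": {"includePlatforms": ["linux"], "excludePlatforms": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"],
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]})


def load_policies(raw_json):
    """Parse a Graph-style policy export and return the list of policy objects."""
    return json.loads(raw_json)["value"]


def requires_mfa(policy):
    """True if the policy's grant control demands MFA (assumption: builtInControls only)."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])


def applies_to_all_users(policy):
    """True if the policy scopes to every user, not just selected users, groups or roles."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return "All" in (users.get("includeUsers") or [])


def covered_platforms(policy):
    """Platforms the policy applies to; no platform condition means every platform."""
    plat = (policy.get("conditions") or {}).get("platforms")
    if not plat:
        return set(ALL_PLATFORMS)
    included = set(plat.get("includePlatforms") or [])
    excluded = set(plat.get("excludePlatforms") or [])
    if "all" in included:
        included = set(ALL_PLATFORMS)
    if "all" in excluded:
        excluded = set(ALL_PLATFORMS)
    return included - excluded


def audit_policies(policies):
    """Per-policy findings: MFA policies that are not enforced or carve out platforms."""
    findings = []
    for policy in policies:
        if not requires_mfa(policy):
            continue
        name = policy.get("displayName", "<unnamed>")
        state = policy.get("state")
        if state != "enabled":  # "disabled" or "enabledForReportingButNotEnforced"
            findings.append((name, f"MFA policy is not enforced (state={state})"))
        excluded = set((((policy.get("conditions") or {}).get("platforms")) or {})
                       .get("excludePlatforms") or [])
        if excluded:
            findings.append((name, f"MFA policy excludes platforms: {sorted(excluded)}"))
    return findings


def mfa_platform_gaps(policies):
    """Platforms on which no enforced, all-users MFA policy applies: attacker-selectable gaps."""
    covered = set()
    for policy in policies:
        if policy.get("state") == "enabled" and requires_mfa(policy) and applies_to_all_users(policy):
            covered |= covered_platforms(policy)
    return ALL_PLATFORMS - covered


if __name__ == "__main__":
    pols = load_policies(SAMPLE_POLICIES_JSON)
    for name, reason in audit_policies(pols):
        print(f"[finding] {name}: {reason}")
    print("platforms with no enforced all-users MFA policy:", sorted(mfa_platform_gaps(pols)))
```

Run against a real tenant by replacing the constructed sample with the JSON returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` (the `Policy.Read.All` permission is needed). Note what the check deliberately does not do: it ignores `excludeUsers` and `excludeGroups`, so a named break-glass account excluded from the MFA policy still needs to be reviewed by hand, and it treats a policy that includes only selected roles (the admin policy in the sample) as not closing a gap for the general user population. The companion on-premises fix from the report, setting the domain's `ms-DS-MachineAccountQuota` attribute to 0, is a directory change rather than a Conditional Access one and is not covered by this script.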
