Full Disclosure A Third (and Fourth) Azure Sign-In Log Bypas...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://trustedsec.com/blog/full-disclosure-a-third-and-fourth-azure-sign-in-log-bypass-found
• Blog Title: Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found
• Suggested Section: Azure Pentesting -> Az - Entra ID (AzureAD) & Azure IAM (add subsection: "Entra ID sign-in log bypasses / stealth token acquisition via OAuth ROPC"), or Azure Pentesting -> Az - Tokens & Public Applications (ROPC) with a detection-evasion note about missing Sign-In Logs

🎯 Content Summary

Post: TrustedSec blog post “Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found” (published March 19, 2026). The author (nyxgeek) discloses two additional Azure Entra ID sign-in log bypasses discovered as part of a series of four bypass classes found since 2023. Theme: attackers can perform password validation and (in the newer bypasses) obtain fully functioning OAuth...

🔧 Technical Details

Foreign-tenant token endpoint for stealth password validation (GraphNinja): If authentication telemetry is keyed to the tenant being targeted, an attacker can send an OAuth2 ROPC request to the token endpoint for a different tenant GUID (not the victim’s). The response can still reveal whether the submitted password is correct for the username, but the login fails because the user doesn’t exist in that foreign tenant; in the described failure mode, neither the victim tenant nor the foreign tenant produces a sign-in log entry, enabling quieter password spraying/credential checking.

Force post-password failure to hide correct guesses (GraphGhost): Deliberately break a later stage of an authentication pipeline (e.g., submit an invalid client_id) so the overall attempt is logged as “failed” even though the password validation step already succeeded. If logs don’t record the password-validation outcome, defenders cannot...

🤖 Agent Actions

Updated az-tokens-and-public-applications.md with a new ROPC-focused subsection and a concise breakdown of Entra ID sign-in log bypass classes.

The edit adds:

• A normal ROPC token request example and why public clients matter
• The three reusable bypass patterns from the research: foreign-tenant validation, post-password failure, and oversized-but-valid logging failure
• A short hunting note about correlating Graph activity with missing non-interactive sign-in logs
• The TrustedSec blog in the file’s ## References

No new files were created. I verified the final diff and markdown placement; no automated tests were applicable for this docs-only change.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/full-disclosure-a-third-and-fourth-azure-sign-in-log-bypass-found

Content Categories: Based on the analysis, this content was categorized under "Azure Pentesting -> Az - Entra ID (AzureAD) & Azure IAM (add subsection: "Entra ID sign-in log bypasses / stealth token acquisition via OAuth ROPC"), or Azure Pentesting -> Az - Tokens & Public Applications (ROPC) with a detection-evasion note about missing Sign-In Logs".

Repository Maintenance:

• MD Files Formatting: 583 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0