References
Thomas Naunheim / Entra ID Attack & Defense Playbook
Entra ID Attack & Defense Playbook – PRT/Token Replay Chapter. Thomas Naunheim & Sami Lamppu, 2022 (updated 2023). Core reference for the PRT, RT and AT token types and their attack scenarios. Chris Brumm listed as reviewer.
Entra ID Attack & Defense Playbook – AiTM Chapter. Thomas Naunheim & Sami Lamppu, Sept. 2024 (updated Dec. 2024). Covers AiTM attacks, GSA Compliant Network as a mitigation, and KQL hunting queries based on NetworkAccessTraffic logs.
Abuse and replay of Azure AD refresh token from Microsoft Edge in macOS Keychain. Thomas Naunheim, 2022. Deep dive into macOS token storage and replay attack paths.
Analyzing Workload Identity Activity Through Token-Based Hunting. Thomas Naunheim, Jan. 2026. Token hunting for non-human identities; notes that Compliant Network and Token Protection are not available for workload identities.
MicrosoftCloudActivity KQL Function. Thomas Naunheim. KQL function for hunting token-based activity across Microsoft Cloud services.
ConsentFix Hunting Query – Confidence on Token and Network Signals. Thomas Naunheim. Hunting query that combines GSA NetworkAccessTraffic logs, WAM signals, and token binding state.
AADOps: Operationalization of Conditional Access. Thomas Naunheim. Gold standard for CA lifecycle management and automation.
glueckkanja (Co-Authored Posts)
ConsentFix: How a New OAuth Attack Bypasses Microsoft Entra Conditional Access. Fabian Bader, Chris Brumm, Thomas Naunheim, Dec. 2025. Best available comparison of Compliant Network vs. Token Protection as mitigations. Includes a concrete ConsentFix/AuthCodeFix scenario and hunting queries.
Compliant Device Bypass – All you need to know. Fabian Bader, Chris Brumm, Thomas Naunheim, Jan. 2025. Relevant for the Post 2 comparison of Compliant Device vs. Compliant Network.
Fabian Bader / cloudbrothers.info
Continuous Access Evaluation. Fabian Bader. Best community reference for CAE mechanics and location-based scenarios.
EntraScopes.com. Fabian Bader. Reference for first-party app permissions; includes the ConsentFix-relevant apps.
Chris Brumm (Own Posts – Cross-References)
Overview to Global Secure Access. GSA client prerequisites (IPv6, Secure DNS, QUIC). Referenced in Post 1.
Global Secure Access in Conditional Access. Explains the Compliant Network + CAE combination. Referenced in Post 2 Part 1.
Using Global Secure Access in Cross-Tenant scenarios. B2B capabilities of GSA. Referenced in Post 2 Part 3 (Admin/PAW scenario) and Post 3 (Tenant Restrictions).
Advanced Workbooks for Conditional Access. Customized CA workbooks that extend the Microsoft-provided versions to also cover non-interactive sign-ins. Referenced in the Post 2 rollout section.
Jan Bakker
Prevent AiTM with Microsoft Entra Global Secure Access and Conditional Access. Early (2023) walkthrough of AiTM prevention using GSA Compliant Network. Good configuration reference.
Derk van der Woude
Microsoft Entra Internet Access to prevent AiTM attacks. Scenario and configuration walkthrough for AiTM prevention with GSA. Referenced in Chris' CA post.
BAADTokenBroker & PRT Cookie Theft Research
BAADTokenBroker – Secureworks GitHub. Original PowerShell post-exploitation tool by Yuya Chudo (Secureworks). Extracts a PRT Cookie by talking directly to lsass, or creates one from credentials/WHfB keys. No updates since the initial release.
Black Hat Asia 2024 – Bypassing Entra ID Conditional Access Like APT. Presentation by Yuya Chudo introducing BAADTokenBroker. Covers device authentication internals, attack scenarios, and mitigations.
Ballpoint – Pass the PRT. Independent confirmation that Request-PRTCookie does not require administrative rights; a standard user context is sufficient. Referenced in Post 2 Part 1 demo notes.
BAADTokenBroker – BOF Fork (C2 Integration). Community fork that ports BAADTokenBroker as a Beacon Object File for C2 frameworks such as Sliver. Indicates the technique has been adopted into offensive tooling.
DEF CON 33 (2025) – Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery. Extends the BAADTokenBroker attack concept to macOS via the Intune Company Portal SSO extension. Demonstrates PRT Cookie extraction under user-level permissions by bypassing process validation. DEF CON 33, August 2025.
TROOPERS 25 – Breaking Down macOS Intune SSO: PRT Cookies Theft and Platform Comparison. Companion research to the DEF CON 33 talk. Compares Windows and macOS SSO authentication flows and security controls. Relevant context for the Windows-only disclaimer in Post 2.
Microsoft TechCommunity – Addressing data exfiltration: Token theft. Official Microsoft statement confirming that the Compliant Network check via GSA protects apps not yet covered by Token Protection. Key reference for the "what GSA adds" argument in Post 2 Part 1.
PowerShell & Tooling
Migrate2GSA. Community project maintained by Microsoft employees. PowerShell-based migration toolkit for transitioning from other SSE solutions to GSA. Also useful for scripting GSA provisioning from scratch.
Entra PowerShell Beta Module – GSA Cmdlets. Microsoft.Entra.Beta module with GSA-specific cmdlets for managing Private Access, profile assignments, and more. Referenced in Post 1 for scripting profile enablement.
GSATool. PowerShell-based troubleshooting tool from Microsoft. Runs 50+ tests across all GSA components without requiring module installation. Relevant for Post 4 (Coexistence) and Post 5 (Logging).
Microsoft Graph Beta PowerShell – GSA PowerShell Samples. Official PowerShell samples for GSA using the Microsoft.Graph.Beta module 2.10+. Includes break-glass recovery scripts relevant for Post 2 Part 2 (Exclusions/Rollout).
Vendor Coexistence Documentation
Configure Microsoft and Zscaler for a Unified SASE Solution. Official Microsoft/Zscaler coexistence guide. Covers three deployment scenarios and the required FQDN/IP exclusions. Post 4.
Security Service Edge Coexistence With Microsoft and Netskope. Official Microsoft/Netskope coexistence guide. Netskope support added July 2024. Post 4.
Microsoft and Netskope SSE Coexistence (Netskope Docs). Netskope's own coexistence documentation; covers the required exclusions from the Netskope side. Post 4.
Partner Ecosystem Overview. Overview of all GSA partner integrations. Post 4.
Official Microsoft Documentation
Enable Compliant Network Check with Conditional Access. Post 2 – configuration reference.
Learn about the Microsoft Traffic Profile. Post 1 – endpoint list, rule behavior, forward/bypass mode. Post 4 – Forward/Bypass configuration.
Enable Source IP Restoration with Global Secure Access. Post 4 – core reference for the Source IP Restoration mechanism, configuration, and P2 licensing requirement.
Microsoft 365 Network Connectivity Principles. Post 4 – Microsoft's own guidance on M365 traffic categories (Optimize/Allow/Default) and bypass recommendations for SWGs.
Microsoft Global Secure Access deployment guide for Microsoft Traffic. Post 4 – coexistence architecture, LWF driver priority, deployment guidance.
Global Secure Access Windows client release history. Post 4 – reference for Netskope coexistence support added July 2024.
Traffic forwarding profiles. Post 1 – profile overview and processing order.
Continuous Access Evaluation. Post 2 – CAE mechanics and user condition change flow.
Token Protection in Conditional Access. Post 2 – Token Protection/Token Binding reference.
Universal Continuous Access Evaluation (Preview). Post 2 – Universal CAE for GSA access tokens, Strict Enforcement mode.
Universal Tenant Restrictions. Post 3 – configuration reference for Universal TR via GSA.
Tenant Restrictions v2 – Setup and Migration from TRv1. Post 3 – TRv2 policy configuration, migration guide from TRv1, and alternative enforcement mechanisms (proxy, GPO).
Cross-Tenant Access Settings – B2B Collaboration. Post 3 – Outbound Cross-Tenant Access Settings as a complement to Universal TR.
Microsoft Edge – TenantRestrictionsEnabled policy. Post 3 – GPO-based enforcement via Edge for non-GSA environments.
GSA Client for Windows. Post 1 – client prerequisites (IPv6, Secure DNS, QUIC).
Enriched Microsoft 365 Logs. Post 5 – logging.
Microsoft Digital Defense Report 2024. Post 2 – token theft doubled 2022→2023, AiTM +140% YoY.
Microsoft Digital Defense Report 2025. Post 2 – infostealer growth as the primary token delivery mechanism.
How to break the token theft cyber-attack chain. Microsoft Entra Blog. 147,000 detected token replay attacks, a 111% YoY increase. Covers the infostealer → browser cache → token replay chain. Post 2.
