Leaked Azure AD (Entra ID) Credentials Expose Cloud Environments to Attack

Exposed configuration files could give hackers unauthorized access to Azure AD and critical cloud resources.

DevOps code

Key Takeaways:

  • Exposed appsettings.json files can leak Azure AD credentials.
  • Hackers can abuse leaked secrets to gain OAuth 2.0 access tokens.
  • This flaw risks deep infiltration into Azure cloud environments.

Cybersecurity researchers have discovered a critical flaw where Azure Active Directory (Azure AD) application credentials were left exposed in a publicly accessible appsettings.json file. This misconfiguration could let attackers exploit Microsoft’s OAuth 2.0 endpoints to gain unauthorized access and infiltrate Azure cloud environments.

The risk of exposed appsettings.json files

appsettings.json is a configuration file commonly used in ASP.NET Core applications to store application settings in a structured JSON format. It typically contains key-value pairs for things like database connection strings, API keys, logging configurations, and authentication credentials. This file helps developers manage environment-specific settings without hardcoding them into the application’s source code.

The appsettings.json file often includes sensitive information (such as Azure AD credentials or third-party service secrets), and it’s crucial to secure appsettings.json properly. If exposed publicly, it can lead to serious security breaches, allowing attackers to access cloud resources or impersonate trusted applications.

How attackers exploit leaked Azure AD credentials?

Cybercriminals could exploit this flaw by locating a publicly accessible appsettings.json file that contains Azure AD credentials (specifically the ClientId and ClientSecret). These credentials are intended for secure communication between applications and Azure services. Once exposed, they could allow unauthorized users to authenticate with Microsoft’s identity platform using the OAuth 2.0 Client Credentials flow. This process lets the hacker acquire an access token that acts like a digital key to interact with Microsoft services.

With this token, the attacker could then query the Microsoft Graph API to gather information about users, groups, and roles within the organization’s Azure AD tenant. They could also query the Microsoft Graph API to get details about OAuth2 permission grants within the tenant. The access token lets attackers analyze group data to uncover high-privilege roles and critical teams, helping them map the organization and identify valuable targets.

Cloud architects often unintentionally expose sensitive information by placing secrets like Azure AD credentials or database keys directly into configuration files such as appsettings.json.This issue makes cloud environments more vulnerable due to risks like misconfigured public servers and poor deployment practices. These hardcoded secrets can be easily accessed by hackers, which leads to serious security breaches.

“What appears to be a harmless JSON configuration file can in reality act as a master key to an organization’s cloud kingdom. By exposing appsettings.json to the Internet, developers unintentionally hand over direct access tokens to attackers — tokens that can unlock Azure AD identities, Microsoft Graph data, storage accounts, and even highly privileged administrator functions,” the Resecurity’s HUNTER team explained.

Leaked Azure AD Credentials in appsettings.json Open Door to Cloud Attacks
Enumerating Users via Microsoft Graph (Image Credit: Resecurity)

Best practices to prevent Azure secrets exposure

To avoid Azure secrets exposure, organizations should adopt secure secrets management practices instead of hardcoding sensitive values into configuration files like appsettings.json. This includes using dedicated tools such as Azure Key Vault, AWS Secrets Manager, or similar services to store and retrieve secrets securely.

Additionally, developers should ensure that configuration files are not publicly accessible, especially on internet-facing servers, and follow proper deployment procedures that prevent accidental exposure. Regular security audits and automated scanning tools can also help detect misconfigurations before they become vulnerabilities.