Abusing Entra OAuth for fun and access to internal Microsoft applications

Original Article ↗ Hacker News Discussion ↗

Microsoft security culture and risk aggregation

  • Many commenters see the incident as part of a broader pattern: rushed “make it work” engineering, legacy assumptions about “internal” apps, and later bolted‑on “Zero Trust” leading to brittle stacks.
  • There is strong concern about Microsoft’s role as a central identity/infrastructure provider (Microsoft Accounts, OneDrive, LinkedIn, OpenAI hosting) and the potential for large‑scale deanonymization or state‑level abuse.
  • Several comments mock recent AI‑heavy messaging, suggesting AI is being used both as a crutch for poor engineering and as plausible deniability for mistakes.

Cloud, Zero Trust, VPNs, and defense‑in‑depth

  • One camp argues this is exactly what happens when everything “internal” is exposed to the internet under a Zero Trust paradigm; they question why internal build and tooling apps were ever publicly reachable.
  • Others reply that classic VPN/intranet models are also dangerous: once inside, lateral movement is easy, so relying on the network boundary is fragile.
  • There’s a strong thread arguing for “defense in depth”: VPN or IP allow‑listing plus strict per‑app auth, rather than replacing one with the other.
  • Some warn that VPNs can create complacency (“it’s inside, so it’s safe”) and introduce their own high‑value attack surface, while also being operationally painful.

Entra/OAuth, multi‑tenancy, and authN/authZ pitfalls

  • The core technical criticism: Entra’s multi‑tenant model and token semantics are complex enough that even internal Microsoft teams skipped validating key claims (issuer, tenant, subject), effectively accepting any token that “looked right.”
  • A former product owner clarifies Microsoft’s guidance: validate both tenant and subject (e.g., tid+oid), not just the tenant, and points to official claims‑validation docs. Others argue this should be enforced automatically, not left as “guidance.”
  • Several recommend treating every token as potentially forged: verify all relevant fields and cross‑check with internal identity data; clearly separate authentication (who you are) from authorization (what you can do).
  • Multi‑tenant design is viewed as inherently risky: mixing attackers and victims in the same identity fabric makes cross‑tenant authorization bugs catastrophic, whereas single‑tenant setups raise the bar for attackers.
  • Some advise using Entra only for authentication and doing all meaningful authorization in‑app.

Developer experience, configuration hazards, and docs

  • Entra/OAuth configuration is widely described as a “cluster” with confusing flows, inconsistent behavior around scopes, and poor discoverability of correct patterns.
  • Lack of simple tenant allow/deny lists for multi‑tenant apps forces awkward workarounds (inviting external users, custom whitelists).
  • Several note that this complexity makes it easy—even for experts—to misconfigure security.

Bug bounties and incentives

  • Commenters are outraged that such impactful findings apparently received $0, calling Microsoft’s bug bounty “a sham” and saying many serious issues are declared ineligible.
  • Some argue this disincentivizes responsible disclosure and ensures that only attackers—rather than bounty hunters—will invest deeply in Azure/Entra exploitation.