
Unauthorized certificate addition to Entra ID Enterprise Application

Cayosoft Threat Definition CTD-000169


Risk Summary

The addition of a certificate to an Entra ID Enterprise Application can allow an attacker to authenticate without MFA and gain persistent access.

  • Severity: High
  • Platform: Entra ID
  • Category: Infrastructure
  • MITRE ATT&CK Tactics: Defense Evasion, Credential Access
  • MITRE D3FEND Tactics: Application Configuration Hardening

Description

The addition of a certificate to an Entra ID Enterprise Application can allow an attacker to authenticate without MFA and gain persistent access. If a threat actor compromises an account with App Admin or Owner privileges, they can add credentials to an application and use it to generate OAuth tokens for persistent access.
This method is commonly exploited in OAuth abuse attacks, where attackers use newly added credentials to impersonate users, escalate privileges, or maintain unauthorized access even after an account password reset.
By monitoring this activity, organizations can detect unauthorized persistence mechanisms and prevent potential MFA bypass attacks.


Real-World Scenario

An attacker phishes an App Administrator and uses the stolen session to add an X.509 certificate under the Certificates & Secrets of a sensitive enterprise app. The attacker then uses the client-credentials flow to mint tokens on demand, bypassing interactive sign-in and MFA, and rotates the certificate privately to keep the foothold. They assign additional app roles to expand data access and exfiltrate mail and files via the Graph API, leaving minimal logs tied to any user. Cayosoft Guardian detects the new client certificate on the app and raises an alert before the backdoor is used widely.


How to Detect (Cayosoft Guardian)

1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.

2.) View All Alerts and search for CTD-000169 or Unauthorized certificate addition to Entra ID Enterprise Application.


3.) Open any alert and click for details (from the Raise Threat Alert action).

4.) Evidence:

  • Client certificates (list from the app’s clientCertificates).
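The evidence above is a list of client certificates; the detection boils down to spotting a certificate that was not there before. The following added example (not Cayosoft's or Microsoft's code) diffs two constructed snapshots shaped like Microsoft Graph `application` and `servicePrincipal` objects and reports every X.509 `keyCredential` that appears in the newer one. It checks both object types because a key credential can be added to the application object (App registrations) or directly to the service principal (Enterprise applications); the sample data, object ids and certificate names are constructed for illustration.

```python
from datetime import datetime

def cred(key_id, name, start, end):
    """Build a keyCredential in the shape Microsoft Graph returns (constructed sample)."""
    return {"keyId": key_id, "type": "AsymmetricX509Cert", "usage": "Verify",
            "displayName": name, "startDateTime": start, "endDateTime": end}

# Constructed snapshots: one app registration and its enterprise app (service principal).
BASELINE = {
    "applications": [{"id": "app-0001", "displayName": "Mail Sync Connector",
                      "keyCredentials": [cred("key-0001", "CN=mailsync-prod",
                                              "2025-01-01T00:00:00Z", "2026-01-01T00:00:00Z")]}],
    "servicePrincipals": [{"id": "sp-0001", "displayName": "Mail Sync Connector",
                           "keyCredentials": []}],
}
# Later snapshot: a second certificate now sits on the service principal only, so it is
# not visible under App registrations > Certificates & secrets but still mints tokens.
CURRENT = {
    "applications": BASELINE["applications"],
    "servicePrincipals": [{"id": "sp-0001", "displayName": "Mail Sync Connector",
                           "keyCredentials": [cred("key-0002", "CN=unexpected-cert",
                                                   "2025-09-01T00:00:00Z", "2030-09-01T00:00:00Z")]}],
}

def _iso(ts):
    """Parse a Graph UTC timestamp such as 2025-09-01T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def new_certificates(baseline, current):
    """Return one finding per X.509 keyCredential present in `current` but absent from
    `baseline`, checking application objects and service principals alike."""
    findings = []
    for obj_type in ("applications", "servicePrincipals"):
        before = {o["id"]: o for o in baseline.get(obj_type, [])}
        for obj in current.get(obj_type, []):
            known = {k["keyId"] for k in before.get(obj["id"], {}).get("keyCredentials", [])}
            for k in obj.get("keyCredentials", []):
                if k["keyId"] in known or k.get("type") != "AsymmetricX509Cert":
                    continue  # already baselined, or not a certificate
                findings.append({
                    "objectType": obj_type, "objectId": obj["id"], "app": obj["displayName"],
                    "keyId": k["keyId"], "certName": k.get("displayName", ""),
                    "validityDays": (_iso(k["endDateTime"]) - _iso(k["startDateTime"])).days,
                    "severity": "High",  # matches the CTD-000169 rating
                })
    return findings

if __name__ == "__main__":
    for f in new_certificates(BASELINE, CURRENT):
        print(f"[{f['severity']}] new cert {f['certName']} ({f['keyId']}) on {f['objectType']} "
              f"{f['app']} ({f['objectId']}), valid {f['validityDays']} days")
```

A long validity period on a freshly added certificate is itself worth a closer look during triage, so the finding carries it alongside the key identifier.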

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:
  1.) Sign in to the Microsoft Entra ID Admin Center.
  2.) Navigate to Microsoft Entra ID > App registrations.
  3.) In the All Applications section, search for the affected application by its name or object ID.
  4.) Click the application to open its settings.
  5.) Navigate to Certificates & Secrets under the Manage section.
  6.) Select the unauthorized certificate, click the Delete icon and confirm the removal.

How to Prevent It

Cayosoft Guardian can proactively detect and alert on unauthorized certificate additions to Entra ID Enterprise Applications. It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.

FAQ

Certificates enable non-interactive client credential flows. If added by an attacker, they can mint tokens without MFA and persist even after a user password reset.

Typically, Application Administrator, Cloud Application Administrator, or the Owner of the app/service principal.

Audit Owners, App role assignments, Permission grants (delegated and application), and Enterprise application → Properties → Visible to users?; then review the Audit and Sign-in logs around the time the certificate was added.

Final Thought

Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like unauthorized certificate addition to an Entra ID Enterprise Application, you reduce your attack surface and strengthen your organization's overall security posture.