Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
BP-046: Conditional Access Bypass Through Trusted Device Persistence
A critical breach pattern enabling attackers to circumvent identity controls by exploiting device trust mechanisms in Azure AD and Entra ID environments.
Understanding the Breach Pattern
This breach pattern exploits the trust relationship between identity platforms and registered devices. Attackers who compromise trusted device identities can bypass Conditional Access policies indefinitely, leveraging device compliance status to evade MFA, location controls, and other security requirements.
The attack surface includes Azure AD registered devices, hybrid-joined machines, Intune-enrolled endpoints, and any device leveraging certificates for CA evaluation. Once compromised, these devices provide persistent authenticated access that appears legitimate to security monitoring systems.
Trusted Device Types
  • Azure AD / Entra ID registered devices
  • Azure AD joined laptops
  • Hybrid AAD-joined machines
  • Intune-enrolled devices
  • Managed mobile devices
  • Device certificates in CA policies
Attacker Capabilities After Compromise
Bypass Security Controls
Circumvent MFA requirements, location restrictions, and device compliance checks using trusted device status.
Generate Persistent Tokens
Create device-bound authentication tokens that maintain access even when user accounts are locked or restricted.
Silent Data Exfiltration
Extract sensitive information without triggering revalidation prompts or security challenges from Conditional Access policies.
Privilege Escalation
Leverage trusted device posture to access administrative portals and escalate permissions within the environment.
Critical Misconfigurations Enabling This Attack
Four primary configuration weaknesses create the conditions for successful trusted device persistence attacks. These misconfigurations allow attackers to register, maintain, and exploit device identities without detection.
1. MC-451: Weak Device Registration Governance
Devices automatically registered without proper approval workflows or identity validation, enabling attackers to introduce compromised endpoints.
2. MC-452: Unsafe PRT Storage
Primary Refresh Token artifacts exposed in memory or on disk, allowing attackers to extract and replay device-bound authentication material.
3. MC-453: Overly Permissive Compliance Rules
Device compliance policies configured too broadly, enabling attackers to maintain compromised devices in "compliant" status indefinitely.
4. MC-454: Unmonitored Key Regeneration
No visibility into device key rotation or renewal events, allowing attackers to refresh device credentials without triggering security alerts.
Detection Signals and Threat Indicators
Identifying trusted device abuse requires monitoring specific authentication patterns and anomalous device behavior. These detection logics provide visibility into compromise attempts and active exploitation.
DL-095: Suspicious PRT Usage
Device-bound tokens accessed from unexpected networks, unusual time periods, or suspicious geographic locations indicating credential theft.
DL-025: Impossible Travel Patterns
Device identity appearing in geographically distant locations within physically impossible timeframes, suggesting token replay attacks.
DL-024: Anomalous API Calls
Trusted devices making high-privilege or unusual Graph API calls inconsistent with normal device usage patterns and baselines.
DL-099: Extended Sessions
Authentication sessions persisting far beyond expected durations, indicating attackers leveraging device trust to maintain continuous access.
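The following is an added example, not part of the BP-046 page or of the author's framework, showing how three of the detection logics above (DL-095 unexpected network, DL-025 impossible travel, DL-099 extended sessions) can be expressed as simple checks over sign-in telemetry keyed on the device identity rather than the user. The sign-in records, the trusted egress range (a TEST-NET prefix) and the thresholds (900 km/h, 24 h) are all constructed assumptions for the demonstration; real Entra sign-in logs carry more fields, but the device ID, source IP, resolved location, timestamp and session correlation ID used here are the ones the detections rely on.

```python
"""Device-centric detection checks for DL-095, DL-025 and DL-099.

Added example (assumption-based); the records below are constructed, not
real tenant telemetry.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from itertools import groupby
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    device_id: str   # registered / joined device identity the token is bound to
    user: str
    ip: str          # source address seen at the identity platform
    lat: float       # geolocation resolved from the source address
    lon: float
    ts: datetime
    session_id: str  # session correlation ID shared by sign-ins of one session


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records (assumption). dev-A's token is used one hour later
# from Singapore over a non-corporate address; dev-B's session spans two days;
# dev-C moves Amsterdam -> Paris in three hours, which is plausible.
EVENTS = [
    SignIn("dev-A", "alice", "203.0.113.10", 52.37, 4.90, _t("2026-01-10T09:00"), "s1"),
    SignIn("dev-A", "alice", "198.51.100.7", 1.35, 103.82, _t("2026-01-10T10:00"), "s1"),
    SignIn("dev-B", "bob", "203.0.113.11", 52.37, 4.90, _t("2026-01-09T08:00"), "s2"),
    SignIn("dev-B", "bob", "203.0.113.11", 52.37, 4.90, _t("2026-01-11T08:30"), "s2"),
    SignIn("dev-C", "carol", "203.0.113.12", 52.37, 4.90, _t("2026-01-10T09:00"), "s3"),
    SignIn("dev-C", "carol", "203.0.113.12", 48.86, 2.35, _t("2026-01-10T12:00"), "s3"),
]

# Assumption: the organisation's known-good egress range (TEST-NET-3 placeholder).
TRUSTED_NETS = [ip_network("203.0.113.0/24")]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def unexpected_network(events, trusted_nets=TRUSTED_NETS):
    """DL-095: device-bound token presented from outside the trusted ranges."""
    hits = {(e.device_id, e.ip) for e in events
            if not any(ip_address(e.ip) in net for net in trusted_nets)}
    return sorted(hits)


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """DL-025: consecutive sign-ins of the SAME device that imply travel faster
    than max_kmh. min_km suppresses geolocation jitter between nearby points.
    Returns (device_id, distance_km, implied_speed_kmh) tuples."""
    findings = []
    ordered = sorted(events, key=lambda e: (e.device_id, e.ts))
    for dev, grp in groupby(ordered, key=lambda e: e.device_id):
        grp = list(grp)
        for prev, cur in zip(grp, grp[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > min_km and speed > max_kmh:
                findings.append((dev, round(km), round(speed)))
    return findings


def extended_sessions(events, max_hours=24.0):
    """DL-099: sessions whose first and last sign-in are further apart than the
    expected lifetime. Returns (session_id, device_id, hours) tuples."""
    findings = []
    ordered = sorted(events, key=lambda e: (e.session_id, e.ts))
    for sid, grp in groupby(ordered, key=lambda e: e.session_id):
        grp = list(grp)
        hours = (grp[-1].ts - grp[0].ts).total_seconds() / 3600
        if hours > max_hours:
            findings.append((sid, grp[0].device_id, hours))
    return findings


if __name__ == "__main__":
    print("DL-095 unexpected network:", unexpected_network(EVENTS))
    print("DL-025 impossible travel:", impossible_travel(EVENTS))
    print("DL-099 extended sessions:", extended_sessions(EVENTS))
```

Keying the impossible-travel check on the device identity rather than the user is the point of this pattern: a replayed device-bound token keeps the user constant, so a user-only correlation can be explained away as "the same person signing in", whereas one device appearing in two places within an hour cannot. The three findings on the constructed data are dev-A from an untrusted address, dev-A implying roughly 10,500 km of travel in one hour, and session s2 on dev-B lasting 48.5 hours.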
Attack Chain Progression
1. Stage 4: Authentication Abuse
Attacker exploits device trust to bypass authentication controls and gain initial access.
2. Stage 6: Token Tampering
Device-bound tokens extracted, replayed, or manipulated to extend unauthorized access duration.
3. Stage 8: Identity Persistence
Trusted device identity established as a durable foothold, resisting credential rotation and policy changes.
4. Stage 9: Action on Objectives
Attacker executes data exfiltration, privilege escalation, or deploys additional persistence mechanisms.

Critical Insight
Trusted device compromise represents one of the most durable persistence mechanisms available to sophisticated attackers. Unlike credential-based access, device trust persists through password resets, MFA enrollment changes, and most security remediation efforts.
Effective detection requires correlation of device telemetry, authentication patterns, and API usage to identify anomalous behavior masked by legitimate device identity.
Threat Actor Attribution and TTPs
APT29 (ICTAM-001)
Russian state-sponsored group leveraging trusted device identities for long-term stealth persistence in government and enterprise networks. Demonstrates advanced PRT manipulation techniques.
Insider Threat Groups (ICTAM-025)
Malicious insiders enrolling personal or unmanaged devices to bypass Conditional Access policies and exfiltrate sensitive data before departure.
RaaS Affiliates (ICTAM-020)
Ransomware-as-a-Service operators hijacking Primary Refresh Tokens to avoid MFA challenges during initial access and lateral movement phases.
Hybrid Access Actors (ICTAM-015)
Adversaries exploiting compliance loopholes in hybrid Azure AD environments where device trust bridges on-premises and cloud security boundaries.
Executive Threat Storylines
Understanding how this breach pattern connects to broader attack narratives helps security leaders communicate risk and prioritize defensive investments.
ETS-009: Privileged Session Hijack
Attackers compromise trusted device identity to hijack privileged user sessions, enabling automated exfiltration of critical business data without triggering security alerts or requiring additional authentication.
ETS-003: Machine Token Theft
Device-bound tokens stolen from trusted endpoints provide attackers with machine identity credentials, facilitating cloud privilege escalation and cross-tenant access in complex Azure environments.