How a Microsoft Entra ID Flaw in Nested App Authentication Bypassed MFA and All Conditional Access Policies

On June 22, 2026, NetSPI researcher Thomas Byrne publicly disclosed a vulnerability in Microsoft Entra ID's Nested App Authentication (NAA) framework — also called BroCI — that allowed attackers to bypass any Conditional Access Policy (CAP), including MFA requirements, device compliance checks, and location-based controls . The flaw was patched server-side by Microsoft as a medium-severity issue, but its disclosure marked a significant moment for identity security as it was revealed alongside a second, separate bypass method and a series of enforcement changes from Microsoft.

The Vulnerability: How NAA Let Attackers Bypass All Controls

Nested App Authentication is Microsoft's custom OAuth single sign-on (SSO) mechanism designed to allow a "host" application, such as the Azure Portal, to silently broker token exchanges for nested child applications without re-prompting the user . It works by embedding special parameters (brk_client_id, brk_redirect_uri) into standard OAuth token requests to login.microsoftonline.com .

Byrne discovered that this mechanism had a critical flaw. The vulnerability specifically affected flows where the ADIbizaUX client — the Azure Portal's IAM management component — brokered a cached Azure Portal refresh token to request an access token for the Microsoft Graph API . Normally, refresh token exchanges are subject to Conditional Access evaluation, but NetSPI found that when using the NAA flow with ADIbizaUX against the Microsoft Graph resource, Conditional Access Policies were not evaluated at all . An access token was issued regardless of any configured policies. Two additional Microsoft Intune portal extension client IDs were also found to exhibit the same bypass behavior .

The Attack Scenario: Post-Compromise Persistence Without Detection

The attack requires a specific pre-condition — a stolen Azure Portal refresh token — but is highly effective for post-compromise persistence and lateral movement . The scenario unfolds in four steps:

1. Initial compromise: An attacker first steals a valid Azure Portal refresh token, for example through phishing, adversary-in-the-middle (AITM) proxy attacks targeting login.microsoftonline.com, or other token theft methods .
2. Token brokering via NAA: The attacker uses the stolen Azure Portal refresh token and the NAA brokering flow (via ADIbizaUX or the Intune portal extensions) to silently exchange it for a Microsoft Graph access token .
3. Bypass all controls: The Graph token is issued without any Conditional Access evaluation — no MFA prompt, no device compliance check, no location restriction — even if those policies are explicitly configured .
4. Persistence and lateral movement: ADIbizaUX holds broad pre-consented Graph permissions and exposes undocumented APIs for managing users, groups, service principals, applications, directories, and even Conditional Access policies — all with no logging, meaning actions go completely undetected .

The vulnerability has limitations. The stolen Azure Portal refresh token has a fixed 24-hour lifetime and is non-renewable, limiting the persistence window . The attacker must already have a victim's refresh token, making this a post-compromise escalation and persistence technique, not a remote code execution . Nevertheless, the bypass was classified as medium severity by Microsoft's Security Response Center (MSRC) .

Microsoft's Response: Server-Side Fix Without a CVE

NetSPI reported the issue to MSRC on March 17, 2026 . MSRC classified it as a medium-severity vulnerability and deployed a server-side fix. Post-patch testing confirmed that the previously successful NAA flows now correctly return AADSTS53003 access-blocked errors when a Conditional Access policy applies . Microsoft did not assign a CVE for this specific issue, and the fix required no customer action .

Broader Context: Two Conditional Access Bypasses Disclosed on the Same Day

On June 22, 2026, researchers disclosed two separate Entra Conditional Access bypass methods on the same day :

Finding	Source	Mechanism	Microsoft Response
NAA / BroCI bypass	NetSPI (Thomas Byrne)	Abusing Nested App Authentication token brokering via ADIbizaUX and Intune portal extensions	MSRC medium-severity fix; now returns AADSTS53003
Resource exclusion bypass	Dirk-jan Molenaar (dirkjanm.io)	Policies targeting "All resources" with at least one excluded resource could be bypassed for Graph tokens using only baseline OIDC/directory scopes	Microsoft acknowledged and began rolling out baseline scope enforcement starting June 15, 2026; early opt-in available via Entra Admin Center

Microsoft's Broader Conditional Access Enforcement Changes in 2026

In addition to fixing the NAA bypass, Microsoft has been progressively closing Conditional Access enforcement gaps throughout 2026:

• March 27, 2026 – June 2026 (phased): Microsoft changed how CA policies targeting "All resources" are enforced when those policies include resource exclusions. Previously, sign-ins requesting only baseline OIDC scopes (like openid, profile, User.Read) could bypass Conditional Access entirely if a policy had any resource exclusion. The enforcement change ensures policies with exclusions are still evaluated against the "All resources" scope . Microsoft notified affected tenants via Message Center entry MC1223829 .

• June 15, 2026: Microsoft began enforcement of baseline scope enforcement specifically for the resource exclusion bypass, closing the Graph token bypass route that Dirk-jan Molenaar disclosed .

• March 31, 2026: Microsoft enforced the retirement of service principal-less authentication for non-Microsoft multitenant applications. All applications must authenticate using a registered service principal; otherwise, login flows will fail .

• June 2026: Microsoft announced broader Entra ID security updates including replacing Custom controls with External MFA, enforcing Conditional Access consistently during credential registration, and requiring explicitly registered authentication methods for Self-Service Password Reset (SSPR) .

Key Takeaways for Defenders

• The NAA bypass has been fixed server-side. No tenant-side action is needed for the specific NetSPI finding .
• For the resource exclusion bypass, enable the baseline scope enforcement option in the Entra Admin Center to ensure proper CA evaluation .
• Monitor for the AADSTS53003 error code, which now correctly blocks unauthorized NAA-based token exchanges .
• The ADIbizaUX undocumented APIs that can operate without logging remain a concern — organizations should monitor Azure Portal sign-in logs and token issuance patterns closely .
• With service principal-less authentication retired as of March 31, 2026, ensure all multi-tenant apps have registered service principals .