Azure Entra ID Sign-In Log Bypass #3 and #4: How Attackers Retrieved Valid Tokens Without Creating Any Log

2026-03-20T10:44:31.000Z · 3 min read
Security researcher Nyxgeek (TrustedSec) disclosed two additional Azure Entra ID authentication bypasses that allowed attackers to validate passwords and retrieve fully functional tokens without generating any entries in the sign-in logs — the same logs enterprises rely on to detect intrusions.

The Problem

Since 2023, security researcher Nyxgeek from TrustedSec has uncovered four separate ways to authenticate against Azure Entra ID (formerly Azure AD) without generating sign-in logs. The first two bypasses only validated passwords. The latest two — disclosed today — returned fully functional bearer tokens while remaining invisible to logging.

This is critical because Azure Entra ID sign-in logs are the primary detection mechanism for enterprise security teams monitoring for credential attacks. If an attacker can validate passwords or retrieve tokens without creating logs, the entire detection framework is undermined.

The Four Bypasses

| Name | Reported | Fixed | Capability |
|---|---|---|---|
| GraphNinja | Aug 2023 | May 2024 | Validate password, no log (foreign tenant ID) |
| GraphGhost | Dec 2024 | Apr 2025 | Validate password, no successful login log (invalid logon params) |
| Bypass #3 | 2025 | Recently | Retrieve valid token, no log |
| Bypass #4 | 2025 | Recently | Retrieve valid token, no log |

How They Work

All four bypasses exploit the OAuth2 Resource Owner Password Credentials (ROPC) flow against the Azure token endpoint (login.microsoftonline.com). The technique:

  1. Craft a special HTTP POST to the token endpoint
  2. Supply valid credentials (username/password)
  3. Manipulate specific parameters to trigger edge-case behavior
  4. Receive a valid bearer token or password confirmation
  5. No log entry is created in the Entra ID sign-in logs

The first two bypasses confirmed password validity. The latest two go further — they return working tokens that can be used to access Microsoft Graph API, email, OneDrive, and other Azure resources.

Why This Is Dangerous

Invisible Password Spraying

An attacker can attempt passwords across thousands of accounts without generating any failed login alerts. Traditional brute-force detection relies on log analysis — if logs aren't created, detection fails entirely.

Token Retrieval Without Audit Trail

The latest bypasses don't just validate passwords — they return functional tokens. An attacker with a valid token can:

All of this happens without appearing in sign-in logs.

Enterprise Impact

Organizations rely on Azure Entra ID sign-in logs for:

If any of these logs can be bypassed, the entire security posture is compromised.

Detection Strategies

TrustedSec provides KQL queries to detect sign-in log bypasses, but acknowledges that defensive detection is inherently limited when the logs themselves are incomplete. Recommendations include:

The Pattern

Four bypasses in three years from the same researcher, all using the same authentication flow, suggest that Microsoft's approach to logging is fundamentally flawed rather than merely buggy. Each fix addresses a specific edge case without addressing the underlying architecture.

Nyxgeek's conclusion: "By knowing about Microsoft's past mistakes, we can try to prepare for their future failures."

What Enterprises Should Do

  1. Apply latest patches — All four bypasses have been fixed
  2. Assume logging gaps exist — Design security processes that don't rely solely on Entra ID logs
  3. Enable MFA everywhere — These bypasses target password-based flows
  4. Monitor network layer — Don't rely on application-layer logging alone
  5. Pressure Microsoft — Enterprise customers should demand better architectural solutions, not just individual bug fixes
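The network-layer monitoring recommended above, applied to the invisible password spraying described earlier, as an added example that is not TrustedSec's or Microsoft's code: it assumes a TLS-inspecting egress proxy whose records keep the form field names of POSTs to login.microsoftonline.com (password values redacted), and it flags ROPC (grant_type=password) token requests plus sources cycling through many usernames, with no dependence on the Entra ID sign-in log at all.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample egress-proxy log (not real traffic). Assumed record format, one request
# per line: <ISO-8601 time> <client ip> <method> <url> <form body with secrets redacted>
SAMPLE_LOG = """\
2026-03-20T10:40:01Z 203.0.113.7 POST https://login.microsoftonline.com/common/oauth2/token grant_type=password&username=alice%40example.com&password=REDACTED&client_id=APP
2026-03-20T10:40:04Z 203.0.113.7 POST https://login.microsoftonline.com/common/oauth2/token grant_type=password&username=bob%40example.com&password=REDACTED&client_id=APP
2026-03-20T10:40:09Z 203.0.113.7 POST https://login.microsoftonline.com/common/oauth2/v2.0/token grant_type=password&username=carol%40example.com&password=REDACTED&client_id=APP
2026-03-20T10:41:00Z 198.51.100.9 POST https://login.microsoftonline.com/common/oauth2/v2.0/token grant_type=authorization_code&code=REDACTED&client_id=APP
2026-03-20T10:41:30Z 198.51.100.9 POST https://login.microsoftonline.com/common/oauth2/token grant_type=password&username=dave%40example.com&password=REDACTED&client_id=APP
"""

TOKEN_HOST = "login.microsoftonline.com"
TOKEN_PATHS = ("/oauth2/token", "/oauth2/v2.0/token")  # v1 and v2 token endpoints
def parse_ropc(line):
    """(time, src_ip, username) if the line is an ROPC POST to the Entra token endpoint, else None."""
    ts, src, method, url, body = line.split(" ", 4)
    url_parts = urlsplit(url)
    if method != "POST" or url_parts.hostname != TOKEN_HOST:
        return None
    if not url_parts.path.endswith(TOKEN_PATHS):
        return None
    form = parse_qs(body)
    if form.get("grant_type") != ["password"]:  # ROPC is the only grant using "password"
        return None
    user = form.get("username", ["<unknown>"])[0].lower()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user

def ropc_events(log_text):
    """Every ROPC token request seen on the wire, whether or not Entra ID logged it."""
    lines = (l for l in log_text.splitlines() if l.strip())
    return [ev for ev in map(parse_ropc, lines) if ev]

def spray_sources(events, window=timedelta(minutes=10), threshold=3):
    """Source IPs that tried ROPC for >= threshold distinct usernames inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological; the window slides from each hit forward
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[src] = len(users)
                break
    return flagged
```

On the constructed sample, 203.0.113.7 is flagged for three usernames in eight seconds while the single ROPC request from 198.51.100.9 and the authorization-code exchange are not; the same ROPC events are what a KQL query over the sign-in log would miss when the bypass suppresses the entry.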

Source: TrustedSec Blog
