Going right from @WEareTROOPERS in Heidelberg to @fwdcloudsec in Denver ✈️ - from one excellent conference to another!

I’m looking forward to speaking Monday @ 2:00pm in track 1 on the dangers of #nOAuth, with some new and tweaked slides and talking points!

#Entra #EntraID #infosec #cybersecurity #mvpbuzz

At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications.

The attack is still alive and well.

You can read all about it here:

#Entra #M365 #infosec

https://www.semperis.com/blog/noauth-abuse-alert-full-account-takeover

New nOAuth Abuse Alert: Entra Cross-Tenant SaaS Apps at Risk

Think nOAuth abuse is old news? We wish. Our recent testing shows that nearly 10% of apps in the Microsoft Entra Gallery remain vulnerable.

Semperis

❗️Developers of #AzureAD multi-tenant apps with #SSO based on #OpenIDConnect should take care to use immutable claims (tid + oid) of the JWT token instead of mutable claims (email) to uniquely identify and authorize access for signed-in users. #nOAuth

https://www.descope.com/blog/post/noauth

nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover

This blog will cover an authentication implementation flaw Descope discovered in Microsoft Azure AD OAuth applications that, when exploited, could lead to full account takeover.
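The mitigation from the post above (key user identity on the immutable tid + oid pair, never on the mutable email claim) as an added illustration; this is not code from Semperis, Descope or Microsoft. It assumes the ID token's signature, issuer, audience and expiry have already been validated, and represents the token payload as a plain dict with constructed sample values.

```python
"""Account lookup in a multi-tenant Entra ID OIDC app: mutable vs immutable claims.

Assumption: `claims` is the payload of an ID token whose signature, issuer,
audience and expiry were already verified. All identifiers below are constructed.
"""

VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tid
ALICE_OID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"      # constructed oid

# Vulnerable store: accounts keyed by the 'email' claim, which is mutable
# (a tenant admin can set any mail value on their own users).
USERS_BY_EMAIL = {
    "alice@victim.example": {"name": "Alice", "role": "admin"},
}

# Hardened store: accounts keyed by (tid, oid), which Entra ID never reassigns.
USERS_BY_TID_OID = {
    (VICTIM_TENANT, ALICE_OID): {"name": "Alice", "role": "admin"},
}


def lookup_by_email(claims):
    """Vulnerable pattern: identity is whatever the 'email' claim says."""
    return USERS_BY_EMAIL.get(claims.get("email"))


def lookup_by_tid_oid(claims):
    """Hardened pattern: identity is the (tid, oid) pair; no email fallback."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # token lacks immutable identifiers: treat as unknown user
    return USERS_BY_TID_OID.get((tid, oid))


# Constructed payloads: a genuine sign-in from the victim tenant, and a token
# issued by a different tenant whose 'email' claim matches Alice's address.
LEGIT_CLAIMS = {"tid": VICTIM_TENANT, "oid": ALICE_OID,
                "email": "alice@victim.example"}
OTHER_TENANT_CLAIMS = {"tid": "22222222-2222-2222-2222-222222222222",
                       "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
                       "email": "alice@victim.example"}

if __name__ == "__main__":
    # Email lookup maps the foreign-tenant token onto Alice; tid+oid does not.
    print("email lookup  :", lookup_by_email(OTHER_TENANT_CLAIMS))
    print("tid+oid lookup:", lookup_by_tid_oid(OTHER_TENANT_CLAIMS))
```

When migrating an existing app, link each stored account to its (tid, oid) once at the next verified sign-in and then stop reading the email claim for authorization.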