Beau Bullock
How to Find MFA Bypasses in Conditional Access Policies
https://www.youtube.com/watch?v=SK1zgqaAZ2E
How to Find MFA Bypasses in Conditional Access Policies

YouTube
Nov 30, 2022 at 3:01pmWeb
Show threadBen From KCNov 30, 2022
@dafthack
So they are supporting Linux now? That's good news, used to be windows/Mac only. Have you tested using a non-existent or munged ua string? Wondering if it still fails open (but don't have an instance to test on right now)
Show threadBeau BullockDec 1, 2022
@benfromkc Just tested a few different UAs and it looks like it's not failing open for blank/random/non-existent UAs. Partial real UAs with random data on them work though (ex. "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) .1.15E148asdpofijapsdofijapsdofij").
Show threadBen From KCDec 1, 2022
@dafthack Thanks! That is great info. Your video and this thread have been really valuable, thanks for all your work!