Ever feel like airport security is a chore? You are juggling shoes in one hand, your laptop in the other, praying you will not lose a sock in the process. It is inconvenient鈥攂ut it is also what keeps everyone on board safe. Microsoft鈥檚 Conditional Access Policies (CAPs) operate much the same way, verifying users and devices at sign-in before letting them into your organization鈥檚 cloud resources.
But similar to someone being able to theoretically sneaking a small contraband item through a busy security line, misconfigured CAPs can leave your Microsoft 365 tenant vulnerable. This post explores how attackers sidestep Conditional Access, why the Intune enrollment gap is so sneaky, and how you can stop malicious actors before they roam your cloud unchecked.
The CAP blind spot: 鈥極nce you are in, you are in鈥�
Conditional Access only watches the front door. After someone successfully signs in, CAPs typically do not keep re-validating device compliancy or user identity. If an attacker steals valid credentials鈥攐r worse, a Multi Factor Authentication (MFA) session token鈥攖hey might slip past any future checks like a stowaway.
Organizations often enforce 鈥榤anaged device only鈥� or 鈥榙omain-joined device only鈥� rules for added security. But if there is even a small crack鈥攍ike an app that does not require MFA鈥攁n attacker can exploit it. All it takes is one misconfiguration or overlooked exception, and the doors to SharePoint, Outlook, or Azure remain wide open for someone with the right token.
The Intune enrollment bypass (a.k.a. 鈥楾okenSmith鈥�)
Intune, Microsoft鈥檚 device management platform, needs to let fresh or factory-reset devices enroll. That means users can download the Company Portal app and sign in鈥攅ven if their device is not marked as compliant yet. Makes sense for new employees, right?
The trouble is, some attackers have reverse-engineered this enrollment flow to obtain tokens for apps beyond the Company Portal.
As a result, they can misuse these tokens to gain unauthorized access to Microsoft 365 applications. Security researcher Dirk-Jan Mollema first discovered that the Company Portal app, identified by the client ID 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223, could be exploited in this way.
Tools like by JumpsecLabs automate this process, allowing attackers to request a token (intended for Intune enrollment) and then reuse or exchange it for full-blown Microsoft 365 access. If your Company Portal sign-in does not enforce MFA or other strong checks, it is like handing over a master key.
Quick at-home test
- Take a clean Windows VM or a personal device not managed by your organization
- Download the Company Portal app.
- Sign in with your corporate account.
- If you are able to get in without being forced to MFA or meet device compliance, you have got a glaring gap.
Why 鈥楳anaged Device鈥� is not always enough
Many businesses assume the setting 鈥榦nly managed devices can access resources stops attackers cold. But as soon as an attacker gets valid credentials, they can poke around to find any conditional access rule that is less strict鈥攍ike the Company Portal. They can then request an enrollment token and exchange it for full-blown access, neatly bypassing the 鈥榤anaged device鈥� requirement.
From a red team perspective, it is fascinating鈥攁nd from a security perspective, it is terrifying. Once in, an attacker can read emails, mess with SharePoint permissions, or even escalate privileges.
Four steps to keep attackers grounded
- Require MFA on Intune Enrollment
Even brand-new or freshly reset devices should face an MFA prompt before they can enroll. It is a small inconvenience for legitimate users, but it massively raises the bar for would-be attackers. - Set Explicit 鈥楤lock鈥� Policies
Do not rely on implicit blocks. If your policy states 鈥榦nly managed devices are allowed鈥�, be sure you also define a rule that explicitly denies access when the device is not compliant. Gaps occur when we forget to set 鈥楤lock everything else鈥�. - Watch for Suspicious Company Portal Sign-Ins
If new device enrollments are rare in your environment, look for odd sign-in patterns-like someone enrolling from a random IP address at 2 a.m. or from a suspicious geographic location. Unusual sign-ins to the Company Portal followed by immediate activity on Microsoft Graph or SharePoint should raise red flags. - Strengthen Authentication
Consider passwordless methods like FIDO2 keys or certificate-based authentication. These approaches require cryptographic proof tied to physical devices, making it far harder for attackers to reuse tokens or credentials.
Common attack scenarios
There are several common attack scenarios where attackers can abuse this vulnerability:
1. Phishing & Man-in-the-Middle
Attackers trick a user into a fake sign-in page, capture not just the username/password but also the MFA code. They use that valid session token to log in, bypassing CAP checks after the initial sign-in.
2. Token reuse
Tokens from Intune, Teams, or Outlook can often be exchanged for broader access to Microsoft 365. If your CAP is not reevaluating compliance or MFA at each resource, an old refresh token might open new doors.
3. Brute-forcing policy gaps
Attackers systematically try different client IDs (for Teams, SharePoint, Company Portal, etc.) to see which ones slip past your CAP. Once they find a path, they can quietly exploit it until you notice鈥攐r until it is too late.
The Big Question: Is your front door locked while a window stays open?
Conditional Access is powerful, but only if it is configured to block every path attackers might take. If just one enrollment policy or legacy app bypasses your robust checks, it is all for nothing. Attackers know this, and so should you.
Auditing your policies
Microsoft offers tools like the workbook for Sentinel, but it is not a magic bullet. You will need to combine logging data, custom detection scripts, and a healthy dose of diligence to pinpoint vulnerabilities. The by Jasper Baes complements this by mapping CAPs to users and visualizing their impact, aiding in gap detection and compliance assessments.
Detection & mitigation considerations
While the specifics of log queries and detection mechanisms are discussed in detail , the core defensive strategy is to monitor for anomalous sign-ins. In practice, any successful login to the Company Portal from a device that is not fully compliant should trigger an immediate investigation. Look for patterns such as unusual geographies, odd timing (for instance, sign-ins at 2 a.m.), or subsequent activity that quickly escalates privileges.
It is a stark reminder that while Conditional Access policies are robust when configured correctly, every additional path鈥攅specially those designed for new device enrollments鈥攏eeds extra vigilance. The real-world exploit demonstrates that attackers are adept at finding the tiniest misconfiguration. Ensuring that enrollment flows enforce MFA and strict compliance, and that your monitoring systems are tuned to catch these subtle deviations, is paramount.
Final thoughts
Treat every access token like a security badge that grants wide-ranging permissions. Enforce MFA everywhere you can, actively block unapproved apps or device states, and pay special attention to those 鈥榝irst-time鈥� sign-ins via the Company Portal. With careful configuration and continuous auditing, you can ensure your Conditional Access Policies do more than just check boarding passes鈥攖hey will keep the entire flight secure.