This session will look at some of the caveats of the AAD Graph API. My research found that if you have a token for this API, you have pretty much unhindered access for reading and exporting anything that uses AAD Graph, including reading Conditional Access policies as an end user.
The session will go through how this is possible and how to do it, and will demo the toolkit I created for exporting all of this data as an end user.
You will learn:
- How the AAD Graph API can give an actor more read permissions than you thought
- How to prevent some of this from happening in your environment
- How to hunt for this using KQL
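As an added example of the kind of KQL hunt the third point refers to (this is not the speaker's toolkit or one of the session's own queries), the query below lists accounts that successfully obtained tokens for the AAD Graph API from clients other than the ones you expect. It assumes Microsoft Sentinel with the SigninLogs table fed from Entra ID sign-in diagnostics. The AAD Graph resource is identified by its well-known app ID 00000002-0000-0000-c000-000000000000 (displayed as "Windows Azure Active Directory"); the list of expected client app IDs is an assumption you tune for your own tenant.

```kql
// Added example, not from the session: hunt for successful sign-ins that
// obtained a token for the AAD Graph API from a client app that is not on
// your expected list. Assumes Microsoft Sentinel with the SigninLogs table.
let lookback = 7d;
// Well-known resource app ID of the AAD Graph API ("Windows Azure Active Directory").
let aadGraphAppId = "00000002-0000-0000-c000-000000000000";
// Client app IDs you consider legitimate callers of AAD Graph.
// Assumption: only the Azure Portal is expected; extend this for your tenant.
let expectedClients = dynamic([
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c"  // Azure Portal
]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                      // successful sign-ins only
| where ResourceIdentity == aadGraphAppId       // token issued for AAD Graph
| where AppId !in (expectedClients)             // drop known-good clients
| summarize
    SignIns    = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    IPs        = make_set(IPAddress, 10),
    UserAgents = make_set(UserAgent, 5)
    by UserPrincipalName, AppDisplayName, AppId, ClientAppUsed
| order by SignIns desc
```

Expect noise from first-party tools such as Azure PowerShell and Azure CLI on the first run; rather than silently adding every client to the allow-list, check whether the user and source IP combination is one you would expect to be enumerating directory data, since a token for AAD Graph is all an actor needs to export it.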