For federated domains, unlike managed domains, a third-party identity provider, such as a Microsoft AD FS server, handles authentication instead of Entra ID. In this setup, Entra ID establishes a trust relationship with the identity provider.
When AD FS acts as the identity provider, it generates signing certificates with a default validity period of one year. Although you can change this duration, the one-year default remains prevalent in most environments.
Therefore, this heuristic serves only as an indication that must be compared with the effective configuration of the identity provider; it is not a direct Indicator of Compromise (IoC). Instead, it reflects a behavior observed in certain Entra ID attacks, such as the Solorigate attack.
Additionally, it's important to note a limitation: the IoE would not detect an attacker who inserts a rogue signing certificate with a duration of one year (the default value of the option) or the same duration as a normal signing certificate in your environment.
First, validate that the signing certificate associated with the federated domain is legitimate and that you created it yourself with the specified configuration in your identity provider.
To check the list of federated domains in the Azure portal, navigate to the "Custom domain names" blade and identify those marked with a checkmark in the "Federated" column. The potentially malicious domain will have the same name as indicated in the finding. However, unlike the MS Graph API, the Azure portal does not display the federation's technical details.
PowerShell cmdlets from the MS Graph API allow you to list the domains with Get-MgDomain and their federation configuration with Get-MgDomainFederationConfiguration:
# A read-only scope is enough to enumerate domains and their federation settings
Connect-MgGraph -Scopes "Domain.Read.All"
# Output each federated domain followed by its federation configuration (issuer URI, endpoints, signing certificates)
Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq "Federated" } | ForEach-Object { $_ ; Get-MgDomainFederationConfiguration -DomainId $_.Id }
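Building on the cmdlets above, the following PowerShell is an added example (not part of the original page) that decodes each federated domain's signing certificate and flags validity periods that differ from the expected one-year default. It assumes PowerShell 7 with the Microsoft Graph PowerShell SDK connected with Domain.Read.All, that the federation configuration exposes the certificates as base64 DER in the SigningCertificate and NextSigningCertificate properties, and that a tolerance of a couple of days is acceptable; the self-signed certificate at the end is constructed purely for an offline demonstration.

```powershell
# Added example: flag a federation signing certificate whose validity period differs from the expected default.
function Test-FederationSigningCertificateValidity {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [Parameter(Mandatory)][string]$SigningCertificateBase64,  # base64 DER as returned by Graph (assumption)
        [int]$ExpectedDays = 365,   # AD FS default: one year (adjust to your identity provider's setting)
        [int]$ToleranceDays = 2     # assumption: absorbs leap years and day rounding
    )
    $bytes = [Convert]::FromBase64String($SigningCertificateBase64)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    $days  = [int][math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
    [pscustomobject]@{
        Domain       = $DomainId
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        ValidityDays = $days
        Unusual      = [math]::Abs($days - $ExpectedDays) -gt $ToleranceDays
    }
}

# Live check: enumerate federated domains and inspect both the current and the next signing certificate.
function Get-FederationSigningCertificateReport {
    param([int]$ExpectedDays = 365)
    Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq "Federated" } | ForEach-Object {
        $domainId = $_.Id
        Get-MgDomainFederationConfiguration -DomainId $domainId | ForEach-Object {
            foreach ($prop in 'SigningCertificate', 'NextSigningCertificate') {
                if ($_.$prop) {
                    Test-FederationSigningCertificateValidity -DomainId $domainId `
                        -SigningCertificateBase64 $_.$prop -ExpectedDays $ExpectedDays
                }
            }
        }
    }
}

# Offline demonstration with a constructed self-signed certificate (10-year validity, far from the one-year default).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    "CN=ADFS Signing - sts.example.com", $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::UtcNow
$demo = $req.CreateSelfSigned($now, $now.AddYears(10))
$b64  = [Convert]::ToBase64String($demo.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Test-FederationSigningCertificateValidity -DomainId "example.com" -SigningCertificateBase64 $b64 | Format-List
```

Against a real tenant, run Connect-MgGraph -Scopes "Domain.Read.All" and then Get-FederationSigningCertificateReport; any row with Unusual = True is a certificate to reconcile against the identity provider's configuration before treating it as suspicious.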
If you configured the validity period differently in the identity provider trusted by Entra ID, adjust the value of the associated option accordingly. Alternatively, consider allowing the signing certificate through an exclusion if this configuration is specific to your setup.
In the alternate scenario, conduct a forensic investigation to determine whether a compromise of the federated domain occurred and to assess the extent of the breach. Given the elevated privileges necessary for installing this type of backdoor (typically requiring the "Global Administrator" role, alongside lesser-known Entra roles), a potential full compromise of Entra ID is likely.
After saving evidence for eventual forensic analysis, remove the federated domain with Remove-MgDomain, or remove only its federation configuration with Remove-MgDomainFederationConfiguration. If this federated domain contains other legitimate signing certificates, re-create it manually with those afterwards.
Name: Unusual Federation Signing Certificate Validity Period
Codename: UNUSUAL-FEDERATION-SIGNING-CERTIFICATE-VALIDITY-PERIOD
Severity: Medium
Type: Microsoft Entra ID Indicator of Exposure