Saturday September 12, 2026 10:30am - 11:30am CDT
Microsoft Entra environments rely heavily on implicit trust in Microsoft first-party applications, yet most defenders have limited visibility into how expansive that trust boundary truly is. With more than 4,000 Microsoft first-party app IDs, many operate as “ghost” applications: active in authentication and token issuance, but not clearly represented in enterprise application views or routinely monitored by defenders. This creates a significant blind spot in identity security.
This session explores how these trusted applications can be abused through Resource Owner Password Credentials (ROPC), Family of Client IDs (FOCI), and token issuance behaviors that extend access beyond what defenders typically expect. Rather than focusing on generic anomalous sign-ins, the talk centers on capability: the delegated scopes these applications request, the permissions they inherit, and how those access paths can be leveraged to persist and expand access within a tenant. These behaviors can be executed through standard Graph API interactions and demonstrate how ROPC can be used to obtain tokens without interactive authentication, which, in many real-world environments configured according to historical Microsoft guidance, results in an effective MFA bypass.
Attendees will learn how ROPC remains relevant in modern identity attacks, how first-party application trust complicates Conditional Access enforcement, and why policy evaluation differs between interactive and non-interactive authentication paths. The session also examines the token lifecycle in depth, including how refresh tokens can persist for extended periods, how Continuous Access Evaluation (CAE) affects enforcement, and why resetting user credentials does not necessarily revoke active access without additional token invalidation steps.
From a defensive perspective, this talk provides practical, immediately usable guidance. It includes KQL queries specifically designed to identify ROPC authentication activity, enumerate first-party application usage, and help defenders understand which client applications are requesting access and with what scope. It also covers Conditional Access policy considerations, validation techniques, and response actions to take during identity incidents involving token abuse.
A companion GitHub repository is included with ready-to-use KQL queries, detection logic, and example configurations. Attendees will leave with a concrete understanding of how first-party application trust can be abused, where visibility and enforcement gaps exist, and how to build effective identity-focused detection and response workflows in Microsoft Entra.
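As a starting point for the kind of visibility the abstract describes, the following KQL is an added example written for this page; it is not from the talk or its companion repository. It surfaces ROPC sign-ins in the Entra `SigninLogs` table and summarizes, per client application, how many users and sign-ins are involved, how often Conditional Access was not applied, and which resources were requested. It assumes the standard `SigninLogs` schema, where `AuthenticationProtocol` carries the value `ropc` for the password grant; the 30-day window and the result limits are arbitrary choices.

```kql
// Added example (not from the talk or its companion repository).
// Purpose: enumerate which client applications are authenticating users
// with the ROPC grant, and whether Conditional Access evaluated those sign-ins.
// Assumes the standard SigninLogs table; "ropc" is the documented
// AuthenticationProtocol value for the password grant.
SigninLogs
| where TimeGenerated > ago(30d)                      // arbitrary lookback window
| where AuthenticationProtocol =~ "ropc"
| summarize
    SignIns       = count(),
    Users         = dcount(UserPrincipalName),
    Successes     = countif(ResultType == "0"),      // ResultType is a string in SigninLogs
    NonInteractive = countif(IsInteractive == false),
    CANotApplied  = countif(ConditionalAccessStatus =~ "notApplied"),
    Resources     = make_set(ResourceDisplayName, 10),
    SourceIPs     = make_set(IPAddress, 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by AppId, AppDisplayName
| order by SignIns desc
```

Rows with a high `CANotApplied` count against a client application you do not recognize as an enterprise application are the blind spot the abstract describes: a first-party client obtaining tokens with a password grant outside the policy evaluation defenders expect. The `AppId` column is the stable key to pivot on, since first-party display names are not unique and some of these clients do not appear in the enterprise applications view at all.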
Speakers
Jon Haas
Threat Hunter, Nationwide
Jon Haas is a Threat Hunter at Nationwide specializing in identity security, cloud detection engineering, and adversary tradecraft in modern SaaS environments. His work focuses on uncovering gaps in authentication controls, including OAuth abuse, first-party application behavior...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA