Bypass Record
Valid Accounts × Microsoft Entra ID
A publicly reported instance of Valid Accounts bypassing Microsoft Entra ID, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The attack bypasses Conditional Access (CA) policies by using the device code flow against the Device Registration Service (DRS) endpoint, which was not covered by enforcement-mode policies. A phantom device is registered without hardware validation, obtaining a signed device certificate and private key. This device is then used to mint a Primary Refresh Token (PRT) that carries trusted-device claims, bypassing CA policies that require a compliant or hybrid-joined device. Intune compliance is achieved by forging hybrid domain-join claims and by exploiting the fact that a missing health attestation was treated as compliant.
Detection & mitigation
Monitor Entra ID audit logs for device code flow authentications (especially from unexpected locations), anomalous device registrations (e.g., non-Windows devices, missing hardware identifiers), and PRT issuance to newly registered devices. Enforce CA policies in enforcement mode, require MFA for all device registration, and configure Intune compliance policies to require health attestation and treat missing attestation as non-compliant.
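The three indicators above, as an added detection example that is not part of the original record: it correlates constructed Entra-style sign-in and device-registration events and flags device code sign-ins from unexpected countries, registrations lacking hardware identifiers or running a non-Windows OS, and PRT issuance to a device registered shortly before. Field names (protocol, hardwareIds, tokenType) and the one-hour window are assumptions for illustration, not a guaranteed log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data); field names are assumed.
SIGNINS = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "protocol": "deviceCode",
     "country": "US", "deviceId": None},
    {"time": "2024-05-01T09:05:00", "user": "bob", "protocol": "deviceCode",
     "country": "NL", "deviceId": None},
    {"time": "2024-05-01T09:30:00", "user": "bob", "protocol": "oAuth2",
     "country": "NL", "deviceId": "dev-phantom", "tokenType": "PRT"},
]
DEVICE_REGS = [
    {"time": "2024-05-01T09:10:00", "deviceId": "dev-phantom", "os": "Linux",
     "hardwareIds": []},
    {"time": "2024-04-01T10:00:00", "deviceId": "dev-real", "os": "Windows",
     "hardwareIds": ["tpm-ek-abc"]},
]
EXPECTED_COUNTRIES = {"US"}      # assumed baseline for this tenant
PRT_WINDOW = timedelta(hours=1)  # assumed "newly registered" threshold


def _t(s):
    return datetime.fromisoformat(s)


def device_code_from_unexpected_location(signins, expected=EXPECTED_COUNTRIES):
    """Users whose device code flow sign-in came from outside the baseline."""
    return [s["user"] for s in signins
            if s["protocol"] == "deviceCode" and s["country"] not in expected]


def anomalous_registrations(regs):
    """Device IDs registered with a non-Windows OS or no hardware identifiers."""
    return [r["deviceId"] for r in regs
            if r["os"] != "Windows" or not r["hardwareIds"]]


def prt_to_new_device(signins, regs, window=PRT_WINDOW):
    """(user, deviceId) pairs where a PRT was issued within `window` of registration."""
    reg_time = {r["deviceId"]: _t(r["time"]) for r in regs}
    hits = []
    for s in signins:
        d = s.get("deviceId")
        if s.get("tokenType") == "PRT" and d in reg_time:
            age = _t(s["time"]) - reg_time[d]
            if timedelta(0) <= age <= window:
                hits.append((s["user"], d))
    return hits
```

In practice the same correlation runs over exported sign-in and audit logs; the registration-to-PRT gap is the signal that ties the phantom device to the token that bypasses the CA device requirement.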
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.