In the middle of last year, Microsoft reported a serious data breach after attackers obtained an Azure AD signing key. With that key they could forge tokens and impersonate any user in Azure AD. Microsoft initially stated that it had not found the avenue by which the key leaked, but it has recently released a report describing a probable one.
According to the report, an Azure AD server crashed in April 2021, and the system sent its crash dump files to the bug system. Dump files should normally not contain keys, but because of a bug the key was included in the dump and ended up in the bug system.
Later, the Storm-0558 group compromised the account of a Microsoft engineer. That engineer had access to the bug system and could read the dump files. Microsoft does not, however, have clear logs showing how the attacker used that access to steal the key.
A further problem is that the leaked key belonged to the Azure AD consumer system, whose users should not be able to impersonate organizational users. The consumer and organizational keys have been separated since 201, but the library that verifies digital signatures was never separated. As a result, the sign-in verification accepted a token signed with the consumer key as valid for an organizational user.
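To make the verification flaw described above concrete, here is an added example (not Microsoft's code and not from the report) showing a token validator that selects a key by `kid` from one merged key set beside one that binds every key to the issuer it is allowed to sign for. The HMAC secrets and the issuer URLs are constructed stand-ins for the real RSA keys and endpoints, so the script runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the consumer and enterprise signing-key populations.
# Azure AD publishes RSA keys; HMAC secrets are used here only so the example runs
# offline. The "issuer" field records which identity system each key belongs to.
CONSUMER_ISSUER = "https://login.live.com"                       # assumed consumer issuer
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"  # assumed tenant issuer
CONSUMER_KEYS = {"msa-kid-1": {"secret": b"consumer-key-constructed", "issuer": CONSUMER_ISSUER}}
ENTERPRISE_KEYS = {"aad-kid-1": {"secret": b"enterprise-key-constructed", "issuer": ENTERPRISE_ISSUER}}
# A shared verification library that loads both key sets into one lookup table.
MERGED_KEYS = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, secret: bytes, claims: dict) -> str:
    """Build a JWS-style token: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    head, body, sig = token.split(".")
    return (json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)),
            _b64url_decode(sig), head + "." + body)


def _signature_ok(entry: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(entry["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_unscoped(token: str, keyset: dict):
    """Flawed pattern: kid picks a key from the merged set and a valid signature is treated
    as sufficient. Nothing ties the key to the issuer the token claims to come from."""
    header, claims, sig, signing_input = _split(token)
    entry = keyset.get(header.get("kid"))
    if entry is None or not _signature_ok(entry, signing_input, sig):
        return None
    return claims


def verify_scoped(token: str, keyset: dict, expected_issuer: str):
    """Hardened pattern: the key's recorded issuer must match both the issuer this relying
    party trusts and the token's iss claim, and the signature is checked last."""
    header, claims, sig, signing_input = _split(token)
    entry = keyset.get(header.get("kid"))
    if entry is None:
        return None
    if entry["issuer"] != expected_issuer or claims.get("iss") != expected_issuer:
        return None
    if not _signature_ok(entry, signing_input, sig):
        return None
    return claims


def demo() -> dict:
    """A token signed with the consumer key but carrying enterprise claims, checked both ways."""
    enterprise_claims = {"iss": ENTERPRISE_ISSUER, "sub": "user@contoso.example"}
    cross_signed = mint_token("msa-kid-1", CONSUMER_KEYS["msa-kid-1"]["secret"], enterprise_claims)
    legit = mint_token("aad-kid-1", ENTERPRISE_KEYS["aad-kid-1"]["secret"], enterprise_claims)
    return {
        "unscoped_accepts_cross_signed": verify_unscoped(cross_signed, MERGED_KEYS) is not None,
        "scoped_accepts_cross_signed": verify_scoped(cross_signed, ENTERPRISE_KEYS, ENTERPRISE_ISSUER) is not None,
        # Even if the sets stay merged, binding each key to its issuer still rejects the token.
        "scoped_merged_accepts_cross_signed": verify_scoped(cross_signed, MERGED_KEYS, ENTERPRISE_ISSUER) is not None,
        "scoped_accepts_legit": verify_scoped(legit, ENTERPRISE_KEYS, ENTERPRISE_ISSUER) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `verify_scoped` is that a correct signature proves only that the holder of some key signed the token; which identity system that key is authorised to speak for has to be checked separately, and the cleanest way is to record the scope next to the key material and to load only the keys the relying party actually trusts.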
Microsoft listed every error that allowed the attacker to obtain the key this time and confirmed that all of them have been addressed.
TLDR: Microsoft reported a severe Azure AD data breach caused by the theft of a signing key. The company has identified a probable path by which the key leaked: a server crash that wrote the key into a crash dump, and a compromised engineer account with access to that dump. The leaked key belonged to the consumer system, yet a shared verification library let it be used to impersonate organizational users. Microsoft says it has addressed and fixed all of these issues.