H3-2024-0011
Microsoft Entra ID (formerly Azure AD) - Over-Privileged Service Principal
| Field | Value |
|---|---|
| Category | SECURITY_CONTROLS |
| Base Score | 5.9 |
Description
Every Entra-integrated application is represented in a tenant by a service principal, the "account" object that holds the permissions the application has been granted in that tenant. A service principal is assigned application roles (application permissions) that govern what the application can do in the tenant in its own right, independent of any signed-in user. Several Microsoft Graph application roles are highly privileged and are frequently broader than the application's intended use requires. RoleManagement.ReadWrite.Directory allows the holder to add any principal to a directory role, including Global Administrator. AppRoleAssignment.ReadWrite.All allows a service principal to grant itself any application role, including RoleManagement.ReadWrite.Directory, without an admin-consent step. Application.ReadWrite.All allows the holder to add a credential (password or certificate) to any application or service principal in the tenant, so its effective privilege is that of the most privileged service principal present.
Impact
An attacker who compromises an over-privileged application or service principal, for example by obtaining its client secret or certificate, can use these application roles to grant themselves Global Administrator, resulting in full compromise of the Entra tenant.
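The following is an added example, not code from the advisory or from any of the referenced projects. It shows the check a practitioner would run against the description above: resolve each service principal's `appRoleAssignments` against the Microsoft Graph service principal's `appRoles`, flag the three roles named in the advisory, and explain the escalation path each one gives, including how Application.ReadWrite.All reaches Global Administrator through another service principal. The tenant data is a constructed sample in the shape returned by `GET /servicePrincipals` and `GET /servicePrincipals/{id}/appRoleAssignments`; the object ids and display names are made up, and the role GUIDs should be resolved from the tenant's own Graph service principal rather than trusted from this table.

```python
"""Flag Entra service principals whose Microsoft Graph application permissions
can be escalated to Global Administrator (added example, not advisory code)."""

# appId of the Microsoft Graph service principal, the same in every tenant.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# appRoleId -> permission name, as published in the Graph service principal's
# appRoles collection. In a live check, build this table from that object.
GRAPH_APP_ROLES = {
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
    "06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All",
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": "Application.ReadWrite.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}

# The three roles from the advisory and why each one reaches Global Administrator.
DIRECT_GA = "RoleManagement.ReadWrite.Directory"  # add any member to the GA role
SELF_GRANT = "AppRoleAssignment.ReadWrite.All"    # grant itself DIRECT_GA, no consent prompt
CRED_TAKEOVER = "Application.ReadWrite.All"       # add a credential to any other app/SP
DANGEROUS = {DIRECT_GA, SELF_GRANT, CRED_TAKEOVER}


def granted_graph_permissions(assignments, graph_sp_id, app_roles=GRAPH_APP_ROLES):
    """Names of Graph app roles granted to one service principal.

    Only assignments whose resourceId is the Graph service principal count (the
    same role GUID on another resource is a different permission). Unknown ids
    are kept as raw GUIDs so nothing is silently dropped.
    """
    return {
        app_roles.get(a["appRoleId"], a["appRoleId"])
        for a in assignments
        if a["resourceId"] == graph_sp_id
    }


def escalation_path(perms, others):
    """How a holder of `perms` reaches Global Administrator, or None.

    `others` maps every other service principal's display name to the Graph
    permissions it holds; it is needed to follow Application.ReadWrite.All.
    """
    if DIRECT_GA in perms:
        return "add a controlled principal to the Global Administrator role"
    if SELF_GRANT in perms:
        return (f"grant itself {DIRECT_GA}, then add a controlled principal "
                "to the Global Administrator role")
    if CRED_TAKEOVER in perms:
        for name, their in others.items():
            if DIRECT_GA in their or SELF_GRANT in their:
                return (f"add a credential to '{name}' (holds "
                        f"{sorted(their & DANGEROUS)}) and continue from there")
        return ("add a credential to any application; inherits whatever the most "
                "privileged service principal holds now or in the future")
    return None


def assess(service_principals, assignments_by_sp, graph_sp_id):
    """Return {displayName: (dangerous permissions, escalation path)}."""
    held = {
        sp["displayName"]: granted_graph_permissions(
            assignments_by_sp.get(sp["id"], []), graph_sp_id)
        for sp in service_principals
    }
    findings = {}
    for name, perms in held.items():
        others = {n: p for n, p in held.items() if n != name}
        path = escalation_path(perms, others)
        if path:
            findings[name] = (sorted(perms & DANGEROUS), path)
    return findings


# Constructed sample tenant (ids and names are invented for this example).
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
OTHER_SP_ID = "22222222-2222-2222-2222-222222222222"  # some non-Graph resource
SAMPLE_SPS = [
    {"id": "a1", "displayName": "hr-sync"},
    {"id": "b2", "displayName": "ticketing-bot"},
    {"id": "c3", "displayName": "build-pipeline"},
    {"id": "d4", "displayName": "reporting"},
]
SAMPLE_ASSIGNMENTS = {
    "a1": [{"appRoleId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "resourceId": GRAPH_SP_ID},
           {"appRoleId": "df021288-bdef-4463-88db-98f22de89214", "resourceId": GRAPH_SP_ID}],
    "b2": [{"appRoleId": "06b708a9-e830-4db3-a914-8e69da51d44f", "resourceId": GRAPH_SP_ID}],
    "c3": [{"appRoleId": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "resourceId": GRAPH_SP_ID}],
    # reporting: read-only on Graph; the DIRECT_GA GUID below is on a different
    # resource, so it must not be counted as the Graph permission.
    "d4": [{"appRoleId": "df021288-bdef-4463-88db-98f22de89214", "resourceId": GRAPH_SP_ID},
           {"appRoleId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "resourceId": OTHER_SP_ID}],
}

if __name__ == "__main__":
    for name, (perms, path) in assess(SAMPLE_SPS, SAMPLE_ASSIGNMENTS, GRAPH_SP_ID).items():
        print(f"{name}: {perms} -> {path}")
```

In a live tenant the same logic runs over every service principal returned by `GET /servicePrincipals`, with `graph_sp_id` taken from the service principal whose `appId` equals `GRAPH_APP_ID`. Note that the build-pipeline principal is reported even though Application.ReadWrite.All looks administrative rather than directory-related: its real privilege is the union of every other service principal's permissions, which is the point the description makes.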
References
- SpecterOps - Service Principal Abuse
- Dirk-jan Mollema - Azure AD privilege escalation: Taking over default application permissions as Application Admin
- Microsoft - Using role-based access control for applications
- Microsoft - What is Conditional Access?
- MITRE ATT&CK Technique T1078.004 - Valid Accounts: Cloud Accounts