
H3-2024-0012

Microsoft Entra (AzureAD) - Service Principal Takeover

Category SECURITY_MISCONFIGURATION
Base Score 5.9

Description

Microsoft Entra uses role-based access control (RBAC) to manage permissions within a tenant. Some directory roles, such as Directory Synchronization Accounts, allow a member of the role to add themselves as an owner of an application (app registration). Once an owner of an application, a user can add persistent credentials (client secrets or certificates) to the application's service principal.
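The check a defender wants here is a list of credentials that live on a service principal object rather than on the application object the portal shows. The following script is an added example, not part of this advisory. Its input is constructed JSON in the shape of the Microsoft Graph `GET /applications` and `GET /servicePrincipals` responses (fields assumed: `appId`, `displayName`, `servicePrincipalType`, `passwordCredentials`, `keyCredentials`, and per credential `keyId`, `displayName`, `usage`, `endDateTime`); in a live tenant you would fetch those two collections with an identity holding `Application.Read.All` and pass them to `find_sp_only_credentials()`.

```python
"""Added example (not part of the advisory): find credentials that exist on a
service principal object but have no counterpart on its application object.
Sample data below is constructed in the shape of Microsoft Graph responses."""
import json

# Constructed sample data. "Payroll Sync" has one secret on its app
# registration (visible in the portal) and a second secret that was added
# directly to its service principal. The SAML app carries only a signing
# certificate on its service principal, which is normal. The managed
# identity's key credential is platform managed.
APPLICATIONS_JSON = """[
  {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "Payroll Sync",
   "passwordCredentials": [{"keyId": "aaaa0001", "displayName": "portal-secret",
                            "endDateTime": "2025-01-01T00:00:00Z"}],
   "keyCredentials": []}
]"""

SERVICE_PRINCIPALS_JSON = """[
  {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "Payroll Sync",
   "servicePrincipalType": "Application",
   "passwordCredentials": [{"keyId": "bbbb0002", "displayName": "Password uploaded on Mon",
                            "endDateTime": "2026-06-01T00:00:00Z"}],
   "keyCredentials": []},
  {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Contoso SAML HR",
   "servicePrincipalType": "Application",
   "passwordCredentials": [],
   "keyCredentials": [{"keyId": "cccc0003", "displayName": "CN=Contoso SAML HR",
                       "usage": "Sign", "endDateTime": "2027-01-01T00:00:00Z"}]},
  {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "vm-identity",
   "servicePrincipalType": "ManagedIdentity",
   "passwordCredentials": [],
   "keyCredentials": [{"keyId": "dddd0004", "displayName": null,
                       "usage": "Verify", "endDateTime": "2025-03-01T00:00:00Z"}]}
]"""


def credential_ids(obj):
    """keyIds of all password and key credentials on an app or SP object."""
    ids = set()
    for field in ("passwordCredentials", "keyCredentials"):
        for cred in obj.get(field) or []:
            ids.add(cred["keyId"])
    return ids


def find_sp_only_credentials(applications, service_principals):
    """Return one finding per credential that lives on a service principal
    but has no credential with the same keyId on the matching application.

    Managed identities are skipped (their key credentials are platform
    managed). SAML signing certificates (keyCredentials with usage "Sign")
    are reported at "info" so an analyst can triage them; anything else on
    the service principal is a secret or certificate usable for client
    authentication and is reported at "high"."""
    apps_by_id = {a["appId"]: a for a in applications}
    findings = []
    for sp in service_principals:
        if sp.get("servicePrincipalType") == "ManagedIdentity":
            continue
        app = apps_by_id.get(sp["appId"])
        known = credential_ids(app) if app else set()
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind) or []:
                if cred["keyId"] in known:
                    continue
                if kind == "keyCredentials" and cred.get("usage") == "Sign":
                    severity = "info"
                else:
                    severity = "high"
                findings.append({
                    "servicePrincipal": sp["displayName"],
                    "appId": sp["appId"],
                    "keyId": cred["keyId"],
                    "kind": kind,
                    "credentialName": cred.get("displayName"),
                    "expires": cred.get("endDateTime"),
                    "localApplication": app is not None,
                    "severity": severity,
                })
    return findings


def run_sample():
    """Run the check over the constructed sample data."""
    return find_sp_only_credentials(json.loads(APPLICATIONS_JSON),
                                    json.loads(SERVICE_PRINCIPALS_JSON))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['servicePrincipal']} ({f['appId']}) "
              f"{f['kind']} keyId={f['keyId']} expires={f['expires']}")
```

Secrets created through the portal's Certificates & secrets blade are stored on the application object, so in practice any `passwordCredentials` entry on a service principal of type `Application` deserves review; the keyId comparison is kept so that certificates legitimately present on both objects are not reported twice. Service principals with no local application object (multi-tenant apps registered elsewhere) are still reported, with `localApplication` set to `False`.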

Impact

An attacker who can add credentials to an application's service principal can authenticate as that service principal and act with every permission granted to the application (its assigned roles and API permissions). This gives the attacker a persistent backdoor that is hard to detect, because credentials added to the service principal object are not shown alongside the application's own secrets in the Entra console. If the exploited application is over-privileged, the attacker may find a path to full compromise of the tenant.
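Because the credentials themselves are not visible in the console, the Entra audit log is the practical place to catch this. The script below is an added example, not part of this advisory: it correlates a user adding themselves as an application owner with a later "Add service principal credentials" event by the same user. Events are constructed in the shape of Microsoft Graph `GET /auditLogs/directoryAudits` records (fields assumed: `activityDisplayName`, `activityDateTime`, `initiatedBy.user.userPrincipalName`, and `targetResources` entries with `type`, `displayName`, `userPrincipalName`). The two activity names are taken from the audit log's ApplicationManagement category; confirm them in your own tenant before alerting on them, since the sample events are constructed and not real log output.

```python
"""Added example (not part of the advisory): detect the ownership-then-
credential chain in Microsoft Entra audit log events. Sample events below
are constructed in the shape of Graph /auditLogs/directoryAudits records."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # how long after self-ownership to keep watching

# Constructed events: backup.svc (in this story a member of the Directory
# Synchronization Accounts role) adds itself as owner of "Payroll Sync",
# then adds a secret to the service principal. An admin adding an owner for
# someone else and an unrelated credential add two days later are negatives.
AUDIT_EVENTS_JSON = """[
 {"activityDisplayName": "Add owner to application",
  "activityDateTime": "2024-05-06T09:12:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "backup.svc@contoso.example"}},
  "targetResources": [
    {"type": "User", "userPrincipalName": "backup.svc@contoso.example"},
    {"type": "Application", "displayName": "Payroll Sync"}]},
 {"activityDisplayName": "Add service principal credentials",
  "activityDateTime": "2024-05-06T09:15:30Z",
  "initiatedBy": {"user": {"userPrincipalName": "backup.svc@contoso.example"}},
  "targetResources": [
    {"type": "ServicePrincipal", "displayName": "Payroll Sync"}]},
 {"activityDisplayName": "Add owner to application",
  "activityDateTime": "2024-05-06T10:00:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [
    {"type": "User", "userPrincipalName": "dev1@contoso.example"},
    {"type": "Application", "displayName": "Helpdesk Bot"}]},
 {"activityDisplayName": "Add service principal credentials",
  "activityDateTime": "2024-05-08T11:00:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [
    {"type": "ServicePrincipal", "displayName": "Helpdesk Bot"}]}
]"""


def load_sample_events():
    """Parse the constructed sample events."""
    return json.loads(AUDIT_EVENTS_JSON)


def _when(event):
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))


def _actor(event):
    return (event.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName")


def _targets(event, rtype):
    return [t for t in event.get("targetResources", []) if t.get("type") == rtype]


def self_ownership_events(events):
    """'Add owner to application' events where the added owner is the actor."""
    out = []
    for e in events:
        if e.get("activityDisplayName") != "Add owner to application":
            continue
        actor = _actor(e)
        added = {t.get("userPrincipalName") for t in _targets(e, "User")}
        if actor and actor in added:
            out.append(e)
    return out


def detect_takeover_chains(events, window=WINDOW):
    """Pair each self-ownership event with a later 'Add service principal
    credentials' event by the same actor within `window`. sameApp is True
    when the application and service principal display names match."""
    cred_adds = [e for e in events
                 if e.get("activityDisplayName") == "Add service principal credentials"]
    chains = []
    for own in self_ownership_events(events):
        actor, t0 = _actor(own), _when(own)
        app_names = {t.get("displayName") for t in _targets(own, "Application")}
        for cred in cred_adds:
            if _actor(cred) != actor:
                continue
            dt = _when(cred) - t0
            if timedelta(0) <= dt <= window:
                sp_names = {t.get("displayName") for t in _targets(cred, "ServicePrincipal")}
                chains.append({
                    "actor": actor,
                    "application": ", ".join(sorted(n for n in app_names if n)),
                    "servicePrincipal": ", ".join(sorted(n for n in sp_names if n)),
                    "sameApp": bool(app_names & sp_names),
                    "secondsBetween": int(dt.total_seconds()),
                })
    return chains


if __name__ == "__main__":
    for chain in detect_takeover_chains(load_sample_events()):
        print(chain)
```

Matching on display name is a simplification for the example; in a real pipeline, key on the application's `appId` and the service principal's object id from `targetResources` instead, so a renamed application does not evade the correlation. A self-ownership event with no follow-up credential add is still worth a lower-severity alert on its own, since it is the precondition the advisory describes.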

References