H3-2024-0011

Microsoft Entra (AzureAD) - Over-Privileged Service Principal

Category SECURITY_CONTROLS
Base Score 5.9

Description

Entra-integrated applications require a Service Principal "account" to store and represent their permissions within a tenant. Service Principals are assigned Application Roles that govern the privileges and actions the application can exercise within the tenant. Several highly privileged Application Roles, specifically RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All, and Application.ReadWrite.All, may be overly permissive for the application's intended use.
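The check a tenant owner would want here is an inventory of which Service Principals hold the three Application Roles named above. The script below is an added example, not part of the advisory: it audits app role assignments in the shape Microsoft Graph returns from the resource service principal's appRoleAssignedTo relationship (fields appRoleId, principalId, principalDisplayName, resourceDisplayName), resolving each appRoleId through the resource's own appRoles list rather than relying on hard-coded role IDs. All GUIDs, principal names and the JSON payloads are constructed placeholders.

```python
"""Flag service principals that hold the high-risk Microsoft Graph application
permissions named in H3-2024-0011.

Added example, not the advisory's own tooling. Input is constructed inline in
the shape Graph returns for /servicePrincipals/{id}/appRoleAssignedTo on the
resource service principal. GUIDs are placeholders, not real Graph appRole IDs.
"""
import json

# Application Roles the advisory names as potentially over-privileged, with
# the reason each one can escalate to tenant-wide control.
HIGH_RISK_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory":
        "can assign directory roles, including Global Administrator, to any principal",
    "AppRoleAssignment.ReadWrite.All":
        "can grant any application permission to itself or other service principals",
    "Application.ReadWrite.All":
        "can add credentials to any application registration, including privileged ones",
}

# Constructed resource service principal (stand-in for Microsoft Graph). Its
# appRoles list is what assignments' appRoleId values refer to.
RESOURCE_SP_JSON = """
{
  "displayName": "Microsoft Graph (constructed stand-in)",
  "appRoles": [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Application.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-0000000000a3", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "00000000-0000-0000-0000-0000000000a4", "value": "AppRoleAssignment.ReadWrite.All"}
  ]
}
"""

# Constructed appRoleAssignedTo response: which client service principals hold
# which of the resource's app roles. The last entry uses an id that is absent
# from the appRoles list to exercise the unresolved-role path.
ASSIGNMENTS_JSON = """
{"value": [
  {"principalDisplayName": "ticketing-sync", "principalId": "11111111-1111-1111-1111-111111111111",
   "appRoleId": "00000000-0000-0000-0000-0000000000a1", "resourceDisplayName": "Microsoft Graph"},
  {"principalDisplayName": "ticketing-sync", "principalId": "11111111-1111-1111-1111-111111111111",
   "appRoleId": "00000000-0000-0000-0000-0000000000a2", "resourceDisplayName": "Microsoft Graph"},
  {"principalDisplayName": "hr-connector", "principalId": "22222222-2222-2222-2222-222222222222",
   "appRoleId": "00000000-0000-0000-0000-0000000000a3", "resourceDisplayName": "Microsoft Graph"},
  {"principalDisplayName": "mail-archiver", "principalId": "33333333-3333-3333-3333-333333333333",
   "appRoleId": "00000000-0000-0000-0000-0000000000ff", "resourceDisplayName": "Microsoft Graph"}
]}
"""


def build_role_lookup(resource_sp: dict) -> dict:
    """Map appRoleId -> permission name using the resource SP's appRoles list."""
    return {role["id"]: role["value"] for role in resource_sp.get("appRoles", [])}


def audit_assignments(assignments: list, role_lookup: dict) -> list:
    """Return one finding per assignment that grants a high-risk permission.

    An appRoleId that cannot be resolved is reported for manual review so a
    stale or incomplete role list does not silently hide a grant.
    """
    findings = []
    for a in assignments:
        permission = role_lookup.get(a["appRoleId"])
        if permission is None:
            findings.append({"principal": a["principalDisplayName"], "permission": None,
                             "severity": "review",
                             "reason": f"unresolved appRoleId {a['appRoleId']}"})
        elif permission in HIGH_RISK_APP_ROLES:
            findings.append({"principal": a["principalDisplayName"], "permission": permission,
                             "severity": "high", "reason": HIGH_RISK_APP_ROLES[permission]})
    return findings


def audit_sample() -> list:
    """Run the audit over the constructed data above."""
    resource_sp = json.loads(RESOURCE_SP_JSON)
    assignments = json.loads(ASSIGNMENTS_JSON)["value"]
    return audit_assignments(assignments, build_role_lookup(resource_sp))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f['severity']}] {f['principal']}: {f['permission']} - {f['reason']}")
```

Against the constructed data this reports ticketing-sync (Application.ReadWrite.All) and hr-connector (RoleManagement.ReadWrite.Directory) as high, and mail-archiver for review because its appRoleId does not resolve; a benign User.Read.All grant produces no finding. Against a live tenant the same logic would be fed the JSON from the two Graph calls named in the lead-in.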

Impact

If an attacker is able to compromise an over-privileged application or Service Principal, they may be able to gain Global Administrator privileges, leading to a full Entra account compromise.

References