H3-2026-0049
Cloud-Native Entra ID User Has Privileged Directory Role
| Field | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.5 |
Description
A cloud-native (non-hybrid) Microsoft Entra ID user holds a privileged directory role. Unlike hybrid (on-premises synced) users, cloud-native accounts exist only in the cloud, and might be overlooked during security reviews. Privileged cloud-native accounts that are compromised provide an attacker with direct access to cloud resources and the ability to escalate further within the tenant.
Impact
Compromise of a cloud-native privileged user grants an attacker the permissions associated with their directory role, which might include the ability to reset passwords, manage applications, modify group membership, control Intune devices, or alter conditional access policies.
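One way to check a tenant for this finding, added here as an example and not part of the original advisory: enumerate the activated directory roles and their direct members, and flag user members whose onPremisesSyncEnabled is null or false (Microsoft Graph reports hybrid, on-premises synced users with onPremisesSyncEnabled set to true). The input below is constructed to mirror the shape of Graph's GET /directoryRoles and GET /directoryRoles/{id}/members responses so the check runs offline; in practice you would feed it the live responses.

```python
"""Flag cloud-native (non-hybrid) Entra ID users holding a privileged directory role."""

# Constructed sample shaped like Microsoft Graph responses (not real tenant data).
# /directoryRoles lists only roles that have been activated in the tenant.
SAMPLE_ROLES = [
    {"id": "role-ga", "displayName": "Global Administrator"},
    {"id": "role-ca", "displayName": "Conditional Access Administrator"},
]
# /directoryRoles/{id}/members?$select=userPrincipalName,onPremisesSyncEnabled,accountEnabled
SAMPLE_MEMBERS = {
    "role-ga": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "hybrid.admin@example.com",
         "onPremisesSyncEnabled": True, "accountEnabled": True},
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "cloud.admin@example.com",
         "onPremisesSyncEnabled": None, "accountEnabled": True},
    ],
    "role-ca": [
        # Service principals and groups can also be role members; only users are in scope here.
        {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "automation-sp"},
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "ca.admin@example.com",
         "onPremisesSyncEnabled": False, "accountEnabled": True},
    ],
}


def is_cloud_native_user(member: dict) -> bool:
    """True for user objects that are not synced from on-premises AD.

    Graph leaves onPremisesSyncEnabled null for cloud-only users, so treat
    both null and false as cloud-native.
    """
    if member.get("@odata.type") != "#microsoft.graph.user":
        return False
    return not member.get("onPremisesSyncEnabled")


def find_cloud_native_privileged(roles: list, members_by_role: dict) -> list:
    """Return one finding per (cloud-native user, privileged role) pair.

    Note: group members appear as #microsoft.graph.group and are not expanded
    here; a full audit must also resolve role-assignable group membership.
    """
    findings = []
    for role in roles:
        for member in members_by_role.get(role["id"], []):
            if is_cloud_native_user(member):
                findings.append({"upn": member["userPrincipalName"],
                                 "role": role["displayName"],
                                 "enabled": member.get("accountEnabled")})
    return findings


if __name__ == "__main__":
    for f in find_cloud_native_privileged(SAMPLE_ROLES, SAMPLE_MEMBERS):
        print(f"{f['upn']} holds {f['role']} (enabled={f['enabled']})")
```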