Admin promotion after Role Management Application Permission Grant



This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add a Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any A

Attribute            Value
Type                 Analytic Rule
Solution             Microsoft Entra ID
ID                   f80d951a-eddc-4171-b9d0-d616bb83efdc
Severity             High
Status               Available
Kind                 Scheduled
Tactics              PrivilegeEscalation, Persistence
Techniques           T1098.003, T1078.004
Required Connectors  AzureActiveDirectory
Source               View on GitHub

Tables Used

This content item queries data from the following tables:

Table      Selection Criteria                                               Transformations  Ingestion API  Lake-Only
AuditLogs  OperationName == "Add app role assignment to service principal"  ?
