Azure AD Admin Consent Bypassed by Service Principal
A service principal in Azure Active Directory is assigning app roles without standard admin consent, potentially leading to unauthorized privilege escalation by exploiting automation to assign sensitive permissions without proper oversight.
This threat focuses on the bypass of admin consent processes in Azure Active Directory (Azure AD) by service principals. Attackers can exploit service principals to assign application roles without undergoing the standard admin consent workflow. This activity is detected via Entra ID logs, specifically monitoring the "Add app role assignment to service principal" operation. While legitimate automation use cases exist, unauthorized assignment of sensitive permissions can severely compromise the security of the Azure AD environment. The observed activity allows attackers to automate the granting of permissions, bypassing security controls and potentially leading to privilege escalation or data exfiltration. This technique is particularly relevant given the increasing reliance on service principals for automation within cloud environments.
Attack Chain
- The attacker gains control of a service principal, either through compromised credentials or a misconfigured application.
- The compromised service principal is used to interact with the Azure AD Graph API or Microsoft Graph API.
- The attacker crafts API requests to add app role assignments to other service principals or user accounts.
- The
operationNameis logged as "Add app role assignment to service principal" within the Azure AD audit logs. - The API requests specify the
roleIdandprincipalIdfor the desired permission assignment. - The attacker leverages the automation capabilities of the service principal to rapidly assign multiple roles.
- The targeted service principals or user accounts gain elevated privileges within the Azure AD environment.
- With elevated privileges, the attacker can access sensitive data, modify configurations, or create new administrative accounts.
Impact
Successful exploitation of this technique can lead to a significant compromise of the Azure AD environment. Attackers can escalate privileges, gain unauthorized access to sensitive data, and potentially disrupt business operations. The automated nature of service principal-based attacks allows for rapid and widespread privilege escalation, impacting multiple users and resources. This can lead to data breaches, financial losses, and reputational damage.
Recommendation
- Deploy the provided Sigma rule to detect instances where a service principal assigns app roles without admin consent, focusing on the
azure_monitor_aaddata source (Sigma rule). - Review and audit existing service principal configurations to identify potentially overly permissive roles and access rights.
- Implement stricter controls and monitoring for service principal activities, including logging and alerting on unusual role assignments.
- Investigate any alerts generated by the provided Sigma rule, focusing on the
src_user,user,roleId, androleValuefields to determine the scope and impact of the activity. - Filter known legitimate service principal activity in the Sigma rule to reduce false positives, based on your organization's specific automation practices.
Detection coverage 2
Azure AD Service Principal App Role Assignment
mediumDetects when a service principal assigns app roles in Azure AD, which could indicate privilege escalation.
Azure AD Add Member to Role by Service Principal
mediumDetects when a service principal adds a member to a role in Azure AD, which could indicate privilege escalation.
Detection queries are available on the platform. Get full rules →