AZ_APP_ADMIN
Summary
FSProtect ACL Alias: AZ_APP_ADMIN
Entra ID (Azure AD) Alias: Application Administrator
Affected Object Types: App registrations (Applications) and Enterprise applications (Service Principals)
Exploitation Certainty: Certain
Graph Permission / Role: Membership in the Application Administrator directory role (direct assignment or via a role-assignable group). This role can create and manage enterprise apps and app registrations. It can also grant consent for delegated permissions and application permissions, excluding Microsoft Graph.
Description
AZ_APP_ADMIN represents the ability of a principal to operate as an Application Administrator in Microsoft Entra ID. Principals holding the Application Administrator role can control tenant-resident applications.
An Application Administrator can create and manage applications in the tenant, covering both app registrations and enterprise applications (service principals). The role can also manage application proxy settings.
By controlling application objects, an attacker can:
Add credentials to applications and service principals and impersonate them.
Modify app configuration to redirect authentication flows or trust relationships.
Grant consent to permissions (within role limits) and expand what an application can do.
Assign owners or change access paths to establish persistence.
Therefore, any identity that holds the Application Administrator role can escalate privileges by taking control of application identities and their permissions.
Identification
PowerShell (Microsoft Graph)
List all members of the Application Administrator role, expanding groups to show effective members.
Azure CLI (read-only via Microsoft Graph)
Azure GUI
Open Microsoft Entra admin center -> Roles & administrators.
Search and open Application Administrator.
Open Assignments and record:
Active assignments
Eligible assignments (if PIM is enabled)
If a group is assigned:
Enumerate its transitive members (nested included).
For high-risk tenants, document:
Business owner for each assignment
Justification and expiry (if applicable)

Exploitation
An Application Administrator can take control of application identities. The primary abuse path is:
Create a new credential (client secret or certificate) for an App Registration or Service Principal
Authenticate to the tenant as the app's service principal using the new credential
Abuse whatever privileges the service principal has (delegated or application permissions)
This can be used to gain persistence and expand access. For detailed exploitation steps, see AZ_ADD_SECRET.
Additional high-impact actions:
Granting permissions through consent flows (within role limits)
Modifying application configuration that impacts authentication and access
Assigning or changing owners on application objects
Treat Application Administrator as a privileged role. Do not assign it broadly.
Mitigation
Keep Application Administrator assignments minimal.
Use PIM:
Prefer eligible assignments.
Require MFA and approvals for activation where appropriate.
Use Cloud Application Administrator if you do not need application proxy management.
Prefer custom roles with scoped application permissions where possible.
Restrict who can grant admin consent and who can manage enterprise applications.
Review application owners and credentials regularly for sensitive apps.
Detection
Monitor Entra ID audit logs for role assignment and application management actions.
Role assignment events:
"Add member to role"
"Add eligible member to role"
"Add scoped member to role"
Application change events (high risk):
Credential changes (certificates and secrets management)
Permission grants:
"Add app role assignment to the service principal"
"Add delegated permission grant"
"Consent to application"
Investigate:
Initiated by (actor)
Target resources
Time window and change ticket linkage
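The triage described above, as an added example that is not part of the original page: a small Python filter over exported Entra ID audit records (the JSON shape of Graph auditLogs/directoryAudits) that flags Application Administrator role assignments, credential changes and the listed permission-grant events, then records actor, targets, time and whether an approved change window covers the change. The sample records and the CREDENTIAL_MARKERS strings are constructed assumptions, not values from the page.

```python
import json
from datetime import datetime, timezone
# Audit-log activity names this page lists; CREDENTIAL_MARKERS are assumed activityDisplayName fragments.
ROLE_ASSIGNMENT_EVENTS = {"Add member to role", "Add eligible member to role", "Add scoped member to role"}
PERMISSION_GRANT_EVENTS = {"Add app role assignment to the service principal",
                           "Add delegated permission grant", "Consent to application"}
CREDENTIAL_MARKERS = ("certificates and secrets management", "service principal credentials")
WATCHED_ROLE = "Application Administrator"

def _actor(record):  # initiating user UPN, else the initiating app's display name
    who = record.get("initiatedBy") or {}
    return (who.get("user") or {}).get("userPrincipalName") or (who.get("app") or {}).get("displayName") or "unknown"

def _role_name(record):  # Role.DisplayName is stored JSON-encoded, e.g. '"Application Administrator"'
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop.get("newValue") or "null")
    return None

def classify(record):
    """Category for one audit record, or None when it is not one of the watched events."""
    activity = record.get("activityDisplayName", "")
    if activity in ROLE_ASSIGNMENT_EVENTS and _role_name(record) == WATCHED_ROLE:
        return "role-assignment"
    if any(marker in activity.lower() for marker in CREDENTIAL_MARKERS):
        return "credential-change"
    return "permission-grant" if activity in PERMISSION_GRANT_EVENTS else None

def triage(records, approved_windows):
    """Findings with actor, targets, time, and whether an (actor, start, end) change window covers each."""
    findings = []
    for record in records:
        category = classify(record)
        if category is None:
            continue
        when = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
        actor = _actor(record)
        findings.append({"category": category, "actor": actor, "when": when.isoformat(),
                         "targets": [t.get("displayName") for t in record.get("targetResources") or []],
                         "change_ticket": any(a == actor and s <= when <= e for a, s, e in approved_windows)})
    return findings
# Constructed sample records in the shape of Graph auditLogs/directoryAudits output, not real tenant data.
SAMPLE = [
    {"activityDisplayName": "Add member to role", "activityDateTime": "2024-05-01T10:02:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "new-user@example.com", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Application Administrator\""}]}]},
    {"activityDisplayName": "Add service principal credentials", "activityDateTime": "2024-05-01T23:40:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "new-user@example.com"}}, "targetResources": [{"displayName": "Billing Sync App"}]}]
APPROVED = [("admin@example.com", datetime(2024, 5, 1, 9, tzinfo=timezone.utc), datetime(2024, 5, 1, 12, tzinfo=timezone.utc))]
```

Running triage(SAMPLE, APPROVED) returns the role assignment as covered by the change window and the late-night credential addition by the newly assigned account as uncovered, which is the ordering of follow-up a reviewer would want.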