AZ_APP_ADMIN
Summary
FSProtect ACL Alias: AZ_APP_ADMIN
Entra ID (Azure AD) Alias: Application Administrator
Affected Object Types: App registrations (Applications) & Enterprise applications (Service Principals)
Exploitation Certainty: Certain
Graph Permission / Role: Membership in the Application Administrator directory role (direct assignment or via a role-assignable group). This role can create and manage enterprise apps and app registrations. It can also grant consent for delegated permissions and application permissions excluding Microsoft Graph.
Description
AZ_APP_ADMIN represents the ability for a principal to operate as an Application Administrator in Microsoft Entra ID.
An Application Administrator can create and manage applications in the tenant. This includes app registrations and enterprise applications. This role can manage application proxy settings.
By controlling application objects, an attacker can:
Add credentials to applications and service principals and impersonate them.
Modify app configuration to redirect authentication flows or trust relationships.
Grant consent to permissions (within role limits) and expand what an application can do.
Assign owners or change access paths to establish persistence.
Therefore, any identity that holds the Application Administrator role can escalate privileges by taking control of application identities and their permissions.
Identification
PowerShell (Microsoft Graph)
Azure CLI (read-only via Microsoft Graph)
Azure GUI
Exploitation
An Application Administrator can take control of application identities. This can be used to gain persistence and expand access.
Common high-impact actions include:
Adding new credentials (client secrets or certificates) to an application or service principal.
Granting permissions through consent flows (within role limits).
Modifying application configuration that impacts authentication and access.
Assigning or changing owners on application objects.
Treat Application Administrator as a privileged role. Do not assign it broadly.
Mitigation
Keep Application Administrator assignments minimal.
Use PIM:
Prefer eligible assignments.
Require MFA and approvals for activation where appropriate.
Use Cloud Application Administrator if you do not need application proxy management.
Prefer custom roles with scoped application permissions where possible.
Restrict who can grant admin consent and who can manage enterprise applications.
Review application owners and credentials regularly for sensitive apps.
Detection
Monitor Entra Audit logs for role assignment and application management actions.
Role assignment events:
“Add member to role”
“Add eligible member to role”
“Add scoped member to role”
Application change events (high risk):
Credential changes (certificates and secrets management)
Permission grants:
“Add app role assignment to the service principal”
“Add delegated permission grant”
“Consent to application”
Investigate:
Initiated by (actor)
Target resources
Time window and change ticket linkage
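Added example, not FSProtect's own tooling, that serves both the Identification and Detection sections: it enumerates active and PIM-eligible holders of Application Administrator (expanding role-assignable groups to their members), then pulls the last seven days of the audit activities listed above with actor and target. It assumes the Microsoft Graph PowerShell SDK and uses the built-in role's well-known template ID.

```powershell
# Added example, not FSProtect's own code. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.Governance, .Identity.DirectoryManagement, .Groups, .Reports).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','AuditLog.Read.All'

# Well-known template ID of the built-in Application Administrator role
$roleTemplateId = '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3'

# Resolve an assignment's principal; a role-assignable group is expanded to its transitive
# members, because every one of them effectively holds the role.
function Expand-Principal {
    param([string]$Id, [string]$State)
    $obj = Get-MgDirectoryObject -DirectoryObjectId $Id
    if ($obj.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
        Get-MgGroupTransitiveMember -GroupId $Id -All | ForEach-Object {
            [pscustomobject]@{ State = $State; Id = $_.Id
                               Type = $_.AdditionalProperties['@odata.type']; ViaGroup = $Id }
        }
    } else {
        [pscustomobject]@{ State = $State; Id = $Id
                           Type = $obj.AdditionalProperties['@odata.type']; ViaGroup = $null }
    }
}

# Active assignments (permanent, or PIM-activated right now)
$active = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleTemplateId'" -All |
    ForEach-Object { Expand-Principal -Id $_.PrincipalId -State 'Active' }

# PIM-eligible assignments: not active yet, but activatable, so part of the exposure as well
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$roleTemplateId'" -All |
    ForEach-Object { Expand-Principal -Id $_.PrincipalId -State 'Eligible' }

@($active) + @($eligible) | Sort-Object State, Type, Id | Format-Table -AutoSize

# Detection: audit events for the activities named in the Detection section, last 7 days
$activities = 'Add member to role', 'Add eligible member to role', 'Add scoped member to role',
              'Add app role assignment to the service principal', 'Add delegated permission grant',
              'Consent to application'
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Where-Object { $_.ActivityDisplayName -in $activities } |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{ n = 'Actor';  e = { if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName } } },
        @{ n = 'Target'; e = { ($_.TargetResources | ForEach-Object DisplayName) -join ', ' } } |
    Format-Table -AutoSize
```

Entries with a ViaGroup value show role holders who never appear as direct role members, which is where a plain "list role members" check misses assignments.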
References
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles
https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/app-perms-audit-logs
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices