# AZ\_APP\_ADMIN

## Summary

|                               |                                                                                                                                                                                                                                                                                                      |
| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_APP\_ADMIN                                                                                                                                                                                                                                                                                       |
| **Entra ID (Azure AD) Alias** | Application Administrator                                                                                                                                                                                                                                                                            |
| **Affected Object Types**     | App registrations (Applications) & Enterprise applications (Service Principals)                                                                                                                                                                                                                      |
| **Exploitation Certainty**    | Certain                                                                                                                                                                                                                                                                                              |
| **Graph Permission / Role**   | Membership in the **Application Administrator** directory role (direct assignment or via a role-assignable group). This role can create and manage enterprise apps and app registrations. It can also grant consent for delegated permissions and application permissions excluding Microsoft Graph. |

## Description

`AZ_APP_ADMIN` represents the ability for a principal to operate as an **Application Administrator** in Microsoft Entra ID. Principals with the Application Admin role can control tenant-resident apps.

An Application Administrator can create and manage applications in the tenant, covering both app registrations and enterprise applications (service principals). The role can also manage Application Proxy settings, which is what distinguishes it from Cloud Application Administrator.

By controlling application objects, an attacker can:

* Add credentials to applications and service principals and impersonate them.
* Modify app configuration to redirect authentication flows or trust relationships.
* Grant consent to permissions (within role limits) and expand what an application can do.
* Assign owners or change access paths to establish persistence.

Therefore, any identity that holds the Application Administrator role can escalate privileges by taking control of application identities and their permissions.

## Identification

### PowerShell (Microsoft Graph)

List all members of the **Application Administrator** role, expanding groups to show effective members.

```powershell
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Groups modules)
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "GroupMember.Read.All", "Directory.Read.All"

# Application Administrator role template ID (identical in every tenant)
$roleId = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"

# Get all role assignments for this role; -All follows paging so large tenants are not truncated
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$roleId'" -ExpandProperty principal

$assignments | ForEach-Object {
    $p = $_.Principal
    $type = $p.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''

    if ($type -eq 'group') {
        # Expand group members transitively (nested groups included); -All again handles paging
        Get-MgGroupTransitiveMember -GroupId $_.PrincipalId -All | ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.AdditionalProperties.displayName
                Type        = $_.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''
                Id          = $_.Id
                ViaGroup    = $p.AdditionalProperties.displayName
            }
        }
    } else {
        # Direct assignment to a user or service principal
        [pscustomobject]@{
            DisplayName = $p.AdditionalProperties.displayName
            Type        = $type
            Id          = $_.PrincipalId
            ViaGroup    = $null
        }
    }
} | Format-Table -AutoSize
```

### Azure CLI (read-only via Microsoft Graph)

```bash
# Find the Application Administrator directory role.
# Note: /directoryRoles lists only roles that have been activated in the tenant;
# a role that has never been assigned does not appear here.
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles" --query "value[?displayName=='Application Administrator']"

# List direct members of the role (replace {role-id} with the id from above).
# Groups are returned as group objects and are not expanded; enumerate their
# transitive members separately to see who actually holds the role.
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/{role-id}/members"
```
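Because the members endpoint above returns direct members only, a group that holds the role shows up as a single group object. The following is an added example (not code from the FSProtect project) that flattens such exported membership data into effective members; the `ROLE_MEMBERS` and `GROUP_MEMBERS` data are constructed to mimic the `/directoryRoles/{id}/members` and `/groups/{id}/members` responses, and include a group cycle and a principal reachable through two paths so both edge cases are handled.

```python
"""Flatten Application Administrator membership through nested groups.

Added example, not part of the FSProtect page. The data below is constructed:
ROLE_MEMBERS mimics /directoryRoles/{id}/members and GROUP_MEMBERS mimics
/groups/{id}/members for each group encountered.
"""
from typing import Dict, List

# Constructed: direct members of the role (Graph @odata.type / id / displayName shape).
ROLE_MEMBERS: List[dict] = [
    {"@odata.type": "#microsoft.graph.user", "id": "u1", "displayName": "Alice"},
    {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "App Owners"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp1", "displayName": "Deploy Bot"},
]

# Constructed: group id -> its direct members. g1 and g2 contain each other (a cycle),
# and Bob is reachable through two different paths.
GROUP_MEMBERS: Dict[str, List[dict]] = {
    "g1": [
        {"@odata.type": "#microsoft.graph.user", "id": "u2", "displayName": "Bob"},
        {"@odata.type": "#microsoft.graph.group", "id": "g2", "displayName": "Contractors"},
    ],
    "g2": [
        {"@odata.type": "#microsoft.graph.user", "id": "u3", "displayName": "Carol"},
        {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "App Owners"},
        {"@odata.type": "#microsoft.graph.user", "id": "u2", "displayName": "Bob"},
    ],
}


def odata_type(obj: dict) -> str:
    """Strip the '#microsoft.graph.' prefix so 'user', 'group', 'servicePrincipal' remain."""
    return obj.get("@odata.type", "").replace("#microsoft.graph.", "")


def effective_members(role_members: List[dict], group_members: Dict[str, List[dict]]) -> List[dict]:
    """Return one entry per non-group principal holding the role, with every
    group path that grants it ('direct' when assigned directly).

    Each group is expanded once, so a membership cycle cannot recurse forever,
    and a group missing from group_members is treated as empty.
    """
    principals: Dict[str, dict] = {}
    expanded_groups = set()

    def walk(members: List[dict], path: List[str]) -> None:
        for member in members:
            kind = odata_type(member)
            if kind == "group":
                if member["id"] in expanded_groups:
                    continue
                expanded_groups.add(member["id"])
                walk(group_members.get(member["id"], []), path + [member.get("displayName", member["id"])])
            else:
                entry = principals.setdefault(member["id"], {
                    "id": member["id"],
                    "displayName": member.get("displayName"),
                    "type": kind,
                    "paths": [],
                })
                entry["paths"].append(" > ".join(path) if path else "direct")

    walk(role_members, [])
    return sorted(principals.values(), key=lambda e: e["id"])


if __name__ == "__main__":
    for row in effective_members(ROLE_MEMBERS, GROUP_MEMBERS):
        print(f"{row['type']:<17} {row['displayName']:<10} via {', '.join(row['paths'])}")
```

Recording every path rather than only the first matters for remediation: removing Bob from "App Owners" alone would still leave him holding the role through "Contractors".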

### Azure GUI

1. Open **Microsoft Entra admin center** -> **Roles & administrators**.
2. Search and open **Application Administrator**.
3. Open **Assignments** and record:
   * **Active assignments**
   * **Eligible assignments** (if PIM is enabled)
4. If a **group** is assigned:
   * Enumerate its **transitive members** (nested included).
5. For high-risk tenants, document:
   * Business owner for each assignment
   * Justification and expiry (if applicable)

![UI Roles](/files/sdkyfa5oXCmLwhkWcHYL)

## Exploitation

An Application Administrator can take control of application identities. The primary abuse path is:

1. **Create a new credential** (client secret or certificate) for an App Registration or Service Principal
2. **Authenticate to the tenant** as the app's service principal using the new credential
3. **Abuse whatever privileges** the service principal has (delegated or application permissions)

This can be used to gain persistence and expand access. For detailed exploitation steps, see [AZ\_ADD\_SECRET](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_SECRET/README.md).

### Additional high-impact actions

* Granting permissions through consent flows (within role limits)
* Modifying application configuration that impacts authentication and access
* Assigning or changing owners on application objects

Treat Application Administrator as a privileged role. Do not assign it broadly.

## Mitigation

* Keep **Application Administrator** assignments minimal.
* Use **PIM**:
  * Prefer **eligible** assignments.
  * Require MFA and approvals for activation where appropriate.
* Use **Cloud Application Administrator** if you do not need application proxy management.
* Prefer **custom roles** with scoped application permissions where possible.
* Restrict who can grant admin consent and who can manage enterprise applications.
* Review application owners and credentials regularly for sensitive apps.

## Detection

Monitor Entra **Audit logs** for role assignment and application management actions.

* Role assignment events:
  * "Add member to role"
  * "Add eligible member to role"
  * "Add scoped member to role"
* Application change events (high risk):
  * Credential changes (certificates and secrets management)
  * Permission grants:
    * "Add app role assignment to the service principal"
    * "Add delegated permission grant"
    * "Consent to application"
* Investigate:
  * **Initiated by (actor)**
  * **Target resources**
  * Time window and change ticket linkage

![Audit UI](/files/wsG54MyuTmAbntc8qvlb)
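To make the event names above actionable against exported audit data, here is an added example (not part of the FSProtect page) that triages records in the Microsoft Graph `auditLogs/directoryAudits` JSON shape and pulls out the actor, targets and time the list asks you to investigate. The sample records are constructed and their values invented; the `Role.TemplateId` modified-property name and the exact wording of the credential-change activity are assumptions about the audit schema, which is why the credential check matches a substring rather than an exact string.

```python
"""Triage exported Entra ID audit log records for Application Administrator risk.

Added example, not part of the FSProtect page. Records follow the Graph
directoryAudit shape (activityDisplayName, initiatedBy, targetResources,
modifiedProperties); the samples are constructed. "Role.TemplateId" and the
credential-change activity wording are assumptions about the schema.
"""
import json
from typing import Any, List, Optional

APP_ADMIN_TEMPLATE_ID = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"

ROLE_ASSIGNMENT_EVENTS = {"Add member to role", "Add eligible member to role", "Add scoped member to role"}
PERMISSION_GRANT_EVENTS = {
    "Add app role assignment to the service principal",
    "Add delegated permission grant",
    "Consent to application",
}

SAMPLE_AUDIT_RECORDS: List[dict] = [
    {  # constructed: Jane added directly to Application Administrator
        "activityDateTime": "2024-05-01T09:12:00Z", "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "ga.admin@contoso.example"}},
        "targetResources": [{"displayName": "Jane Doe", "type": "User", "modifiedProperties": [
            {"displayName": "Role.DisplayName", "newValue": "\"Application Administrator\""},
            {"displayName": "Role.TemplateId", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}]}],
    },
    {  # constructed: assignment to some other role (placeholder template id); out of scope here
        "activityDateTime": "2024-05-01T09:15:00Z", "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "ga.admin@contoso.example"}},
        "targetResources": [{"displayName": "John Roe", "type": "User", "modifiedProperties": [
            {"displayName": "Role.TemplateId", "newValue": "\"00000000-0000-0000-0000-000000000000\""}]}],
    },
    {  # constructed: new secret on an app registration, added by a service principal at night
        "activityDateTime": "2024-05-01T23:41:00Z",
        "activityDisplayName": "Update application - Certificates and secrets management",
        "initiatedBy": {"app": {"displayName": "Automation SP"}},
        "targetResources": [{"displayName": "Payroll Connector", "type": "Application"}],
    },
    {  # constructed: admin consent granted to the same app
        "activityDateTime": "2024-05-02T08:03:00Z", "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "jane.doe@contoso.example"}},
        "targetResources": [{"displayName": "Payroll Connector", "type": "ServicePrincipal"}],
    },
    {  # constructed: unrelated noise that must not be flagged
        "activityDateTime": "2024-05-02T08:10:00Z", "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{"displayName": "John Roe", "type": "User"}],
    },
]


def _decode(value: Any) -> Any:
    """modifiedProperties values arrive JSON-encoded (e.g. '"abc"'); decode when possible."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def actor_of(record: dict) -> str:
    """Readable actor from initiatedBy: user UPN, else app display name, else 'unknown'."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def role_template_id(record: dict) -> Optional[str]:
    """Role template id named in the record's modifiedProperties, if any."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.TemplateId":
                return _decode(prop.get("newValue"))
    return None


def classify(record: dict) -> Optional[str]:
    """Map a record to one of the categories from the Detection section, or None."""
    activity = record.get("activityDisplayName") or ""
    if activity in ROLE_ASSIGNMENT_EVENTS:
        # Only assignments of this role matter for AZ_APP_ADMIN; other roles are out of scope here
        return "app-admin-role-assignment" if role_template_id(record) == APP_ADMIN_TEMPLATE_ID else None
    if "certificates and secrets management" in activity.lower():
        return "app-credential-change"
    if activity in PERMISSION_GRANT_EVENTS:
        return "permission-grant"
    return None


def triage(records: List[dict]) -> List[dict]:
    """Return the fields an analyst wants first: category, time, actor and targets."""
    findings = []
    for rec in records:
        category = classify(rec)
        if category is None:
            continue
        findings.append({
            "category": category,
            "time": rec.get("activityDateTime"),
            "activity": rec.get("activityDisplayName"),
            "actor": actor_of(rec),
            "targets": [t.get("displayName") or t.get("id") for t in rec.get("targetResources") or []],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_RECORDS):
        print(json.dumps(finding))
```

Filtering role assignments on the template id rather than the display name avoids false positives from similarly named custom roles; the credential change initiated by a service principal outside business hours is the kind of finding that should be linked to a change ticket before it is closed.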

## References

* [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
* [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles)
* [https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0)
* [https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications](https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications)
* [https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities)
* [https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/app-perms-audit-logs](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/app-perms-audit-logs)
* [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices)
