AZ_BUILTIN_PRIVILEGED_ROLE
Summary
FSProtect ACL Alias: AZ_BUILTIN_PRIVILEGED_ROLE
Entra ID (Azure AD) Alias: Built-in Directory Role (Privileged)
Affected Object Types: Users, Groups, Service Principals
Exploitation Certainty: Certain
Graph Permission / Role: Built-in Directory Roles with elevated permissions
Description
AZ_BUILTIN_PRIVILEGED_ROLE represents built-in directory roles in Microsoft Entra ID (Azure AD) that grant significant administrative privileges. These roles are predefined by Microsoft and cannot be modified. Compromise of an account with a privileged built-in role can lead to full tenant takeover.
Important: Many of these roles cannot be scoped to Administrative Units and always operate tenant-wide.
Tier classifications:
Tier 0 - Highest Privilege Roles (Full Tenant Control)
Tier 1 - High Privilege Roles (Significant Access)
Tier 2 - Moderate Privilege Roles (Limited but Impactful)
Tier 0 - Highest Privilege Roles (Full Tenant Control):
Global Administrator: Full control over all aspects of the tenant
Privileged Role Administrator: Can assign any role to any principal
Privileged Authentication Administrator: Can reset any user's credentials, including admins
Tier 1 - High Privilege Roles (Significant Access):
Application Administrator: Full control over all applications and service principals
Cloud Application Administrator: Manage cloud apps except App Proxy
Authentication Administrator: Can reset non-admin passwords and MFA
Helpdesk Administrator: Can reset non-admin passwords
User Administrator: Full control over non-admin users and groups
Groups Administrator: Full control over groups
Exchange Administrator: Full control over Exchange Online
SharePoint Administrator: Full control over SharePoint Online
Intune Administrator: Full control over Intune/Endpoint Manager
Azure DevOps Administrator: Full control over Azure DevOps
Hybrid Identity Administrator: Can manage Azure AD Connect and federation settings
Tier 2 - Moderate Privilege Roles (Limited but Impactful):
Security Administrator: Manage security settings and read security data
Conditional Access Administrator: Manage Conditional Access policies
Password Administrator: Reset passwords for non-admins
License Administrator: Manage license assignments
Directory Readers: Read all directory objects
Directory Writers: Modify directory objects
Identification
PowerShell
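The following is an added example, not FSProtect's own identification query. It assumes the Microsoft Graph PowerShell SDK is installed and a reader with the two scopes below; roles are matched by the display names in the tier lists above, and the Flag column is this example's own triage rule.

```powershell
# Added example, not FSProtect's code. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.Governance) and a reader with the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

# Tier lists as classified on this page, matched by role display name
$tiers = @{
    0 = @("Global Administrator","Privileged Role Administrator","Privileged Authentication Administrator")
    1 = @("Application Administrator","Cloud Application Administrator","Authentication Administrator",
          "Helpdesk Administrator","User Administrator","Groups Administrator","Exchange Administrator",
          "SharePoint Administrator","Intune Administrator","Azure DevOps Administrator",
          "Hybrid Identity Administrator")
    2 = @("Security Administrator","Conditional Access Administrator","Password Administrator",
          "License Administrator","Directory Readers","Directory Writers")
}

# Map role definition id -> name/tier for the roles above (all other roles are ignored)
$roleTier = @{}
foreach ($def in Get-MgRoleManagementDirectoryRoleDefinition -All) {
    foreach ($t in $tiers.Keys) {
        if ($tiers[$t] -contains $def.DisplayName) { $roleTier[$def.Id] = @{ Name = $def.DisplayName; Tier = $t } }
    }
}

# Active assignments (permanent or currently PIM-activated) and PIM-eligible ones,
# with the principal expanded so its object type can be read
$active   = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty Principal

$findings = foreach ($set in @(@('Active', $active), @('Eligible', $eligible))) {
    $kind = $set[0]
    foreach ($a in $set[1]) {
        if (-not $roleTier.ContainsKey($a.RoleDefinitionId)) { continue }
        $r = $roleTier[$a.RoleDefinitionId]
        $p = $a.Principal.AdditionalProperties          # '@odata.type', displayName, userPrincipalName
        $type = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
        [pscustomobject]@{
            Tier          = $r.Tier
            Role          = $r.Name
            PrincipalType = $type                       # user, group or servicePrincipal
            Principal     = $(if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] })
            Assignment    = $kind
            Scope         = $a.DirectoryScopeId         # '/' means tenant-wide
            # Review first: active Tier 0 holders and any service principal holding a privileged role
            Flag          = ($r.Tier -eq 0 -and $kind -eq 'Active') -or ($type -eq 'servicePrincipal')
        }
    }
}
$findings | Sort-Object Tier, Role | Format-Table -AutoSize
```

Eligible assignments only appear when PIM is licensed and in use; a tenant without PIM shows every privileged holder as Active.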
Exploitation
An attacker with a privileged built-in role can perform various attacks depending on the role.
Global Administrator - Full Tenant Takeover
For detailed exploitation techniques and attack scenarios, see AZ_GLOBAL_ADMIN.
Privileged Role Administrator - Role Assignment Abuse
For detailed exploitation techniques and attack scenarios, see AZ_PRIVILEGED_ROLE_ADMIN.
Privileged Authentication Administrator - Credential Reset
For detailed exploitation techniques and attack scenarios, see AZ_PRIVILEGED_AUTH_ADMIN.
Application Administrator - Application Takeover
For detailed exploitation techniques and attack scenarios, see AZ_APP_ADMIN.
Cloud Application Administrator - Cloud App Takeover
For detailed exploitation techniques and attack scenarios, see AZ_CLOUD_APP_ADMIN.
Security Administrator - Security Settings Abuse
For detailed exploitation techniques and attack scenarios, see AZ_SECURITY_ADMIN.
Mitigation
Minimize privileged role assignments:
Regularly review who has privileged roles.
Remove unnecessary assignments.
Use least privilege principles.
Implement Privileged Identity Management (PIM):
Go to Microsoft Entra ID -> Privileged Identity Management.
Make privileged role assignments eligible instead of permanent.
Require justification and approval for activation.
Enforce MFA for privileged roles:
Create Conditional Access policies requiring MFA for admin roles.
Use phishing-resistant MFA methods (FIDO2, Windows Hello).
Use break-glass accounts for Global Admin:
Limit permanent Global Administrator assignments.
Maintain emergency access accounts with strong controls.
Regular access reviews:
Go to Identity Governance -> Access Reviews.
Review privileged role assignments quarterly.
Monitor privileged role assignments:
Alert on new privileged role assignments.
Alert on changes to existing assignments.
Detection
Detect privileged role abuse in Audit logs.
Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
Add member to role
Add eligible member to role
Remove member from role
Monitor for:
New Global Administrator assignments.
Privileged role assignments to service principals.
Role assignments outside of change management windows.
Unusual admin activity patterns.
Password resets by privileged accounts.
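As an added example (not from the FSProtect page), this pulls the three audit-log activities listed above for the past week and flags the events the monitoring list calls out. It uses the Microsoft Graph PowerShell SDK; the change-management window is an assumed schedule, and the Tier 0 list is taken from this page.

```powershell
# Added example, not FSProtect's code. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports) and AuditLog.Read.All; the change window below is assumed.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$since      = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$activities = @("Add member to role","Add eligible member to role","Remove member from role")
$tier0      = @("Global Administrator","Privileged Role Administrator","Privileged Authentication Administrator")
# Assumed change-management window: Tue/Thu 18:00-22:00 UTC; replace with your own schedule
$inChangeWindow = { param([datetime]$t) ($t.DayOfWeek -in @('Tuesday','Thursday')) -and $t.Hour -ge 18 -and $t.Hour -lt 22 }

$events = foreach ($act in $activities) {
    Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq '$act' and activityDateTime ge $since"
}

$alerts = foreach ($e in $events) {
    $target = $e.TargetResources | Select-Object -First 1      # the principal that was added/removed
    # The role name travels as a JSON string in the target's modified properties
    $prop = $target.ModifiedProperties | Where-Object { $_.DisplayName -eq 'Role.DisplayName' } | Select-Object -First 1
    $roleName = $(if ($prop.NewValue) { $prop.NewValue } else { $prop.OldValue }) -replace '"', ''
    $actor = $(if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName } else { $e.InitiatedBy.App.DisplayName })

    $reasons = @()
    if ($e.ActivityDisplayName -ne 'Remove member from role' -and $tier0 -contains $roleName) { $reasons += 'Tier0Assignment' }
    if ($target.Type -eq 'ServicePrincipal') { $reasons += 'ServicePrincipalTarget' }
    if (-not (& $inChangeWindow $e.ActivityDateTime.ToUniversalTime())) { $reasons += 'OutsideChangeWindow' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time       = $e.ActivityDateTime
            Activity   = $e.ActivityDisplayName
            Role       = $roleName
            Target     = $(if ($target.UserPrincipalName) { $target.UserPrincipalName } else { $target.DisplayName })
            TargetType = $target.Type
            Actor      = $actor
            Reasons    = ($reasons -join ',')
        }
    }
}
$alerts | Sort-Object Time -Descending | Format-Table -AutoSize
```

The same three filters map directly onto an alert rule in your SIEM once the audit logs are forwarded there; the script is a portable way to run the check on demand.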
References
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48