AZ_BUILTIN_PRIVILEGED_ROLE

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

Built-in Directory Role (Privileged)

Affected Object Types

Users, Groups, Service Principals

Exploitation Certainty

Certain

Graph Permission / Role

Built-in Directory Roles with elevated permissions

Description

AZ_BUILTIN_PRIVILEGED_ROLE represents built-in directory roles in Microsoft Entra ID (Azure AD) that grant significant administrative privileges. These roles are predefined by Microsoft and cannot be modified. Compromise of an account with a privileged built-in role can lead to full tenant takeover.

Tier 0 - Highest Privilege Roles (Full Tenant Control):

Role

Risk Description

Global Administrator

Full control over all aspects of the tenant

Privileged Role Administrator

Can assign any role to any principal

Privileged Authentication Administrator

Can reset any user's credentials including admins

Tier 1 - High Privilege Roles (Significant Access):

Role

Risk Description

Application Administrator

Full control over all applications and service principals

Cloud Application Administrator

Manage cloud apps except App Proxy

Authentication Administrator

Can reset non-admin passwords and MFA

Helpdesk Administrator

Can reset non-admin passwords

User Administrator

Full control over non-admin users and groups

Groups Administrator

Full control over groups

Exchange Administrator

Full control over Exchange Online

SharePoint Administrator

Full control over SharePoint Online

Intune Administrator

Full control over Intune/Endpoint Manager

Azure DevOps Administrator

Full control over Azure DevOps

Hybrid Identity Administrator

Can manage Azure AD Connect and federation settings

Tier 2 - Moderate Privilege Roles (Limited but Impactful):

Role

Risk Description

Security Administrator

Manage security settings and read security data

Conditional Access Administrator

Manage Conditional Access policies

Password Administrator

Reset passwords for non-admins

License Administrator

Manage license assignments

Directory Readers

Read all directory objects

Directory Writers

Modify directory objects

Important: Many of these roles cannot be scoped to Administrative Units and always operate tenant-wide.

Identification

PowerShell

Find All Privileged Built-in Role Assignments

Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Define privileged role display names (IsAZPrivileged = true)
$privilegedRoleNames = @(
    "Application Administrator",
    "Application Developer",
    "Attribute Provisioning Administrator",
    "Attribute Provisioning Reader",
    "Authentication Administrator",
    "Authentication Extensibility Administrator",
    "B2C IEF Keyset Administrator",
    "Cloud Application Administrator",
    "Cloud Device Administrator",
    "Conditional Access Administrator",
    "Directory Writers",
    "Domain Name Administrator",
    "External Identity Provider Administrator",
    "Global Administrator",
    "Global Reader",
    "Helpdesk Administrator",
    "Hybrid Identity Administrator",
    "Intune Administrator",
    "Lifecycle Workflows Administrator",
    "Partner Tier1 Support",
    "Partner Tier2 Support",
    "Password Administrator",
    "Privileged Authentication Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Security Operator",
    "Security Reader",
    "User Administrator"
)

# Get all directory roles activated in the tenant
$allRoles = Get-MgDirectoryRole -All

# Filter for privileged roles
$privilegedRoles = $allRoles | Where-Object { $_.DisplayName -in $privilegedRoleNames }

Write-Host "Found $($privilegedRoles.Count) privileged roles activated in tenant"

$results = @()

foreach ($role in $privilegedRoles) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    
    foreach ($member in $members) {
        $memberType = $member.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''
        $results += [PSCustomObject]@{
            RoleName          = $role.DisplayName
            RoleId            = $role.Id
            MemberName        = $member.AdditionalProperties.displayName
            MemberId          = $member.Id
            MemberType        = $memberType
            UserPrincipalName = $member.AdditionalProperties.userPrincipalName
        }
    }
}

Write-Host "`nFound $($results.Count) privileged role assignments"
$results | Export-Csv -Path ".\PrivilegedBuiltinRoleAssignments.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table RoleName, MemberName, MemberType -AutoSize

Exploitation

An attacker with a privileged built-in role can perform various attacks depending on the role.

Global Administrator - Full Tenant Takeover

For detailed exploitation techniques and attack scenarios, see AZ_GLOBAL_ADMIN.

Privileged Role Administrator - Role Assignment Abuse

For detailed exploitation techniques and attack scenarios, see AZ_PRIVILEGED_ROLE_ADMIN.

Privileged Authentication Administrator - Credential Reset

For detailed exploitation techniques and attack scenarios, see AZ_PRIVILEGED_AUTH_ADMIN.

Application Administrator - Application Takeover

For detailed exploitation techniques and attack scenarios, see AZ_APP_ADMIN.

Cloud Application Administrator - Cloud App Takeover

For detailed exploitation techniques and attack scenarios, see AZ_CLOUD_APP_ADMIN.

Security Administrator - Security Settings Abuse

For detailed exploitation techniques and attack scenarios, see AZ_SECURITY_ADMIN.

Partner Tier2 Support - Delegated Admin Privilege Abuse

For detailed exploitation techniques and attack scenarios, see AZ_PARTNER_TIER2_SUPPORT.

Password/Helpdesk/Authentication/User Administrator - Password Reset Abuse

For detailed exploitation techniques and attack scenarios, see AZ_RESET_PASSWORD.

Mitigation

Minimize privileged role assignments:
- Regularly review who has privileged roles.
- Remove unnecessary assignments.
- Use least privilege principles.
Implement Privileged Identity Management (PIM):
- Go to Microsoft Entra ID -> Privileged Identity Management.
- Make privileged role assignments eligible instead of permanent.
- Require justification and approval for activation.
Enforce MFA for privileged roles:
- Create Conditional Access policies requiring MFA for admin roles.
- Use phishing-resistant MFA methods (FIDO2, Windows Hello).
Use break-glass accounts for Global Admin:
- Limit permanent Global Administrator assignments.
- Maintain emergency access accounts with strong controls.
Regular access reviews:
- Go to Identity Governance -> Access Reviews.
- Review privileged role assignments quarterly.
Monitor privileged role assignments:
- Alert on new privileged role assignments.
- Alert on changes to existing assignments.

Detection

Detect privileged role abuse in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add member to role
- Add eligible member to role
- Remove member from role

Monitor for:

New Global Administrator assignments.
Privileged role assignments to service principals.
Role assignments outside of change management windows.
Unusual admin activity patterns.
Password resets by privileged accounts.

References

PreviousAZ_APP_ADMIN NextAZ_CLOUD_APP_ADMIN

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagFind All Privileged Built-in Role Assignments

hashtagExploitation

hashtagGlobal Administrator - Full Tenant Takeover

hashtagPrivileged Role Administrator - Role Assignment Abuse

hashtagPrivileged Authentication Administrator - Credential Reset

hashtagApplication Administrator - Application Takeover

hashtagCloud Application Administrator - Cloud App Takeover

hashtagSecurity Administrator - Security Settings Abuse

hashtagPartner Tier2 Support - Delegated Admin Privilege Abuse

hashtagPassword/Helpdesk/Authentication/User Administrator - Password Reset Abuse

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell

Find All Privileged Built-in Role Assignments

Exploitation

Global Administrator - Full Tenant Takeover

Privileged Role Administrator - Role Assignment Abuse

Privileged Authentication Administrator - Credential Reset

Application Administrator - Application Takeover

Cloud Application Administrator - Cloud App Takeover

Security Administrator - Security Settings Abuse

Partner Tier2 Support - Delegated Admin Privilege Abuse

Password/Helpdesk/Authentication/User Administrator - Password Reset Abuse

Mitigation

Detection

References