# AZ\_BUILTIN\_PRIVILEGED\_ROLE

## Summary

|                               |                                                    |
| ----------------------------- | -------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_BUILTIN\_PRIVILEGED\_ROLE                      |
| **Entra ID (Azure AD) Alias** | Built-in Directory Role (Privileged)               |
| **Affected Object Types**     | Users, Groups, Service Principals                  |
| **Exploitation Certainty**    | Certain                                            |
| **Graph Permission / Role**   | Built-in Directory Roles with elevated permissions |

## Description

`AZ_BUILTIN_PRIVILEGED_ROLE` represents **built-in directory roles** in Microsoft Entra ID (Azure AD) that grant significant administrative privileges. These roles are predefined by Microsoft and cannot be modified. Compromise of an account with a privileged built-in role can lead to full tenant takeover.

**Tier 0 - Highest Privilege Roles (Full Tenant Control):**

| Role                                        | Risk Description                                  |
| ------------------------------------------- | ------------------------------------------------- |
| **Global Administrator**                    | Full control over all aspects of the tenant       |
| **Privileged Role Administrator**           | Can assign any role to any principal              |
| **Privileged Authentication Administrator** | Can reset any user's credentials including admins |

**Tier 1 - High Privilege Roles (Significant Access):**

| Role                                | Risk Description                                          |
| ----------------------------------- | --------------------------------------------------------- |
| **Application Administrator**       | Full control over all applications and service principals |
| **Cloud Application Administrator** | Full control over applications and service principals, except Application Proxy settings |
| **Authentication Administrator**    | Can reset non-admin passwords and MFA                     |
| **Helpdesk Administrator**          | Can reset non-admin passwords                             |
| **User Administrator**              | Full control over non-admin users and groups              |
| **Groups Administrator**            | Full control over groups                                  |
| **Exchange Administrator**          | Full control over Exchange Online                         |
| **SharePoint Administrator**        | Full control over SharePoint Online                       |
| **Intune Administrator**            | Full control over Intune/Endpoint Manager                 |
| **Azure DevOps Administrator**      | Full control over Azure DevOps                            |
| **Hybrid Identity Administrator**   | Can manage Azure AD Connect and federation settings       |

**Tier 2 - Moderate Privilege Roles (Limited but Impactful):**

| Role                                 | Risk Description                                |
| ------------------------------------ | ----------------------------------------------- |
| **Security Administrator**           | Manage security settings and read security data |
| **Conditional Access Administrator** | Manage Conditional Access policies              |
| **Password Administrator**           | Reset passwords for non-admins                  |
| **License Administrator**            | Manage license assignments                      |
| **Directory Readers**                | Read all directory objects                      |
| **Directory Writers**                | Modify directory objects                        |

**Important**: Many of these roles cannot be scoped to Administrative Units and always operate tenant-wide.

## Identification

### PowerShell

#### Find All Privileged Built-in Role Assignments

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Privileged role display names (the roles FSProtect flags as IsAZPrivileged = true)
$privilegedRoleNames = @(
    "Application Administrator",
    "Application Developer",
    "Attribute Provisioning Administrator",
    "Attribute Provisioning Reader",
    "Authentication Administrator",
    "Authentication Extensibility Administrator",
    "B2C IEF Keyset Administrator",
    "Cloud Application Administrator",
    "Cloud Device Administrator",
    "Conditional Access Administrator",
    "Directory Writers",
    "Domain Name Administrator",
    "External Identity Provider Administrator",
    "Global Administrator",
    "Global Reader",
    "Helpdesk Administrator",
    "Hybrid Identity Administrator",
    "Intune Administrator",
    "Lifecycle Workflows Administrator",
    "Partner Tier1 Support",
    "Partner Tier2 Support",
    "Password Administrator",
    "Privileged Authentication Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Security Operator",
    "Security Reader",
    "User Administrator"
)

# Get all directory roles activated in the tenant. A built-in role only appears here once
# it has been activated (assigned at least once), so never-used roles are absent by design.
$allRoles = Get-MgDirectoryRole -All

# Filter for privileged roles
$privilegedRoles = $allRoles | Where-Object { $_.DisplayName -in $privilegedRoleNames }

Write-Host "Found $($privilegedRoles.Count) privileged roles activated in tenant"

$results = @()

foreach ($role in $privilegedRoles) {
    # Returns active (permanent or currently activated) members only; PIM-eligible
    # assignments are not directoryRole members and must be enumerated separately.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    
    foreach ($member in $members) {
        $memberType = $member.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''
        $results += [PSCustomObject]@{
            RoleName          = $role.DisplayName
            RoleId            = $role.Id
            MemberName        = $member.AdditionalProperties.displayName
            MemberId          = $member.Id
            MemberType        = $memberType
            UserPrincipalName = $member.AdditionalProperties.userPrincipalName
        }
    }
}

Write-Host "`nFound $($results.Count) privileged role assignments"
$results | Export-Csv -Path ".\PrivilegedBuiltinRoleAssignments.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table RoleName, MemberName, MemberType -AutoSize
```
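The script above lists active members of activated directory roles. A complete inventory also needs PIM-eligible assignments, which are not directory role members, and should note whether each assignment is tenant-wide or scoped to an Administrative Unit. The following added example (written for this page, not FSProtect's or Microsoft's code) does that over the role-management objects Microsoft Graph returns. The endpoint names in the comments are real Graph endpoints and `isPrivileged` is Microsoft's own role-definition flag; the JSON records themselves are constructed samples trimmed to the fields used, only the Global Administrator template id is a real value, and the other ids, principal names and the function names are assumptions.

```python
"""Added example (not FSProtect's code): list privileged built-in role holders from
Microsoft Graph role-management data, including PIM-eligible assignments, which
directoryRole membership queries do not return."""

GA_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # real Global Administrator template id

# Constructed sample of GET /roleManagement/directory/roleDefinitions
# (isPrivileged is Microsoft's flag; non-GA ids below are placeholders).
ROLE_DEFINITIONS = [
    {"id": GA_TEMPLATE_ID, "displayName": "Global Administrator", "isPrivileged": True},
    {"id": "ROLEDEF-PLACEHOLDER-USERADMIN", "displayName": "User Administrator", "isPrivileged": True},
    {"id": "ROLEDEF-PLACEHOLDER-DIRREADERS", "displayName": "Directory Readers", "isPrivileged": False},
]

# Constructed sample of GET /roleManagement/directory/roleAssignments (active assignments).
# directoryScopeId "/" means tenant-wide; anything else is an Administrative Unit scope.
ACTIVE_ASSIGNMENTS = [
    {"principalId": "P-ALICE", "roleDefinitionId": GA_TEMPLATE_ID, "directoryScopeId": "/"},
    {"principalId": "P-REPORTING", "roleDefinitionId": "ROLEDEF-PLACEHOLDER-DIRREADERS", "directoryScopeId": "/"},
    {"principalId": "P-HELPDESK", "roleDefinitionId": "ROLEDEF-PLACEHOLDER-USERADMIN",
     "directoryScopeId": "/administrativeUnits/AU-PLACEHOLDER"},
]

# Constructed sample of GET /roleManagement/directory/roleEligibilityScheduleInstances (PIM eligible).
ELIGIBLE_ASSIGNMENTS = [
    {"principalId": "P-CIAPP", "roleDefinitionId": GA_TEMPLATE_ID, "directoryScopeId": "/", "memberType": "Direct"},
]

# Constructed principal lookup; in practice resolve ids with /directoryObjects/getByIds.
PRINCIPALS = {
    "P-ALICE": ("alice@contoso.example", "user"),
    "P-HELPDESK": ("helpdesk-ops", "group"),
    "P-CIAPP": ("ci-deploy-app", "servicePrincipal"),
    "P-REPORTING": ("reporting-app", "servicePrincipal"),
}


def privileged_role_holders(role_defs, active, eligible, principals):
    """Join active and eligible assignments against privileged role definitions.

    Returns one finding per assignment whose role is flagged isPrivileged, with the
    principal name/type, whether it is Active or Eligible, and the effective scope."""
    privileged = {r["id"]: r["displayName"] for r in role_defs if r.get("isPrivileged")}
    findings = []
    for kind, assignments in (("Active", active), ("Eligible", eligible)):
        for a in assignments:
            role = privileged.get(a["roleDefinitionId"])
            if role is None:
                continue  # not a privileged role, skip
            name, ptype = principals.get(a["principalId"], (a["principalId"], "unknown"))
            scope = a.get("directoryScopeId", "/")
            findings.append({
                "role": role,
                "principal": name,
                "principalType": ptype,
                "assignment": kind,
                "scope": "tenant" if scope == "/" else scope,
            })
    return findings


def service_principals_with_privileged_roles(findings):
    """Service principals holding privileged roles deserve their own review line."""
    return sorted({f["principal"] for f in findings if f["principalType"] == "servicePrincipal"})


if __name__ == "__main__":
    rows = privileged_role_holders(ROLE_DEFINITIONS, ACTIVE_ASSIGNMENTS, ELIGIBLE_ASSIGNMENTS, PRINCIPALS)
    for f in rows:
        print(f"{f['role']:<25} {f['principal']:<25} {f['principalType']:<17} {f['assignment']:<9} {f['scope']}")
    print("Service principals with privileged roles:", service_principals_with_privileged_roles(rows))
```

On the sample data the eligible Global Administrator assignment to `ci-deploy-app` shows up only because the eligibility schedule instances are included; the directory-role membership query alone would miss it.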

## Exploitation

An attacker with a privileged built-in role can perform various attacks depending on the role.

### Global Administrator - Full Tenant Takeover

For detailed exploitation techniques and attack scenarios, see [AZ\_GLOBAL\_ADMIN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_GLOBAL_ADMIN/README.md).

### Privileged Role Administrator - Role Assignment Abuse

For detailed exploitation techniques and attack scenarios, see [AZ\_PRIVILEGED\_ROLE\_ADMIN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_PRIVILEGED_ROLE_ADMIN/README.md).

### Privileged Authentication Administrator - Credential Reset

For detailed exploitation techniques and attack scenarios, see [AZ\_PRIVILEGED\_AUTH\_ADMIN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_PRIVILEGED_AUTH_ADMIN/README.md).

### Application Administrator - Application Takeover

For detailed exploitation techniques and attack scenarios, see [AZ\_APP\_ADMIN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_APP_ADMIN/README.md).

### Cloud Application Administrator - Cloud App Takeover

For detailed exploitation techniques and attack scenarios, see [AZ\_CLOUD\_APP\_ADMIN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_CLOUD_APP_ADMIN/README.md).

### Security Administrator - Security Settings Abuse

For detailed exploitation techniques and attack scenarios, see [AZ\_SECURITY\_ADMIN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_SECURITY_ADMIN/README.md).

### Partner Tier2 Support - Delegated Admin Privilege Abuse

For detailed exploitation techniques and attack scenarios, see [AZ\_PARTNER\_TIER2\_SUPPORT](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_PARTNER_TIER2_SUPPORT/README.md).

### Password/Helpdesk/Authentication/User Administrator - Password Reset Abuse

For detailed exploitation techniques and attack scenarios, see [AZ\_RESET\_PASSWORD](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_RESET_PASSWORD/README.md).

## Mitigation

* **Minimize privileged role assignments**:
  * Regularly review who has privileged roles.
  * Remove unnecessary assignments.
  * Use least privilege principles.
* **Implement Privileged Identity Management (PIM)**:
  * Go to **Microsoft Entra ID** -> **Privileged Identity Management**.
  * Make privileged role assignments eligible instead of permanent.
  * Require justification and approval for activation.
* **Enforce MFA for privileged roles**:
  * Create Conditional Access policies requiring MFA for admin roles.
  * Use phishing-resistant MFA methods (FIDO2, Windows Hello).
* **Use break-glass accounts for Global Admin**:
  * Limit permanent Global Administrator assignments.
  * Maintain emergency access accounts with strong controls.
* **Regular access reviews**:
  * Go to **Identity Governance** -> **Access Reviews**.
  * Review privileged role assignments quarterly.
* **Monitor privileged role assignments**:
  * Alert on new privileged role assignments.
  * Alert on changes to existing assignments.
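The "Enforce MFA for privileged roles" item is easy to get partly wrong: a policy that is report-only, that excludes some applications, or that accepts any MFA method rather than a phishing-resistant one leaves a gap. The following added example (written for this page, not FSProtect's or Microsoft's code) checks a set of Conditional Access policies for that. The policy shape follows what `GET /identity/conditionalAccess/policies` returns and the authentication-strength id is Microsoft's built-in phishing-resistant MFA strength; the policies themselves are constructed samples, only the Global Administrator template id is a real value, and the other role ids and the function names are assumptions. The check does not evaluate `excludeUsers`/`excludeRoles`, which would also need review in a real tenant.

```python
"""Added example (not FSProtect's code): verify that every Tier 0 role is covered by
an enabled Conditional Access policy requiring phishing-resistant MFA."""

# Microsoft's built-in authentication strength for phishing-resistant MFA.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Tier 0 role template ids; only the Global Administrator id is real, the rest are placeholders.
TIER0_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "ROLE-PLACEHOLDER-PRIV-ROLE-ADMIN": "Privileged Role Administrator",
    "ROLE-PLACEHOLDER-PRIV-AUTH-ADMIN": "Privileged Authentication Administrator",
}

# Constructed sample policies in the conditionalAccess/policies shape.
POLICIES = [
    {   # Strong: enabled, all apps, phishing-resistant strength, covers GA and PRA.
        "displayName": "Admins - phishing-resistant MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10", "ROLE-PLACEHOLDER-PRIV-ROLE-ADMIN"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    },
    {   # Weak: report-only mode enforces nothing.
        "displayName": "Admins - MFA (report-only)",
        "state": "enabledForReportingOnly",
        "conditions": {
            "users": {"includeRoles": ["ROLE-PLACEHOLDER-PRIV-AUTH-ADMIN"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Weak: any MFA method accepted, not phishing-resistant.
        "displayName": "Admins - any MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": ["ROLE-PLACEHOLDER-PRIV-AUTH-ADMIN"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

LEVEL = {"none": 0, "mfa-only": 1, "phishing-resistant": 2}


def _strength(policy):
    """Classify what the grant controls actually require."""
    grant = policy.get("grantControls") or {}
    if (grant.get("authenticationStrength") or {}).get("id") == PHISHING_RESISTANT_MFA:
        return "phishing-resistant"
    if "mfa" in (grant.get("builtInControls") or []):
        return "mfa-only"
    return "none"


def _enforced_for_all_apps(policy):
    """Only an enabled policy covering every application with no exclusions counts."""
    apps = policy.get("conditions", {}).get("applications", {})
    return (policy.get("state") == "enabled"
            and "All" in apps.get("includeApplications", [])
            and not apps.get("excludeApplications"))


def tier0_mfa_coverage(policies, tier0=TIER0_ROLE_IDS):
    """Map each Tier 0 role id to the strongest requirement an enforcing policy applies to it."""
    coverage = {rid: "none" for rid in tier0}
    for policy in policies:
        if not _enforced_for_all_apps(policy):
            continue
        strength = _strength(policy)
        for rid in policy.get("conditions", {}).get("users", {}).get("includeRoles", []):
            if rid in coverage and LEVEL[strength] > LEVEL[coverage[rid]]:
                coverage[rid] = strength
    return coverage


def tier0_gaps(policies, tier0=TIER0_ROLE_IDS):
    """Tier 0 role names that lack an enforced phishing-resistant MFA policy."""
    return sorted(tier0[rid] for rid, s in tier0_mfa_coverage(policies, tier0).items()
                  if s != "phishing-resistant")


if __name__ == "__main__":
    for rid, strength in tier0_mfa_coverage(POLICIES).items():
        print(f"{TIER0_ROLE_IDS[rid]:<42} {strength}")
    print("Gaps:", tier0_gaps(POLICIES))
```

On the sample policies the Privileged Authentication Administrator role is reported as a gap: the report-only policy enforces nothing and the enabled one accepts any MFA method.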

## Detection

Detect privileged role abuse in **Audit logs**.

* Go to **Microsoft Entra ID** -> **Audit logs**.
* Filter by activities:
  * **Add member to role**
  * **Add eligible member to role**
  * **Remove member from role**

Monitor for:

* New Global Administrator assignments.
* Privileged role assignments to service principals.
* Role assignments outside of change management windows.
* Unusual admin activity patterns.
* Password resets by privileged accounts.
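The activity names and "monitor for" items above translate directly into triage rules over exported audit-log records. The following added example (written for this page, not FSProtect's or Microsoft's code) applies those rules. The record shape follows the Graph `auditLogs/directoryAudits` fields (`activityDisplayName`, `activityDateTime`, `initiatedBy`, `targetResources` with `modifiedProperties`); the records are constructed samples, the role name being read from the first target's `Role.DisplayName` property, the change window, the `Reset user password` activity name and the function names are all assumptions to adapt to the tenant.

```python
"""Added example (not FSProtect's code): triage Entra ID audit-log records for the
role-membership and password-reset events a privileged-role monitor should flag."""
import json
from datetime import datetime, time, timezone

TIER0_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}
ROLE_CHANGE_ACTIVITIES = {"Add member to role", "Add eligible member to role", "Remove member from role"}
PASSWORD_RESET_ACTIVITIES = {"Reset user password"}  # assumed admin-reset activity name
# Assumed change-management window: weekdays, 09:00-17:00 UTC.
CHANGE_WINDOW = (time(9, 0), time(17, 0))


def _modified(target, name):
    """Decode a modifiedProperties newValue (Graph stores it as a JSON-encoded string)."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            raw = prop.get("newValue")
            try:
                return json.loads(raw)
            except (TypeError, ValueError):
                return raw
    return None


def _initiator(record):
    """Return the UPN of the initiating user, or the app name for app-initiated events."""
    init = record.get("initiatedBy") or {}
    if init.get("user"):
        return init["user"].get("userPrincipalName", "?")
    if init.get("app"):
        return "app:" + init["app"].get("displayName", "?")
    return "unknown"


def _outside_window(timestamp):
    """True when the event falls on a weekend or outside CHANGE_WINDOW (UTC)."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)
    start, end = CHANGE_WINDOW
    return dt.weekday() >= 5 or not (start <= dt.time() < end)


def triage(records, privileged_initiators):
    """Return one finding per suspicious record: (activity, target name, [reasons])."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        targets = rec.get("targetResources") or [{}]
        principal = targets[0]  # the principal added/removed/reset (assumed position)
        reasons = []
        if activity in ROLE_CHANGE_ACTIVITIES:
            role = _modified(principal, "Role.DisplayName")
            if role in TIER0_ROLES and activity != "Remove member from role":
                reasons.append(f"Tier 0 role granted: {role}")
            if principal.get("type") == "ServicePrincipal":
                reasons.append("role change targets a service principal")
            if _outside_window(rec["activityDateTime"]):
                reasons.append("role change outside change window")
        elif activity in PASSWORD_RESET_ACTIVITIES and _initiator(rec) in privileged_initiators:
            reasons.append("password reset by privileged account")
        if reasons:
            findings.append((activity, principal.get("displayName", "?"), reasons))
    return findings


def _record(activity, when, initiator_upn, target_name, target_type, role=None):
    """Build a constructed audit record in the directoryAudits shape."""
    props = []
    if role is not None:
        props.append({"displayName": "Role.DisplayName", "newValue": json.dumps(role)})
    return {
        "activityDisplayName": activity,
        "activityDateTime": when,
        "initiatedBy": {"user": {"userPrincipalName": initiator_upn}},
        "targetResources": [{"displayName": target_name, "type": target_type, "modifiedProperties": props}],
    }


# Constructed samples; 2024-06-12 is a Wednesday.
SAMPLE_RECORDS = [
    _record("Add member to role", "2024-06-12T03:14:00Z", "admin@contoso.example", "svc-backup", "User", "Global Administrator"),
    _record("Add eligible member to role", "2024-06-12T10:30:00Z", "admin@contoso.example", "ci-deploy-app", "ServicePrincipal", "Application Administrator"),
    _record("Remove member from role", "2024-06-12T11:00:00Z", "admin@contoso.example", "old-admin", "User", "Global Administrator"),
    _record("Reset user password", "2024-06-12T12:00:00Z", "helpdesk@contoso.example", "bob", "User"),
    _record("Reset user password", "2024-06-12T12:05:00Z", "hr-assistant@contoso.example", "bob", "User"),
]
PRIVILEGED_INITIATORS = {"admin@contoso.example", "helpdesk@contoso.example"}

if __name__ == "__main__":
    for activity, target, reasons in triage(SAMPLE_RECORDS, PRIVILEGED_INITIATORS):
        print(f"{activity:<28} {target:<15} {'; '.join(reasons)}")
```

The privileged-initiator set would normally be fed from the identification step above, so that a password reset is only flagged when the initiator actually holds a privileged role; an in-window removal from a role by a user produces no finding, while a 03:14 Global Administrator grant produces two reasons.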

## References

* [Microsoft Entra Built-in Roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
* [Privileged Identity Management (PIM)](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure)
* [Securing Privileged Access](https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview)
* [Best Practices for Azure AD Roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices)

