# AZ\_CLOUD\_APP\_ADMIN

## Summary

|                               |                                                                                                                                                                                                                                                                                                   |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_CLOUD\_APP\_ADMIN                                                                                                                                                                                                                                                                             |
| **Entra ID (Azure AD) Alias** | Cloud Application Administrator                                                                                                                                                                                                                                                                   |
| **Affected Object Types**     | App registrations (Applications) & Enterprise applications (Service Principals)                                                                                                                                                                                                                   |
| **Exploitation Certainty**    | Certain                                                                                                                                                                                                                                                                                           |
| **Graph Permission / Role**   | Membership in the **Cloud Application Administrator** directory role (direct assignment or via a role-assignable group). This role can manage enterprise apps and app registrations. It has the same permissions as **Application Administrator**, except it cannot manage **Application Proxy**. |

## Description

`AZ_CLOUD_APP_ADMIN` represents the ability for a principal to operate as a **Cloud Application Administrator** in Microsoft Entra ID.

A Cloud Application Administrator can create and manage applications in the tenant. This includes app registrations and enterprise applications. This role can manage application configuration and assignments.

By controlling application objects, an attacker can:

* Add credentials (client secrets or certificates) to applications and service principals and impersonate them.
* Modify application configuration that impacts authentication and access.
* Grant consent to permissions (within role limits) and expand what an application can do.
* Assign owners or change access paths to establish persistence.

Therefore, any identity that holds the Cloud Application Administrator role can escalate privileges by taking control of application identities and their permissions.

## Identification

### PowerShell (Microsoft Graph)

List all members of the **Cloud Application Administrator** role. The `roleAssignments` endpoint returns active assignments only; PIM-eligible assignments live under `roleEligibilityScheduleInstances`. If a group is assigned, expand it to identify effective users.

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$roleDefinitionId = "158c047a-c907-4556-b7ef-446551a6b5f7"
$uri = "/v1.0/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$roleDefinitionId'&`$expand=principal"

$r = Invoke-MgGraphRequest -Method GET -Uri $uri

$r.value | ForEach-Object {
  $p = $_.principal
  [PSCustomObject]@{
    PrincipalType     = $p.'@odata.type'
    DisplayName       = $p.displayName
    UserPrincipalName = $p.userPrincipalName
    AppId             = $p.appId
    ObjectId          = $_.principalId
    DirectoryScopeId  = $_.directoryScopeId
  }
} | Format-Table -AutoSize
```
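The script above lists direct principals but does not expand group assignments or include PIM-eligible holders. The following is an added example (not FSProtect's own code) that resolves the effective holders of the role: it walks every `@odata.nextLink` page, reads both active assignments and PIM-eligible schedule instances, and expands role-assignable groups through `transitiveMembers` so nested membership is covered. The role template ID is the one the page already uses; the helper names (`Get-GraphPages`, `Add-Holder`) are this example's own.

```powershell
# Added example: effective Cloud Application Administrator holders
# (active + PIM-eligible, groups expanded transitively).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$roleDefinitionId = "158c047a-c907-4556-b7ef-446551a6b5f7"   # Cloud Application Administrator template ID

function Get-GraphPages {
    # Follows @odata.nextLink so large tenants are enumerated completely.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

$rows = New-Object System.Collections.Generic.List[object]

function Add-Holder {
    param($Principal, [string]$AssignmentType, [string]$Scope, [string]$Via)
    $rows.Add([PSCustomObject]@{
        AssignmentType    = $AssignmentType      # Active, or Eligible (PIM)
        Via               = $Via                 # "Direct", or the group the holder inherits from
        PrincipalType     = $Principal.'@odata.type'
        DisplayName       = $Principal.displayName
        UserPrincipalName = $Principal.userPrincipalName
        ObjectId          = $Principal.id
        DirectoryScopeId  = $Scope               # "/" means the whole tenant
    })
}

$sources = @(
    @{ Type = 'Active';   Uri = "/v1.0/roleManagement/directory/roleAssignments" },
    @{ Type = 'Eligible'; Uri = "/v1.0/roleManagement/directory/roleEligibilityScheduleInstances" }
)

foreach ($set in $sources) {
    $uri = "$($set.Uri)?`$filter=roleDefinitionId eq '$roleDefinitionId'&`$expand=principal"
    foreach ($assignment in Get-GraphPages $uri) {
        $p = $assignment.principal
        if ($p.'@odata.type' -eq '#microsoft.graph.group') {
            # Role-assignable group: every transitive (nested) member effectively holds the role.
            foreach ($m in Get-GraphPages "/v1.0/groups/$($p.id)/transitiveMembers") {
                Add-Holder -Principal $m -AssignmentType $set.Type -Scope $assignment.directoryScopeId -Via $p.displayName
            }
        } else {
            Add-Holder -Principal $p -AssignmentType $set.Type -Scope $assignment.directoryScopeId -Via 'Direct'
        }
    }
}

$rows | Sort-Object AssignmentType, Via, DisplayName | Format-Table -AutoSize
```

Service principals and nested groups show up in the same table as users, with the `Via` column telling you which group assignment to review if a holder turns out to be unexpected.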

### Azure CLI (read-only via Microsoft Graph)

```bash
# Find the Cloud Application Administrator directory role.
# Note: /directoryRoles only lists roles that have been activated in the tenant.
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles" --query "value[?displayName=='Cloud Application Administrator']"

# List members of the role. Replace {role-id} with the "id" field from the
# previous result (the role object ID, not the roleTemplateId). Group members
# are returned as groups and must be expanded separately.
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/{role-id}/members"
```

### Azure GUI

1. Open **Microsoft Entra admin center** -> **Roles & administrators**.
2. Search and open **Cloud Application Administrator**.
3. Open **Assignments** and record:
   * **Active assignments**
   * **Eligible assignments** (if PIM is enabled)
4. If a **group** is assigned:
   * Enumerate its **transitive members** (nested included).
5. Identify which assignments are operationally required and which are legacy or unused.

![Roles UI](/files/ACxkhNI2CZylRvTQ0MbH)

## Exploitation

A Cloud Application Administrator can take control of application identities. This can be used to gain persistence and expand access.

Common high-impact actions include:

* Adding new credentials (client secrets or certificates) to an application or service principal.
* Modifying application configuration (reply URLs, certificates, claims, sign-in settings, and access assignments).
* Granting consent to permissions (within role limits).
* Assigning or changing owners on application objects.

Treat Cloud Application Administrator as a privileged role. Do not assign it broadly.

### Add Secret to Application

For detailed exploitation techniques on adding secrets to applications and service principals, see [AZ\_ADD\_SECRET](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_SECRET/README.md).

### Add Owner to Application

For detailed exploitation techniques on adding owners to applications, see [AZ\_ADD\_OWNER](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_OWNER/README.md).

## Mitigation

* Keep **Cloud Application Administrator** assignments minimal.
* Use **PIM**:
  * Prefer **eligible** assignments.
  * Require MFA and approvals for activation where appropriate.
* Prefer **custom roles** with scoped application permissions where possible.
* Minimize application owners and restrict who can manage credentials for sensitive apps.
* Restrict who can grant admin consent and who can manage enterprise applications.
* Review application credentials and permissions regularly for high-value apps.
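To make the "prefer custom roles" item concrete, here is an added example (not FSProtect's own code) that creates a custom directory role limited to credential and basic-property updates on app registrations, then assigns it with `directoryScopeId` pointing at a single application object rather than `/` (the whole tenant). The resource action names are real Entra actions; `<principal-objectId>` and `<application-objectId>` are placeholders to replace, and the role name is this example's own.

```powershell
# Added example: a scoped custom role instead of tenant-wide Cloud Application Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# 1. Define a least-privilege custom role for app registrations.
$roleBody = @{
    displayName     = "App Credential Operator (scoped)"
    description     = "Rotate credentials and edit basic properties of specific app registrations only"
    isEnabled       = $true
    rolePermissions = @(@{
        allowedResourceActions = @(
            "microsoft.directory/applications/credentials/update",
            "microsoft.directory/applications/basic/update",
            "microsoft.directory/applications/standard/read"
        )
    })
}
$role = Invoke-MgGraphRequest -Method POST -Uri "/v1.0/roleManagement/directory/roleDefinitions" -Body $roleBody

# 2. Assign it to one application object only. A directoryScopeId of "/" would
#    grant the actions on every app registration in the tenant.
$assignmentBody = @{
    principalId      = "<principal-objectId>"        # placeholder: user, group or service principal
    roleDefinitionId = $role.id
    directoryScopeId = "/<application-objectId>"     # placeholder: the app registration's object ID
}
Invoke-MgGraphRequest -Method POST -Uri "/v1.0/roleManagement/directory/roleAssignments" -Body $assignmentBody
```

Combine this with a PIM-eligible assignment where the operator only needs the role occasionally; the scoped role then limits what an activated session can touch.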

## Detection

Monitor Entra **Audit logs** for role assignment and application management actions.

* Role assignment events:
  * Add member to role
  * Add eligible member to role (PIM)
* Application change events (high risk):
  * Certificates and secrets management changes
  * Consent and permission grants
  * App role assignments added to service principals
* Investigate:
  * **Initiated by (actor)**
  * **Target resources**
  * Time window and change ticket linkage

Alert on:

* New Cloud Application Administrator assignments or activations.
* Credential changes on sensitive apps by Cloud Application Administrators.
* Consent or permission changes outside approved change windows.
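The following is an added example (not FSProtect's own code) of pulling the audit events listed above from Microsoft Graph and flagging those performed by known Cloud Application Administrator holders. The `activityDisplayName` values are the ones Entra writes to the audit log (the certificates-and-secrets entry uses an en dash). `$PrivilegedActorIds` is an assumed input: the object IDs gathered in the Identification step. The function name is this example's own.

```powershell
# Added example: query Entra audit logs for role and application-management events.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

# Audit activityDisplayName values of interest, as shown in the Entra audit log.
$activities = @(
    'Add member to role',
    'Add eligible member to role',                                 # PIM
    'Update application – Certificates and secrets management',    # en dash, as written by Entra
    'Add service principal credentials',
    'Consent to application',
    'Add app role assignment to service principal',
    'Add owner to application',
    'Add owner to service principal'
)

function Get-AppAdminAuditEvents {
    param([string[]]$PrivilegedActorIds = @(), [int]$LookbackHours = 24)

    $since  = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $clause = ($activities | ForEach-Object { "activityDisplayName eq '$_'" }) -join ' or '
    $filter = "activityDateTime ge $since and ($clause)"
    # Escape the filter value so the en dash and quotes survive in the query string.
    $uri    = "/v1.0/auditLogs/directoryAudits?`$filter=" + [uri]::EscapeDataString($filter)

    $events = @()
    while ($uri) {
        $page    = Invoke-MgGraphRequest -Method GET -Uri $uri
        $events += $page.value
        $uri     = $page.'@odata.nextLink'
    }

    foreach ($e in $events) {
        # The actor is either an interactive user or an application acting as a service principal.
        $actorId   = $e.initiatedBy.user.id
        if (-not $actorId)   { $actorId   = $e.initiatedBy.app.servicePrincipalId }
        $actorName = $e.initiatedBy.user.userPrincipalName
        if (-not $actorName) { $actorName = $e.initiatedBy.app.displayName }

        [PSCustomObject]@{
            Time            = $e.activityDateTime
            Activity        = $e.activityDisplayName
            Result          = $e.result
            Actor           = $actorName
            ActorId         = $actorId
            Targets         = ($e.targetResources | ForEach-Object { "$($_.type):$($_.displayName)" }) -join '; '
            ByCloudAppAdmin = [bool]($PrivilegedActorIds -contains $actorId)
        }
    }
}

# Usage: keep role-membership changes always, plus app changes made by known role holders.
Get-AppAdminAuditEvents -PrivilegedActorIds @('<objectId-from-identification>') -LookbackHours 72 |
    Where-Object { $_.ByCloudAppAdmin -or $_.Activity -like '*member to role*' } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Feed the `Targets` column into your change-ticket lookup: an entry for a sensitive app with no matching ticket in the window is the case the "Alert on" list describes.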

![Audit UI](/files/FgekFu3mf4vAzyE2ExJD)

## References

[https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles)

[https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)

[https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0)

[https://learn.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0)

[https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities)

[https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs)
