AZ_CUSTOM_PRIVILEGED_ROLE

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

Custom Directory Role (Privileged)

Affected Object Types

Users, Groups, Service Principals

Exploitation Certainty

Certain

Graph Permission / Role

Custom Role with elevated permissions

Description

AZ_CUSTOM_PRIVILEGED_ROLE represents a custom directory role in Microsoft Entra ID (Azure AD) that has been configured with privileged permissions. Unlike built-in roles, custom roles are created by administrators to meet specific organizational needs, but they may inadvertently include dangerous permission combinations.

Why Custom Roles Can Be Dangerous:

Permission sprawl: Custom roles may accumulate permissions over time without proper review.
Unintended privilege: Administrators may not fully understand the implications of certain permissions.
Bypass detection: Security tools may not flag custom roles as privileged.
Audit gaps: Custom roles may not be included in standard privilege reviews.

Privileged Permissions to Watch For:

Permission

Risk

microsoft.directory/users/password/update

Reset any user's password

microsoft.directory/groups/members/update

Modify group memberships

microsoft.directory/applications/credentials/update

Add credentials to apps

microsoft.directory/servicePrincipals/credentials/update

Add credentials to SPs

microsoft.directory/roleAssignments/allProperties/allTasks

Manage role assignments

microsoft.directory/users/allProperties/allTasks

Full control over users

microsoft.directory/groups/allProperties/allTasks

Full control over groups

Important: Custom roles can be scoped to Administrative Units, but dangerous permissions remain dangerous regardless of scope.

Identification

Find All Custom Roles

Find-All-Custom-Roles.ps1

Connect-AzAccount

# Get all role definitions
$uri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions"
$allRoles = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allRoles += $data.value
    $uri = $data.'@odata.nextLink'
}

# Filter for custom roles (isBuiltIn = false)
$customRoles = $allRoles | Where-Object { $_.isBuiltIn -eq $false }

Write-Host "Found $($customRoles.Count) custom roles"

$results = @()
foreach ($role in $customRoles) {
    $results += [PSCustomObject]@{
        RoleName         = $role.displayName
        RoleId           = $role.id
        Description      = $role.description
        IsEnabled        = $role.isEnabled
        PermissionCount  = $role.rolePermissions.allowedResourceActions.Count
    }
}

$results | Export-Csv -Path ".\CustomRoles.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Identify Custom Roles with Privileged Permissions

Identify-Privileged-Custom-Roles.ps1

# Define privileged permission patterns
$privilegedPatterns = @(
    "password/update",
    "credentials/update",
    "members/update",
    "allProperties/allTasks",
    "roleAssignments",
    "owners/update",
    "appRoleAssignments"
)

$privilegedCustomRoles = @()

foreach ($role in $customRoles) {
    $permissions = $role.rolePermissions.allowedResourceActions
    $dangerousPerms = @()
    
    foreach ($perm in $permissions) {
        foreach ($pattern in $privilegedPatterns) {
            if ($perm -match $pattern) {
                $dangerousPerms += $perm
            }
        }
    }
    
    if ($dangerousPerms.Count -gt 0) {
        $privilegedCustomRoles += [PSCustomObject]@{
            RoleName            = $role.displayName
            RoleId              = $role.id
            DangerousPermCount  = $dangerousPerms.Count
            DangerousPerms      = ($dangerousPerms | Select-Object -Unique) -join "; "
            AllPermissions      = $permissions -join "; "
        }
    }
}

Write-Host "`nFound $($privilegedCustomRoles.Count) custom roles with privileged permissions"
$privilegedCustomRoles | Format-Table RoleName, DangerousPermCount, DangerousPerms -Wrap

Find Members of Privileged Custom Roles

Find-Members-Privileged-Custom-Roles.ps1

# Get role assignments for privileged custom roles
$roleAssignments = @()

foreach ($role in $privilegedCustomRoles) {
    $assignUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$($role.RoleId)'"
    $assignResponse = Invoke-AzRestMethod -Uri $assignUri -Method GET
    $assignments = ($assignResponse.Content | ConvertFrom-Json).value
    
    foreach ($assignment in $assignments) {
        # Get principal details
        $principalUri = "https://graph.microsoft.com/v1.0/directoryObjects/$($assignment.principalId)"
        $principalResponse = Invoke-AzRestMethod -Uri $principalUri -Method GET
        $principal = $principalResponse.Content | ConvertFrom-Json
        
        $principalType = if ($principal.'@odata.type') { ($principal.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
        
        $roleAssignments += [PSCustomObject]@{
            RoleName         = $role.RoleName
            RoleId           = $role.RoleId
            PrincipalName    = $principal.displayName
            PrincipalId      = $assignment.principalId
            PrincipalType    = $principalType
            Scope            = $assignment.directoryScopeId
        }
    }
}

Write-Host "`nPrivileged custom role assignments:"
$roleAssignments | Export-Csv -Path ".\PrivilegedCustomRoleAssignments.csv" -NoTypeInformation -Encoding UTF8
$roleAssignments | Format-Table -AutoSize

Exploitation

An attacker with a privileged custom role can abuse the granted permissions based on what the role includes. The exploitation technique depends on which privileged permissions are assigned to the custom role.

Abuse Password Reset Permission If the custom role has microsoft.directory/users/password/update, the attacker can reset any in-scope user's password. For detailed techniques, see AZ_RESET_PASSWORD.
Abuse Group Membership Permission If the custom role has microsoft.directory/groups/members/update, the attacker can add themselves or other principals to privileged groups. For detailed techniques, see AZ_MG_ADD_MEMBER.
Abuse Application Credentials Permission If the custom role has microsoft.directory/applications/credentials/update, the attacker can add credentials to applications and authenticate as the associated service principal. For detailed techniques, see AZ_ADD_SECRET.
Abuse Service Principal Credentials Permission If the custom role has microsoft.directory/servicePrincipals/credentials/update, the attacker can add credentials directly to service principals. For detailed techniques, see AZ_ADD_SECRET.
Abuse Role Assignment Permission If the custom role has microsoft.directory/roleAssignments/allProperties/allTasks, the attacker can assign any directory role to themselves or others, including Global Administrator. For detailed techniques, see AZ_MG_GRANT_ROLE.

Mitigation

Audit all custom roles and their permissions:
- Go to Microsoft Entra ID -> Roles and administrators -> Custom roles.
- Review each custom role's permissions.
Apply least privilege: Remove unnecessary privileged permissions from custom roles.
- Avoid allProperties/allTasks permissions.
- Use specific actions instead of broad permissions.
Regular access reviews for custom role assignments:
- Go to Identity Governance -> Access Reviews.
- Review users and service principals with custom role assignments.
Document custom roles: Maintain documentation of why each custom role exists and what permissions it requires.
Use built-in roles when possible: Prefer built-in roles over custom roles to benefit from Microsoft's security guidance.
Monitor custom role changes: Alert on modifications to custom role definitions.

Detection

Detect custom role abuse in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add custom role definition
- Update custom role definition
- Add role assignment
- Activities matching the permissions in your custom roles

Monitor for:

New custom role creation with privileged permissions.
Permission additions to existing custom roles.
Role assignments to custom roles with privileged permissions.
Actions performed by users with privileged custom roles.

References

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-create
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/overview

PreviousAZ_CLOUD_APP_ADMIN NextAZ_GLOBAL_ADMIN

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagFind All Custom Roles

hashtagIdentify Custom Roles with Privileged Permissions

hashtagFind Members of Privileged Custom Roles

hashtagExploitation

hashtagMitigation

hashtagDetection

hashtagReferences