AZ_PRIVILEGED_AUTH_ADMIN
Summary
FSProtect ACL Alias: AZ_PRIVILEGED_AUTH_ADMIN
Entra ID (Azure AD) Alias: Privileged Authentication Administrator
Affected Object Types: Users and their authentication methods (MFA methods, password reset / re-register flags, Temporary Access Pass)
Exploitation Certainty: Certain
Graph Permission / Role: Membership in the Privileged Authentication Administrator directory role (direct assignment or via a role-assignable group). Similar capability can also be obtained through Microsoft Graph permissions that allow managing user authentication methods (for example UserAuthenticationMethod.ReadWrite.All).
Description
AZ_PRIVILEGED_AUTH_ADMIN represents the ability for a principal to operate as a Privileged Authentication Administrator in Microsoft Entra ID.
This role can manage authentication methods for users. It can view, set, and reset authentication method information. It is commonly used for MFA recovery and onboarding scenarios.
By using this role against a target user, an attacker can:
Reset or remove authentication methods and force re-registration for MFA.
Create a Temporary Access Pass (TAP) to bootstrap new authentication methods.
Take over accounts, including privileged accounts, by weakening or re-binding their authentication factors.
Therefore, any identity that holds the Privileged Authentication Administrator role can quickly escalate privileges by taking control of authentication methods for sensitive users.
Identification
PowerShell (Microsoft Graph)
List all members of the Privileged Authentication Administrator role. If a group is assigned, expand it to identify effective users.
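The following Microsoft Graph PowerShell script is an added example, not part of the FSProtect page. It resolves the role definition by display name (so no template GUID is hard-coded), lists both active assignments and PIM-eligible assignments, and expands any role-assignable group into its transitive members so that the effective users are visible. It assumes the Microsoft.Graph module is installed and the caller has RoleManagement.Read.Directory and Directory.Read.All consent; the helper function name Expand-Principal is the author's own.

```powershell
# Added example (not the FSProtect page's own code): enumerate effective holders of the
# Privileged Authentication Administrator role with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed and the caller can read role assignments and groups.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$roleName = "Privileged Authentication Administrator"

# Resolve the role definition by name instead of hard-coding the template GUID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role definition '$roleName' not found" }
$roleFilter = "roleDefinitionId eq '$($roleDef.Id)'"

# Active assignments: permanent assignments and currently activated PIM assignments.
$active = Get-MgRoleManagementDirectoryRoleAssignment -Filter $roleFilter -ExpandProperty principal -All

# Eligible assignments: not active right now, but the principal can activate the role via PIM.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $roleFilter -ExpandProperty principal -All

function Expand-Principal {
    # Hypothetical helper (not a Graph cmdlet): turns a principal into one row per effective user.
    param($Principal, [string]$AssignmentKind)

    $type = $Principal.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.group') {
        # Role-assignable group: every transitive member effectively holds the role.
        $groupName = $Principal.AdditionalProperties['displayName']
        Get-MgGroupTransitiveMember -GroupId $Principal.Id -All | ForEach-Object {
            $name = $_.AdditionalProperties['userPrincipalName']
            if (-not $name) { $name = $_.AdditionalProperties['displayName'] }
            [pscustomobject]@{
                Assignment = $AssignmentKind
                Via        = "group: $groupName"
                Type       = $_.AdditionalProperties['@odata.type']
                Principal  = $name
                Id         = $_.Id
            }
        }
    }
    else {
        # Direct assignment to a user or service principal.
        $name = $Principal.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $Principal.AdditionalProperties['displayName'] }
        [pscustomobject]@{
            Assignment = $AssignmentKind
            Via        = 'direct'
            Type       = $type
            Principal  = $name
            Id         = $Principal.Id
        }
    }
}

$results = @()
$results += $active   | ForEach-Object { Expand-Principal -Principal $_.Principal -AssignmentKind 'Active' }
$results += $eligible | ForEach-Object { Expand-Principal -Principal $_.Principal -AssignmentKind 'Eligible' }

# Review the list: every row is an identity that can reset or re-bind MFA for any user.
$results | Sort-Object Assignment, Principal | Format-Table -AutoSize
```

Service principals appear with type `#microsoft.graph.servicePrincipal`; they deserve the same scrutiny as users, since an application with this role can perform the same authentication-method changes without an interactive sign-in.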
Azure GUI
Exploitation
A Privileged Authentication Administrator can take control of a user’s authentication methods. This is a high-impact account takeover path.
Typical abuse patterns include:
Forcing the user to re-register for MFA and removing existing authentication methods.
Creating a Temporary Access Pass (TAP) for the user and using it to enroll new factors.
Targeting privileged users to gain administrative access.
Any identity with this role can effectively enable account takeover by manipulating authentication methods for target users.
Mitigation
Keep Privileged Authentication Administrator assignments minimal.
Use PIM:
Prefer eligible assignments instead of permanent active assignments.
Require MFA and approvals for activation where appropriate.
Apply strong protections to privileged users:
Phishing-resistant MFA for admins.
Conditional Access policies for administrative roles.
Restrict who can manage authentication methods:
Use the least-privileged role that suffices: prefer Authentication Administrator over Privileged Authentication Administrator where possible.
Monitor and review role membership regularly and remove unused assignments.
Detection
Monitor Entra ID audit logs for authentication method actions and role activity.
Alert on:
Authentication methods removed or reset for privileged users.
Temporary Access Pass created for privileged users.
“Re-register MFA” and similar recovery actions triggered unexpectedly.
New assignments or activations of Privileged Authentication Administrator (especially via PIM).
Investigate:
Initiated by (actor)
Target user
Source IP / device context if available
Change ticket correlation (if applicable)
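As an added example (not part of the FSProtect page), the script below pulls the last seven days of Entra ID audit events through Microsoft Graph PowerShell and flags the conditions listed under "Alert on": authentication method changes and Temporary Access Pass registrations against a defined set of privileged users, and new assignments or activations of the Privileged Authentication Administrator role. The privileged-user list is a constructed placeholder, and the activity-name patterns and the `Role.DisplayName` modified-property name are assumptions that should be checked against the audit activity reference linked below. It assumes the Microsoft.Graph module and AuditLog.Read.All consent.

```powershell
# Added example (not the FSProtect page's own code): triage recent Entra ID audit events for
# the alert conditions in the Detection section. Assumes Microsoft.Graph and AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Constructed placeholder: the accounts you treat as privileged (replace with your own list,
# e.g. derived from role membership).
$privilegedUpns = @('admin-a@contoso.example', 'breakglass@contoso.example')

# Activity-name patterns (assumptions; verify against the audit activity reference).
$authMethodPatterns = @('*security info*', '*temporary access pass*', 'Reset password*')
$roleAssignPatterns = @('Add member to role*', 'Add eligible member to role*')
$roleName = 'Privileged Authentication Administrator'

# OData datetime literals are unquoted in Graph filters.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All

function Test-AnyPattern {
    # Hypothetical helper: true if $Value matches any wildcard pattern in $Patterns.
    param([string]$Value, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Value -like $p) { return $true } }
    return $false
}

$findings = foreach ($e in $events) {
    # Actor: interactive user if present, otherwise the application that acted.
    $actor = $e.InitiatedBy.User.UserPrincipalName
    if (-not $actor) { $actor = $e.InitiatedBy.App.DisplayName }
    $sourceIp = $e.InitiatedBy.User.IPAddress

    # The first target resource is the affected user for both activity families.
    $target = $e.TargetResources | Select-Object -First 1
    $targetUpn = $target.UserPrincipalName

    if ((Test-AnyPattern $e.ActivityDisplayName $authMethodPatterns) -and
        ($privilegedUpns -contains $targetUpn)) {
        [pscustomobject]@{
            Time     = $e.ActivityDateTime
            Severity = 'High'
            Reason   = 'Authentication method / TAP / password change on privileged user'
            Activity = $e.ActivityDisplayName
            Actor    = $actor
            Target   = $targetUpn
            SourceIp = $sourceIp
            Result   = $e.Result
        }
    }
    elseif (Test-AnyPattern $e.ActivityDisplayName $roleAssignPatterns) {
        # Role events carry the role name in the modified properties (assumed name Role.DisplayName).
        $roleProp = $e.TargetResources.ModifiedProperties |
            Where-Object { $_.DisplayName -eq 'Role.DisplayName' -and $_.NewValue -like "*$roleName*" }
        if ($roleProp) {
            [pscustomobject]@{
                Time     = $e.ActivityDateTime
                Severity = 'High'
                Reason   = "New assignment or activation of $roleName"
                Activity = $e.ActivityDisplayName
                Actor    = $actor
                Target   = $targetUpn
                SourceIp = $sourceIp
                Result   = $e.Result
            }
        }
    }
}

# Each row gives the investigation fields above: actor, target, source IP and timestamp,
# ready to correlate with a change ticket.
$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```

Running this on a schedule and comparing each actor against the output of the identification script is a cheap way to spot a role holder who performs recovery actions on privileged accounts outside an approved change window.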
References
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/privileged-roles-permissions
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userdevicesettings
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
https://learn.microsoft.com/en-us/graph/authenticationmethods-get-started
https://learn.microsoft.com/en-us/graph/api/authentication-list-methods?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/authentication-post-temporaryaccesspassmethods?view=graph-rest-1.0
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities