AZ_PRIVILEGED_ROLE_ADMIN

Summary

FSProtect ACL Alias: AZ_PRIVILEGED_ROLE_ADMIN

Entra ID (Azure AD) Alias: Privileged Role Administrator

Affected Object Types: Directory roles, role-assignable groups, role assignments (active/eligible), PIM role settings

Exploitation Certainty: Certain

Graph Permission / Role: Membership in the Privileged Role Administrator directory role (direct assignment or via a role-assignable group). Equivalent capability can also exist through Microsoft Graph permissions that allow directory role management (for example RoleManagement.ReadWrite.Directory).


Description

AZ_PRIVILEGED_ROLE_ADMIN represents the ability for a principal to operate as a Privileged Role Administrator in Microsoft Entra ID.

A Privileged Role Administrator can manage directory roles, including creating and removing role assignments. In tenants that use PIM, the role can also manage privileged role assignment workflows and role settings.

By using this role, an attacker can:

  • Grant themselves (or a controlled identity) a privileged directory role and gain administrative access.

  • Assign privileged roles to a service principal or role-assignable group to create persistence.

  • Modify role assignment configuration and governance to reduce controls.

Therefore, any identity that holds the Privileged Role Administrator role can quickly escalate privileges by changing who has privileged roles.


Identification

PowerShell (Microsoft Graph)

List all members of the Privileged Role Administrator role. If a group is assigned, expand it to identify effective users.
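The enumeration described above, as an added example that is not code from the original page: it uses the Microsoft Graph PowerShell SDK, resolves the role by display name, lists active and PIM-eligible holders, and expands any group assignment to its transitive members. It assumes the SDK is installed and the signed-in account can read role management and directory data.

```powershell
# Added example, not code from the original page: lists every effective holder of the
# Privileged Role Administrator role (active and PIM-eligible) and expands role-assignable
# group assignments to their transitive members. Assumes the Microsoft.Graph PowerShell
# SDK is installed and the signed-in account may read role management and directory data.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

function Get-PrincipalLabel([System.Collections.IDictionary]$Props) {
    # Prefer the UPN for users; fall back to displayName for groups and service principals.
    if ($Props['userPrincipalName']) { return $Props['userPrincipalName'] }
    return $Props['displayName']
}

# Resolve the role definition by display name instead of hard-coding its template id.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Privileged Role Administrator'"
$filter = "roleDefinitionId eq '$($roleDef.Id)'"

# Active assignments and eligible (PIM) schedules live in different Graph resources.
$assignments  = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All |
    Select-Object PrincipalId, DirectoryScopeId, @{ n = 'AssignmentType'; e = { 'Active' } })
$assignments += @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All |
    Select-Object PrincipalId, DirectoryScopeId, @{ n = 'AssignmentType'; e = { 'Eligible' } })

$effective = foreach ($a in $assignments) {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    $odataType = $principal.AdditionalProperties['@odata.type']
    if ($odataType -eq '#microsoft.graph.group') {
        # Group assignment: every transitive member (nested groups included) holds the role.
        Get-MgGroupTransitiveMember -GroupId $a.PrincipalId -All | ForEach-Object {
            [pscustomobject]@{
                Principal      = Get-PrincipalLabel $_.AdditionalProperties
                ObjectType     = $_.AdditionalProperties['@odata.type']
                AssignmentType = $a.AssignmentType
                Scope          = $a.DirectoryScopeId
                Via            = "group: $(Get-PrincipalLabel $principal.AdditionalProperties)"
            }
        }
    } else {
        [pscustomobject]@{
            Principal      = Get-PrincipalLabel $principal.AdditionalProperties
            ObjectType     = $odataType
            AssignmentType = $a.AssignmentType
            Scope          = $a.DirectoryScopeId
            Via            = 'direct'
        }
    }
}

# Service principals and eligible holders deserve a second look during review.
$effective | Sort-Object AssignmentType, ObjectType, Principal | Format-Table -AutoSize
```

Rows whose ObjectType is a service principal, or whose Via column names a group, are the ones to compare against the mitigation guidance below.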

Azure GUI

1. Open Roles & administrators

Open Microsoft Entra admin center > Roles & administrators and search for Privileged Role Administrator.

2. View role assignments

Open Privileged Role Administrator and review Assignments. Record:

  • Active assignments

  • Eligible assignments (if PIM is enabled)

3. Expand group assignments

If a group is assigned, enumerate its transitive members (including nested groups) to identify effective users.

4. Review PIM settings

If PIM is used, review role settings, approval requirements, and activation requirements for privileged roles.


Exploitation

A Privileged Role Administrator can change who holds privileged roles. This is a direct privilege-escalation path.

Common abuse patterns include:

  • Assigning a privileged role to a controlled user.

  • Assigning a privileged role to a controlled service principal or managed identity.

  • Assigning a privileged role to a role-assignable group and then adding members to that group.

  • Weakening role governance by changing role settings and approval requirements (in PIM-enabled tenants).


Mitigation

  • Keep Privileged Role Administrator membership minimal.

  • Use PIM:

    • Prefer eligible assignments instead of permanent active assignments.

    • Require MFA and approvals for activation where appropriate.

  • Separate duties:

    • Do not combine role-management roles with daily operational accounts.

  • Protect role-assignable groups:

    • Strictly control membership and ownership.

    • Monitor all changes to those groups.

  • Review privileged role assignments regularly and remove unused access.


Detection

Monitor Entra ID audit logs for role management actions.

Alert on:

  • New assignments or activations of Privileged Role Administrator.

  • Any creation of role assignments for high-privilege roles.

  • Role assignment changes performed by service principals.

  • Changes to privileged role settings (in PIM environments).

When investigating, collect:

  • Initiated by (actor)

  • Target resources

  • Role name, assignment type (active/eligible), and scope

