# AZ_SECURITY_ADMIN

## Summary

| Field | Value |
| --- | --- |
| **FSProtect ACL Alias** | `AZ_SECURITY_ADMIN` |
| **Entra ID (Azure AD) Alias** | Security Administrator |
| **Affected Object Types** | Tenant security configuration (Microsoft Entra ID security settings, security alerts/incidents, Microsoft Defender portals and integrated security controls depending on licensing) |
| **Exploitation Certainty** | Certain |
| **Graph Permission / Role** | Membership in the **Security Administrator** directory role (direct assignment or via a role-assignable group). Related Microsoft Graph permissions can also provide partial security-management capability depending on the API and product integration. |

## Description

`AZ_SECURITY_ADMIN` represents the ability for a principal to operate as a **Security Administrator** in Microsoft Entra ID.

A Security Administrator can manage security-related configuration and operational security workflows. Depending on tenant configuration and product usage, this role can:

* Manage security policies and security settings within Entra and integrated Microsoft security services.
* View and manage security alerts and incidents.
* Configure and manage security notifications and operational responses.

By abusing security administration capability, an attacker can:

* Weaken security controls and reduce detection coverage.
* Hide or suppress alerts and operational signals.
* Change security configuration to enable further privilege escalation or persistence.

Therefore, any identity that holds the Security Administrator role can expand access and reduce defenses by modifying security configuration and security operations.

## Identification

### PowerShell (Microsoft Graph)

List all members of the **Security Administrator** role. If a group is assigned, expand it to identify effective users.

```powershell
# Read-only scope is enough; 194ae4cb-... is the Security Administrator role template ID
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
# -All follows paging; Type resolves to user, group or servicePrincipal (a group needs expanding)
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '194ae4cb-b126-40b2-bd5b-6091b380977d'" -ExpandProperty Principal -All |
  Select-Object PrincipalId, DirectoryScopeId,
    @{N='Type'; E={ $_.Principal.AdditionalProperties.'@odata.type'.Split('.')[-1] }},
    @{N='Name'; E={ $_.Principal.AdditionalProperties.displayName }}
```

### Azure GUI

1. Open **Microsoft Entra admin center** -> **Roles & administrators**.
2. Search and open **Security Administrator**.
3. Open **Assignments** and record:
   * **Active assignments**
   * **Eligible assignments** (if PIM is enabled)
4. If a **group** is assigned:
   * Enumerate its **transitive members** (nested included).
5. Identify whether the role is used for daily operations or only for incident response.
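The steps above (active assignments, eligible assignments, transitive group members) scripted end to end, as an added example that is not part of the original page. It assumes the Microsoft.Graph modules are installed and the caller can consent to the listed read-only scopes; `Get-PrincipalName` is a helper defined here, not a Graph cmdlet.

```powershell
# Added example: enumerate everyone who effectively holds Security Administrator,
# covering active assignments, PIM-eligible assignments and the transitive members
# of any assigned group. Assumes Microsoft.Graph (Identity.DirectoryManagement,
# Identity.Governance, Groups, DirectoryObjects) is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","GroupMember.Read.All","User.Read.All"

$roleId = '194ae4cb-b126-40b2-bd5b-6091b380977d'   # Security Administrator role template ID (as used above)
$filter = "roleDefinitionId eq '$roleId'"

function Get-PrincipalName($obj) {
    # Users carry a UPN; groups and service principals only have a display name
    $p = $obj.AdditionalProperties
    if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
}

# Active assignments (permanent, or currently activated through PIM)
$active = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All |
    ForEach-Object { [pscustomobject]@{ PrincipalId = $_.PrincipalId; Scope = $_.DirectoryScopeId; Kind = 'Active' } }
# Eligible assignments; returns nothing when PIM is not in use
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All |
    ForEach-Object { [pscustomobject]@{ PrincipalId = $_.PrincipalId; Scope = $_.DirectoryScopeId; Kind = 'Eligible' } }

$holders = foreach ($a in @($active) + @($eligible)) {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    $type = $principal.AdditionalProperties['@odata.type'].Split('.')[-1]
    if ($type -eq 'group') {
        # Expand nested membership so indirect holders are not missed
        Get-MgGroupTransitiveMember -GroupId $a.PrincipalId -All | ForEach-Object {
            [pscustomobject]@{
                Kind     = $a.Kind; Scope = $a.Scope
                Type     = $_.AdditionalProperties['@odata.type'].Split('.')[-1]
                Name     = Get-PrincipalName $_
                ViaGroup = $principal.AdditionalProperties['displayName']
            }
        }
    } else {
        [pscustomobject]@{ Kind = $a.Kind; Scope = $a.Scope; Type = $type; Name = Get-PrincipalName $principal; ViaGroup = $null }
    }
}

$holders | Sort-Object Kind, Name | Format-Table -AutoSize
```

Rows with a `ViaGroup` value are holders the role page itself does not show directly; compare the full list against who actually needs the role day to day.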

## Exploitation

A Security Administrator can reduce detection and weaken defensive controls. This is a high-impact role for security posture.

Common abuse patterns include:

* Modifying security settings and policies to reduce enforcement.
* Reducing alert visibility or changing incident/alert handling workflows.
* Using security management access to delay or disable responses during an attack.

## Mitigation

* Keep **Security Administrator** assignments minimal.
* Use **PIM**:
  * Prefer **eligible** assignments.
  * Require MFA and approvals for activation where appropriate.
* Separate duties:
  * Use dedicated security operations accounts.
  * Do not use the role for normal user accounts.
* Require change control for security configuration changes.
* Review membership regularly and remove unused access.

## Detection

Monitor Entra **Audit logs** for role changes and security configuration activity.

* Alert on:
  * New assignments or activations of **Security Administrator**.
  * Unusual security configuration changes.
  * Role changes outside change windows.
* Investigate:
  * **Initiated by (actor)**
  * **Target resources**
  * Change correlation (tickets, incident IDs)
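The alert and investigation points above turned into a query over the Entra audit log, as an added example that is not part of the original page. It assumes Microsoft.Graph.Reports is installed; the change-window hours and the approved-actor list are placeholders to replace with your own values.

```powershell
# Added example: pull the last 7 days of Entra audit events that add a member to
# Security Administrator and flag the ones made outside an approved change window
# or by an actor who is not on the approved list. Window hours and approved actors
# are placeholders, not values from the page.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$roleName     = 'Security Administrator'
$roleTemplate = '194ae4cb-b126-40b2-bd5b-6091b380977d'   # template ID used on this page
$approved     = @('secops-admin@contoso.example')         # placeholder: accounts allowed to assign the role
$windowStart, $windowEnd = 9, 17                          # placeholder: weekday change window, hours UTC

$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $since"

$findings = foreach ($e in $events) {
    # Permanent, eligible and PIM-activation additions all carry an "Add ..." activity name
    if ($e.ActivityDisplayName -notlike 'Add*') { continue }
    # The role shows up either as a target resource or inside the member's modified properties
    $touchesRole = $e.TargetResources | Where-Object {
        $_.DisplayName -eq $roleName -or
        ($_.ModifiedProperties | Where-Object { $_.NewValue -like "*$roleName*" -or $_.NewValue -like "*$roleTemplate*" })
    }
    if (-not $touchesRole) { continue }

    # Initiated by: a signed-in user or an application
    $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName } else { $e.InitiatedBy.App.DisplayName }
    $when  = $e.ActivityDateTime.ToUniversalTime()
    $inWindow = ($when.DayOfWeek -notin 'Saturday','Sunday') -and ($when.Hour -ge $windowStart) -and ($when.Hour -lt $windowEnd)
    # Target resources: the principal(s) that received the role
    $member = ($e.TargetResources | Where-Object { $_.Type -ne 'Role' } |
               ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join ', '

    $flags = @()
    if (-not $inWindow)          { $flags += 'outside-change-window' }
    if ($actor -notin $approved) { $flags += 'unapproved-actor' }
    [pscustomobject]@{
        Time     = $when.ToString('u')
        Activity = $e.ActivityDisplayName
        Actor    = $actor
        Member   = $member
        Flags    = ($flags -join ',')
    }
}

# Flagged rows are the ones to correlate with change tickets or incident IDs
$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```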

## References

* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference>
* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/directory-roles-overview>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs>
