AZ_SECURITY_ADMIN

Summary

FSProtect ACL Alias

AZ_SECURITY_ADMIN

Entra ID (Azure AD) Alias

Security Administrator

Affected Object Types

Tenant security configuration (Microsoft Entra ID security settings, security alerts/incidents, Microsoft Defender portals and integrated security controls depending on licensing)

Exploitation Certainty

Certain

Graph Permission / Role

Membership in the Security Administrator directory role (direct assignment or via a role-assignable group). Related Microsoft Graph permissions can also provide partial security-management capability depending on the API and product integration.


Description

AZ_SECURITY_ADMIN represents the ability for a principal to operate as a Security Administrator in Microsoft Entra ID.

A Security Administrator can manage security-related configuration and operational security workflows. Depending on tenant configuration and product usage, this role can:

  • Manage security policies and security settings within Entra and integrated Microsoft security services.

  • View and manage security alerts and incidents.

  • Configure and manage security notifications and operational responses.

By abusing security administration capability, an attacker can:

  • Weaken security controls and reduce detection coverage.

  • Hide or suppress alerts and operational signals.

  • Change security configuration to enable further privilege escalation or persistence.

Therefore, any identity that holds the Security Administrator role can expand access and reduce defenses by modifying security configuration and security operations.


Identification

PowerShell (Microsoft Graph)

List all members of the Security Administrator role. If a group is assigned, expand it to identify effective users.
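The following script is an added example for this page (it is not FSProtect's own tooling) showing how to do that enumeration with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the read scopes requested below; the role is resolved by display name so no template ID has to be hard-coded. Active and PIM-eligible assignments are both listed, and group assignments are expanded to their transitive (nested) members so the output shows effective users rather than group names.

```powershell
# Added example (not part of the original page): enumerate effective holders of
# the Security Administrator role with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# read role assignments, PIM eligibility schedules and group membership.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'RoleEligibilitySchedule.Read.Directory',
                        'Directory.Read.All',
                        'GroupMember.Read.All' | Out-Null

# Resolve the role definition by name instead of hard-coding its template ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
if (-not $roleDef) { throw 'Security Administrator role definition not found.' }
$roleFilter = "roleDefinitionId eq '$($roleDef.Id)'"

# Active assignments (direct or via group) and PIM-eligible assignments.
$active   = Get-MgRoleManagementDirectoryRoleAssignment -Filter $roleFilter -ExpandProperty Principal -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $roleFilter -ExpandProperty Principal -All

function Get-PrincipalName {
    # Prefer the UPN for users; fall back to displayName for groups and service principals.
    param($DirectoryObject)
    $props = $DirectoryObject.AdditionalProperties
    if ($props['userPrincipalName']) { return $props['userPrincipalName'] }
    return $props['displayName']
}

function Expand-Assignment {
    param($Assignment, [string]$Kind)
    $p    = $Assignment.Principal
    $type = $p.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.group') {
        # Expand nested groups so the report shows effective members, not the group.
        Get-MgGroupTransitiveMember -GroupId $p.Id -All | ForEach-Object {
            [pscustomobject]@{
                Assignment = $Kind
                Via        = "group: $(Get-PrincipalName $p)"
                Type       = $_.AdditionalProperties['@odata.type']
                Principal  = Get-PrincipalName $_
                Id         = $_.Id
                Scope      = $Assignment.DirectoryScopeId   # '/' means tenant-wide
            }
        }
    } else {
        [pscustomobject]@{
            Assignment = $Kind
            Via        = 'direct'
            Type       = $type
            Principal  = Get-PrincipalName $p
            Id         = $p.Id
            Scope      = $Assignment.DirectoryScopeId
        }
    }
}

$report = @($active   | ForEach-Object { Expand-Assignment $_ 'Active' }) +
          @($eligible | ForEach-Object { Expand-Assignment $_ 'Eligible' })

# Service principals holding the role deserve a closer look than users do.
$report | Sort-Object Assignment, Principal | Format-Table -AutoSize
```

Review the Type column for '#microsoft.graph.servicePrincipal' entries and the Scope column for anything other than '/', since administrative-unit-scoped assignments are easy to overlook in the portal.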

Azure GUI

1. Open Roles & administrators

   Open Microsoft Entra admin center > Roles & administrators.

2. Find Security Administrator

   Search for and open Security Administrator.

3. Review assignments

   Open Assignments and record:

     • Active assignments

     • Eligible assignments (if PIM is enabled)

4. Expand group assignments

   If a group is assigned:

     • Enumerate its transitive members (nested groups included).

5. Assess usage

   Identify whether the role is used for daily operations or only for incident response.


Exploitation

A Security Administrator can reduce detection and weaken defensive controls. This is a high-impact role for security posture.

Common abuse patterns include:

  • Modifying security settings and policies to reduce enforcement.

  • Reducing alert visibility or changing incident/alert handling workflows.

  • Using security management access to delay or disable responses during an attack.


Mitigation

  • Keep Security Administrator assignments minimal.

  • Use PIM:

    • Prefer eligible assignments.

    • Require MFA and approvals for activation where appropriate.

  • Separate duties:

    • Use dedicated security operations accounts.

    • Do not use the role for normal user accounts.

  • Require change control for security configuration changes.

  • Review membership regularly and remove unused access.


Detection

Monitor Microsoft Entra audit logs for directory role changes and security configuration activity.

  • Alert on:

    • New assignments or activations of Security Administrator.

    • Unusual security configuration changes.

    • Role changes outside change windows.

  • Investigate:

    • Initiated by (actor)

    • Target resources

    • Change correlation (tickets, incident IDs)
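As an added example (not part of the original page or FSProtect's tooling), the script below pulls recent RoleManagement audit events from Microsoft Graph, keeps only those that name the Security Administrator role, and surfaces the fields listed above: actor, target resources, and timing. It assumes the Microsoft.Graph module with the AuditLog.Read.All and Directory.Read.All scopes; the "off hours" check uses an assumed change window of 06:00 to 20:00 UTC that you should replace with your own.

```powershell
# Added example (not part of the original page): review Entra audit events that
# touched the Security Administrator role over the last N days.
# Assumes the Microsoft.Graph module with AuditLog.Read.All and Directory.Read.All.
param([int]$Days = 7)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $since"

# Assumed change window (UTC); anything outside it is flagged for review.
$windowStartHour = 6
$windowEndHour   = 20

$hits = foreach ($e in $events) {
    # Role changes name the role either as a target resource of type 'Role' or in a
    # 'Role.DisplayName' modified property on the affected principal.
    $mentionsRole = $e.TargetResources | Where-Object {
        $_.DisplayName -eq 'Security Administrator' -or
        ($_.ModifiedProperties | Where-Object {
            $_.DisplayName -eq 'Role.DisplayName' -and $_.NewValue -match 'Security Administrator' })
    }
    if (-not $mentionsRole) { continue }

    # Actor: an interactive user, an application, or unknown.
    $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
             elseif ($e.InitiatedBy.App.DisplayName)   { "app: $($e.InitiatedBy.App.DisplayName)" }
             else { 'unknown' }

    # Target: the principal(s) that gained, lost or activated the role.
    $target = ($e.TargetResources | Where-Object { $_.Type -ne 'Role' } | ForEach-Object {
                  if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join ', '

    $utc = $e.ActivityDateTime.ToUniversalTime()
    [pscustomobject]@{
        TimeUtc  = $utc
        Activity = $e.ActivityDisplayName   # e.g. 'Add member to role', 'Add eligible member to role'
        Result   = $e.Result
        Actor    = $actor
        Target   = $target
        OffHours = ($utc.Hour -lt $windowStartHour) -or ($utc.Hour -ge $windowEndHour)
        AuditId  = $e.Id                    # keep for correlation with tickets / incident IDs
    }
}

$hits | Sort-Object TimeUtc -Descending | Format-Table -AutoSize
```

Every row that is not matched by a change ticket or an open incident is a candidate for follow-up; rows with OffHours set or an application actor are the ones to look at first.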

