This edge is created during post-processing. It is created against all AzureAD admin roles when a Service Principal has the following MS Graph app role assignment:
This privilege allows the Service Principal to promote itself or any other principal to any AzureAD admin role, including Global Administrator.
To abuse this privilege, you can promote a principal you control to Global Administrator using BARK’s New-AzureADRoleAssignment. This function requires you to supply an MS Graph-scoped JWT associated with the Service Principal that has the privilege to grant AzureAD admin roles. There are several ways to acquire a JWT. For example, you may use BARK’s Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT by supplying a Service Principal Client ID and secret:
```powershell
# Acquire an MS Graph-scoped JWT for the Service Principal with BARK.
# -TenantName takes the tenant's domain name; the value below is a placeholder.
$MGToken = Get-MSGraphTokenWithClientCredentials `
    -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `
    -ClientSecret "asdf..." `
    -TenantName "<tenant-name>.onmicrosoft.com"
```
Then use BARK’s New-AzureADRoleAssignment function to grant the AzureAD role to your target principal:
```powershell
# Grant the role to the target principal; -Token is the JWT acquired above.
New-AzureADRoleAssignment `
    -PrincipalID "6b6f9289-fe92-4930-a331-9575e0a4c1d8" `
    -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `
    -Token $MGToken
```
If successful, the output will include the principal ID, the role ID, and a unique ID for the role assignment.
When you assign an AzureAD admin role to a principal using this privilege, the Azure AD audit log records an event called “Add member to role outside of PIM (permanent)”.
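To turn that audit event into a detection, the following added example (not part of the original page or of BARK) scans directoryAudit-style records for permanent role assignments initiated by an application rather than a signed-in user, and rates a grant of the Global Administrator template ID quoted above as critical. The sample records are constructed; the field names follow the MS Graph directoryAudit schema, and the assumption that the "Role.TemplateId" modified property carries a JSON-encoded string is labelled in the code.

```python
import json

# Audit event name the page says Azure AD writes for this abuse path.
ROLE_ASSIGNED_OUTSIDE_PIM = "Add member to role outside of PIM (permanent)"
# Global Administrator role template ID, taken from the page's example.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample records shaped like MS Graph directoryAudit entries.
# evt-1: app-initiated grant of Global Administrator (the edge described above).
# evt-2: the same event name, but initiated by a user, so it is not flagged here.
SAMPLE_AUDIT_LOG = json.dumps([
    {"id": "evt-1", "activityDisplayName": ROLE_ASSIGNED_OUTSIDE_PIM,
     "initiatedBy": {"app": {"appId": "34c7f844-b6d7-47f3-b1b8-720e0ecba49c",
                             "displayName": "AutomationApp"}, "user": None},
     "targetResources": [{"id": "6b6f9289-fe92-4930-a331-9575e0a4c1d8",
                          "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "Role.TemplateId",
                                                  "newValue": json.dumps(GLOBAL_ADMIN_TEMPLATE_ID)}]}]},
    {"id": "evt-2", "activityDisplayName": ROLE_ASSIGNED_OUTSIDE_PIM,
     "initiatedBy": {"app": None, "user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"id": "user-1", "type": "User",
                          "modifiedProperties": [{"displayName": "Role.TemplateId",
                                                  "newValue": json.dumps("constructed-other-role-id")}]}]},
])

def role_template_id(target):
    """Assumption: modifiedProperties carry the role template ID as a JSON-encoded string."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.TemplateId":
            return json.loads(prop.get("newValue") or "null")
    return None

def find_app_role_grants(audit_log_json):
    """Return one alert per target of a permanent role assignment that an
    application (service principal) initiated, i.e. a RoleManagement-privileged app
    handing out directory roles outside PIM."""
    alerts = []
    for event in json.loads(audit_log_json):
        if event.get("activityDisplayName") != ROLE_ASSIGNED_OUTSIDE_PIM:
            continue
        app = (event.get("initiatedBy") or {}).get("app")
        if not app:
            continue  # user-initiated: route to normal admin-change review instead
        for target in event.get("targetResources", []):
            tid = role_template_id(target)
            alerts.append({"event_id": event["id"], "actor_app_id": app.get("appId"),
                           "target_id": target.get("id"), "role_template_id": tid,
                           "severity": "critical" if tid == GLOBAL_ADMIN_TEMPLATE_ID else "high"})
    return alerts
```

Feed it the JSON returned by the directoryAudits endpoint (or an export of the same records) to surface app-initiated role grants for review.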