This edge is created during post-processing. It is created against all App Registrations and Service Principals within the same tenant when an Azure principal has one of the following Entra ID roles:
- Hybrid Identity Administrator
- Partner Tier1 Support
- Partner Tier2 Support
- Directory Synchronization Accounts
You will not see these privileges when auditing permissions on any of the mentioned objects with Microsoft tooling, including the Azure portal or any API.
Abuse Info
You can use BARK to add a new owner to the target object. The BARK function you use will depend on the target object type, but all of the functions follow a similar syntax.
These functions require you to supply an MS Graph-scoped JWT associated with the principal that has the privilege to add a new owner to your target object. There are several ways to acquire a JWT. For example, you may use BARK’s Get-GraphTokenWithRefreshToken to acquire an MS Graph-scoped JWT by supplying a refresh token:
$MGToken = Get-GraphTokenWithRefreshToken `
-RefreshToken "0.ARwA6WgJJ9X2qk..." `
-TenantID "contoso.onmicrosoft.com"
To add a new owner to a Service Principal, use BARK’s New-ServicePrincipalOwner function:
New-ServicePrincipalOwner `
-ServicePrincipalObjectId "082cf9b3-24e2-427b-bcde-88ffdccb5fad" `
-NewOwnerObjectId "cea271c4-7b01-4f57-932d-99d752bbbc60" `
-Token $MGToken
To add a new owner to an App Registration, use BARK’s New-AppOwner function:
New-AppOwner `
-AppObjectId "52114a0d-fa5b-4ee5-9a29-2ba048d46eee" `
-NewOwnerObjectId "cea271c4-7b01-4f57-932d-99d752bbbc60" `
-Token $MGToken
Opsec Considerations
Any time you add an owner to any Azure object, the AzureAD audit logs will record an event that shows who added an owner, which object was modified, and the identity of the new owner.
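Because the underlying privilege is invisible in Microsoft tooling, the audit log event described above is the practical detection point. The following is an added example (not BloodHound or BARK code) that extracts the actor, object type and targets from owner-addition events; it assumes the Microsoft Graph directoryAudits field layout, and the records it parses are constructed sample input.

```python
"""Find owner additions to App Registrations / Service Principals in Entra ID audit data.

Added example (not BloodHound or BARK code). Assumes the Microsoft Graph directoryAudits
field layout; SAMPLE_AUDIT_LOG is constructed input, not a real tenant's log."""
import json

# Activity names Entra ID logs for the two owner additions described on this page.
OWNER_ADD_ACTIVITIES = {
    "Add owner to application": "App Registration",
    "Add owner to service principal": "Service Principal",
}

# Constructed audit entries; object IDs reuse the placeholder IDs from the page's BARK examples.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Add owner to service principal",
     "activityDateTime": "2024-01-01T12:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "sync-admin@contoso.onmicrosoft.com"}},
     "targetResources": [
         {"type": "ServicePrincipal", "id": "082cf9b3-24e2-427b-bcde-88ffdccb5fad", "displayName": "Billing API"},
         {"type": "User", "id": "cea271c4-7b01-4f57-932d-99d752bbbc60", "displayName": "New Owner"}]},
    {"activityDisplayName": "Update application",
     "activityDateTime": "2024-01-01T12:05:00Z",
     "initiatedBy": {"app": {"displayName": "Deployment Pipeline"}},
     "targetResources": [{"type": "Application", "id": "52114a0d-fa5b-4ee5-9a29-2ba048d46eee", "displayName": "Portal"}]},
])


def actor_of(record: dict) -> str:
    """Audit entries are initiated either by a user (UPN) or by an application (display name)."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "<unknown user>")
    if who.get("app"):
        return who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def owner_additions(audit_json: str) -> list:
    """One finding per owner-addition event: who acted, on which object type, and every
    target the entry names (the modified object and the newly added owner)."""
    findings = []
    for rec in json.loads(audit_json):
        object_type = OWNER_ADD_ACTIVITIES.get(rec.get("activityDisplayName"))
        if object_type is None:
            continue  # not one of the two events this edge produces
        findings.append({
            "time": rec.get("activityDateTime"),
            "actor": actor_of(rec),
            "object_type": object_type,
            "targets": [(t.get("type"), t.get("displayName"), t.get("id"))
                        for t in rec.get("targetResources", [])],
        })
    return findings


if __name__ == "__main__":
    for f in owner_additions(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['actor']} added an owner to a {f['object_type']}: {f['targets']}")
```

Feed it the JSON array returned by the Graph directoryAudits endpoint (or exported from the portal) in place of the constructed sample; actors that hold the four roles listed at the top of this page but are not expected to manage application ownership deserve a closer look.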
References
- https://attack.mitre.org/techniques/T1098/
- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
- https://github.com/BloodHoundAD/BARK