TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Quarkslab

Auditing Application Permissions in Microsoft Entra ID: Hidden Risks, Pitfalls, and Quarkslab's QAZPT Tool

Sébastien Rolland · 6 days ago

ATT&CK techniques detected

17 predictions
T1525 Implant Internal Image
89%
“…in their tenant based on the AppRegistration. Permissions. One of the biggest challenges when dealing with Azure applications is understanding their permissions model, which not many people actually know about, or that some think they know about but do not really understand. This…”
T1525 Implant Internal Image
74%
“…00000000-0000-0000-0000-000000000008 --[federated_identity]--> ManagedIdentityServicePrincipal/test_managed_identity_1/00000000-0000-0000-0000-000000000009 --[federated_identity]--> AppRegistration/another_app/00000000-0000-00…”
T1525 Implant Internal Image
74%
“…through the service principal for both applications and users/groups. Below is the assignment of the MyCustomScopeRole.Read.All app role to a user from the service principal: Delegated/OAuth2 scope permissions. These are permissions that applications can be granted on behal…”
T1525 Implant Internal Image
67%
“…the list of Entra ID roles and Graph application roles treated as privilege escalation paths is not exhaustive, and covers mainly the most commonly seen ones in assessments. Conclusion. Auditing application permissions in Microsoft Entra ID is hard, and most of the difficulty come…”
T1525 Implant Internal Image
62%
“…it to fully manage a resource with a managed identity attached (such as a virtual machine or an Azure web app) can indirectly obtain an access token for that managed identity and impersonate it to access any resource or API the associated service principal has permissions for.…”
T1525 Implant Internal Image
59%
“…so on. The portal, of course, does not surface these chains in a single view. - ServicePrincipal of an AppRegistration. Whoever controls an AppRegistration, through ownership or by obtaining its credentials, effectively controls the corresponding service principal and all the per…”
T1528 Steal Application Access Token
55%
“…a token for managed identity A can impersonate the application and exercise those permissions. An Azure VM with a system-assigned managed identity is a common example. Compromising that VM is enough; no credential to extract, nothing to rotate. The same scenario can occur wit…”
T1525 Implant Internal Image
47%
“…a token for managed identity A can impersonate the application and exercise those permissions. An Azure VM with a system-assigned managed identity is a common example. Compromising that VM is enough; no credential to extract, nothing to rotate. The same scenario can occur wit…”
T1525 Implant Internal Image
44%
“Auditing Application Permissions in Microsoft Entra ID: Hidden Risks, Pitfalls, and Quarkslab's QAZPT Tool. Introduction. If you work in security, development, or cloud architecture, and your organization uses Microsoft Azure or Microsoft 365, there is a high chance you have alr…”
T1525 Implant Internal Image
41%
“…/azureadtokenexchange"], "issuer": "https://login.microsoftonline.com/<tenant_id>/v2.0", "subject": "<id_of_managed_identity>"}}' The credentials matrix as a summary. In order to summarize the different types of credentials, their creation me…”
T1525 Implant Internal Image
40%
“…irection URI, and settings. It also includes the permissions the application will expose or require. As this part is of course a bit more complicated than that, we will detail it in the next section. Even though the AppRegistration is a template object, credentials for authenti…”
T1098 Account Manipulation
39%
“…chain, user A effectively controls everything a Global Administrator can control. - Microsoft Graph application roles. Some Microsoft Graph application roles are as dangerous as, or more dangerous than, Entra ID administrative roles, and considerably easier to overlook. RoleManag…”
T1525 Implant Internal Image
38%
“…each entity, and the most complete view possible of how permissions propagate through a tenant. It covers most of the inheritance paths described above (ownership, service principal of an AppRegistration, federated identity credentials, privileged Entra ID roles, and privileged…”
T1078.004 Cloud Accounts
36%
“…attack is still current and relevant, something that most people do not know is that the consent prompt does not always concern delegated permissions only. Application permissions can also be targeted in this way. If we take our earlier example of the AppRegistration with the use…”
T1098.001 Additional Cloud Credentials
36%
“…chain, user A effectively controls everything a Global Administrator can control. - Microsoft Graph application roles. Some Microsoft Graph application roles are as dangerous as, or more dangerous than, Entra ID administrative roles, and considerably easier to overlook. RoleManag…”
T1525 Implant Internal Image
31%
“…effectively reachable through inheritance is where most of the practical risk lives, and it is also where existing tooling tends to stop short. This post is structured in three parts: Azure applications: definition, permissions, and hidden complexities is a deep dive into how a…”
T1525 Implant Internal Image
31%
“…a screenshot of an AppRegistration configured and allowed to request the delegated permission email from the application Microsoft Graph for users that will use it: unlike application permissions, which are granted to the service principal once admin consent is given, delegated…”

Summary

This blog post explores Entra ID applications and the complexities of auditing application permissions in Microsoft Entra ID, highlighting hidden risks and pitfalls. It introduces Quarkslab's QAZPT tool, designed to compute and visualize effective permissions in an Entra ID tenant, giving a full picture of permissions and the inheritance paths through which they propagate.