AZHasRole
This edge indicates that a principal has been granted a particular AzureAD admin role.
Abuse Info
No abuse is necessary. This edge only indicates that the principal has been granted a particular AzureAD admin role.
Opsec Considerations
The opsec considerations for a particular action authorized by a principal's active AzureAD role assignment depend wholly on the action taken. This edge does not capture all abusable possibilities.
References
https://docs.microsoft.com/en-us/graph/permissions-reference
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview