Skip to main content
Applies to BloodHound Enterprise and CE

Abuse Info

The Entra user is an approver for the role. If an account which can approve role assignments is compromised, an attacker could approve the assignment or activation of a role and escalate privileges in a tenant. The list of approvers is attached to a role policy and will be the designated principals for any approval requirements on the role.

Opsec Considerations

The attacker may create artifacts of abusing role activation in Entra. For example, role activations are recorded and logged by default in Audit logs for the tenant. Roles can also have specific settings configured which require MFA, justification, ticket information, or approval to activate the role. It is also possible for administrators to configure roles so a notification is sent each time the role is activated or assigned. When a role has an approver for actions, these actions will require a predesignated principal to approve the action prior to becoming effective.

References