Documentation Index
Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
Use this file to discover all available pages before exploring further.
Abuse Info
The Entra user is an approver for the role. If a principal which can approve role assignments is compromised, an attacker could approve the assignment or activation of a role and escalate privileges in a tenant. The list of approvers is attached to a role policy and will be the designated principals for any approval requirements on the role.
Opsec Considerations
The attacker may create artifacts of abusing role activation in Entra. For example, role activations are recorded and logged by default in Audit logs for the tenant. Roles can also have specific settings configured which require MFA, justification, ticket information, or approval to activate the role. It is also possible for administrators to configure roles so a notification is sent each time the role is activated or assigned. When a role has an approver for actions, these actions will require a predesignated principal to approve the action prior to becoming effective.
References
