Applies to BloodHound Enterprise and CE

Abuse Info

The Entra user or group is eligible for a role assignment. If the user is compromised, an attacker could activate the role, or use a current activation to escalate privileges in the tenant.

Opsec Considerations

Abusing role activation may leave artifacts in Entra. For example, role activations are logged by default in the tenant's Audit logs. Roles can also be configured to require MFA, justification, ticket information, or approval before the role can be activated. Administrators can also configure roles so that a notification is sent each time the role is activated or assigned.
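A defender-side check built on the audit trail described above, as an added example that is not BloodHound's or Microsoft's code: it filters exported audit records for completed PIM role activations and flags those from a user/role pair outside a reviewed baseline or with no justification. The records are constructed, and the field layout (Microsoft Graph directoryAudit shape, justification in `resultReason`) and the activity name are assumptions to confirm against your own tenant's export.

```python
import json

# Activity name PIM writes to the audit log when an eligible role is activated
# (assumption: confirm it against your own tenant's export).
PIM_ACTIVATION = "Add member to role completed (PIM activation)"

# Constructed records, shaped like Microsoft Graph directoryAudit entries.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"activityDateTime": "2024-05-01T09:12:00Z", "loggedByService": "PIM", "result": "success",
  "activityDisplayName": "Add member to role completed (PIM activation)",
  "resultReason": "INC-1001 password resets",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
  "targetResources": [{"type": "Role", "displayName": "User Administrator"}]},
 {"activityDateTime": "2024-05-01T23:47:00Z", "loggedByService": "PIM", "result": "success",
  "activityDisplayName": "Add member to role completed (PIM activation)",
  "resultReason": "",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
  "targetResources": [{"type": "Role", "displayName": "Global Administrator"}]},
 {"activityDateTime": "2024-05-02T08:00:00Z", "loggedByService": "Core Directory",
  "result": "success", "activityDisplayName": "Update user", "resultReason": "",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
  "targetResources": [{"type": "User", "displayName": "Carol"}]}
]""")

def role_activations(records):
    """Yield (time, user, role, justification) for each completed PIM activation."""
    for rec in records:
        if (rec.get("loggedByService") != "PIM" or rec.get("result") != "success"
                or rec.get("activityDisplayName") != PIM_ACTIVATION):
            continue
        user = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName") or "unknown"
        role = next((t.get("displayName") for t in rec.get("targetResources") or []
                     if t.get("type") == "Role"), "unknown")
        # Assumption: the activation justification is carried in resultReason.
        yield rec.get("activityDateTime"), user, role, (rec.get("resultReason") or "").strip()

def unexpected_activations(records, baseline):
    """Flag activations outside the reviewed (user, role) baseline or lacking justification."""
    findings = []
    for when, user, role, why in role_activations(records):
        reasons = []
        if (user.lower(), role) not in baseline:
            reasons.append("pair not in baseline")
        if not why:
            reasons.append("no justification")
        if reasons:
            findings.append({"time": when, "user": user, "role": role, "reasons": reasons})
    return findings
```

The baseline is a set of lowercase `(userPrincipalName, role name)` pairs that have been reviewed as expected activations.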

References