> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AZRoleEligible

> The principal is eligible for assignment to the Entra ID role via Privileged Identity Management (PIM). When the role is active the principal will also have an [AZHasRole](/resources/edges/az-has-role) edge to the role.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

The Entra user or group is eligible for a role assignment. If the user is compromised, an attacker could activate the role, or use a current activation to escalate privileges in the tenant.

## Opsec Considerations

The attacker may create artifacts of abusing role activation in Entra. For example, role activations are recorded and logged by default in Audit logs for the tenant. Roles can also have specific settings configured which require MFA, justification, ticket information, or approval to activate the role. It is also possible for administrators to configure roles so a notification is sent each time the role is activated or assigned.

## References

* [BloodHound v8: Usability, Extensibility, and OpenGraph](https://specterops.io/blog/2025/07/29/bloodhound-v8-usability-extensibility-and-opengraph/)
* [https://learn.microsoft.com/en-us/rest/api/authorization/role-eligibility-schedule-instances/get?view=rest-authorization-2020-10-01\&tabs=HTTP](https://learn.microsoft.com/en-us/rest/api/authorization/role-eligibility-schedule-instances/get?view=rest-authorization-2020-10-01\&tabs=HTTP)
* [https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0\&tabs=http](https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0\&tabs=http)
* [https://learn.microsoft.com/en-us/graph/api/policyroot-list-rolemanagementpolicies?view=graph-rest-1.0\&tabs=http](https://learn.microsoft.com/en-us/graph/api/policyroot-list-rolemanagementpolicies?view=graph-rest-1.0\&tabs=http)
* [https://learn.microsoft.com/en-us/graph/api/policyroot-list-rolemanagementpolicyassignments?view=graph-rest-1.0\&tabs=http](https://learn.microsoft.com/en-us/graph/api/policyroot-list-rolemanagementpolicyassignments?view=graph-rest-1.0\&tabs=http)
* [https://learn.microsoft.com/en-us/graph/api/unifiedrolemanagementpolicyassignment-get?view=graph-rest-1.0\&tabs=http](https://learn.microsoft.com/en-us/graph/api/unifiedrolemanagementpolicyassignment-get?view=graph-rest-1.0\&tabs=http)
* [https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-apis](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-apis)