AZT507 - External Entity Access#
Adversaries may configure the target Azure tenant to be managed by another, externel tenant, or its users.
| ID | Name | Description | Action | Resources |
|---|---|---|---|---|
| AZT507.1 | Azure Lighthouse | Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant. | Microsoft.ManagedServices/registrationAssignments/Write | AzureAD |
| AZT507.2 | Microsoft Partners | Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant. | N/A | AzureAD |
| AZT507.3 | Subscription Hijack | An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. | N/A | Azure Subscription |
| AZT507.4 | Domain Trust Modification | An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant. | N/A | AzureAD |