AZT405.1 - Azure AD Application: Application Role
An adversary who compromises a user, a user in a group, or a service principal that has an application role over an application may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged application role assigned to it.
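A defender can audit for this path by joining each application's controllers with the application roles held by its service principal. The following is an added example, not part of the original page: the inventory is constructed, all names and ids are hypothetical, and the set of roles treated as privileged is an assumption to adjust per tenant.

```python
"""Audit sketch: which principals reach privileged app roles via an application they control."""

# Assumption: Graph application permissions treated as privileged for this audit.
PRIVILEGED_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Constructed inventory (hypothetical names and ids), not real tenant output.
GROUP_MEMBERS = {"g-helpdesk": ["u-carol", "u-dave"]}
SERVICE_PRINCIPALS = [
    {"name": "ci-deployer",
     "app_roles": ["RoleManagement.ReadWrite.Directory", "User.Read.All"],
     "controllers": [("user", "u-alice"), ("group", "g-helpdesk")]},
    {"name": "report-reader",
     "app_roles": ["User.Read.All"],
     "controllers": [("user", "u-bob")]},
    {"name": "sync-agent",
     "app_roles": ["Application.ReadWrite.All"],
     "controllers": [("servicePrincipal", "report-reader")]},
]


def expand_controller(kind, ident, group_members):
    """Return (principal, via) pairs; group control is inherited by each member."""
    if kind == "group":
        return [(m, f"member of {ident}") for m in group_members.get(ident, [])]
    return [(ident, "direct")]


def escalation_paths(service_principals, group_members, privileged=PRIVILEGED_APP_ROLES):
    """List (principal, via, service_principal, app_role) for every privileged reach."""
    paths = []
    for sp in service_principals:
        risky = sorted(set(sp["app_roles"]) & privileged)
        if not risky:
            continue  # controlling this application yields no privileged app role
        for kind, ident in sp["controllers"]:
            for principal, via in expand_controller(kind, ident, group_members):
                paths.extend((principal, via, sp["name"], role) for role in risky)
    return sorted(paths)


if __name__ == "__main__":
    for principal, via, sp_name, role in escalation_paths(SERVICE_PRINCIPALS, GROUP_MEMBERS):
        print(f"{principal:14} ({via}) -> {sp_name} -> {role}")
```

Paths are reported one hop at a time; when a service principal such as `report-reader` is itself flagged as a controller, trace it back to the principals that control it.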
Resource
Azure Active Directory
Actions
N/A
Since the attacker controls the application, no actions are needed.
Additional Resources
https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions