AZT405.1 - Azure AD Application: Application Role#

By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.

Resource

Azure Active Directory

Actions

N/A

Since the attacker controls the application, no actions are needed.

Examples

Azure REST APIAzure Portal

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000002-0000-0000-c000-000000000000'

approle

Detections

Logs#

Data Source	Operation Name	Action	Log Location
N/A	N/A	N/A	N/A

Additional Resources

https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions