AZT106.2 - Gather Role Information: Gather Application Role Assignments

An adversary may gather information about an application role & it's member assignments within Azure Active Directory.

Resource

Azure Active Directory

Actions

• microsoft.directory/roleAssignments/standard/read
• microsoft.directory/directoryRoles/standard/read
• microsoft.directory/directoryRoles/eligibleMembers/read
• microsoft.directory/directoryRoles/members/read
• microsoft.directory/users/appRoleAssignments/read
• microsoft.directory/servicePrincipals/appRoleAssignments/read
• microsoft.directory/servicePrincipals/appRoleAssignedTo/read
• microsoft.directory/applications/owners/read

Examples

Az PowerShellAzure CLIMicrosoft Graph REST APIAzure Portal

Get-AzADAppPermission

az ad app permission list

• GET https://graph.microsoft.com/v1.0/users/{id}/appRoleAssignments
• GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments
• GET https://graph.microsoft.com/v1.0/groups/{id}/appRoleAssignments

Detections

N/A

Additional Resources

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles