Elevating access from Azure AD to Azure subscriptions

Platform:
Service: azure-ad
Data breaches: known
Last updated:
Exploitability: low (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)
Impact: high (how impactful a successful exploitation of this vulnerability is expected to be to your environment and organization)

About

Azure AD global administrators can grant themselves permissions to Azure subscriptions.

Understanding Impact

Business Impact

Monitoring when a privileged user grants themselves access to an Azure environment is important, as this can lead to unauthorized data access and data loss.

Technical Impact

If an attacker is able to compromise a global administrator account, they can grant themselves full administrative permissions to Azure subscriptions in the tenant, even if they have not been granted any explicit permissions to the subscriptions.

Detection

You can leverage Azure activity logs to identify when a global administrator elevates their access to Azure subscriptions, under the "Directory Activity" tab.

Sample event, shortened for readability:

{
  "operationName": {
    "value": "Microsoft.Authorization/elevateAccess/action",
    "localizedValue": "Assigns the caller to User Access Administrator role"
  },
  "resourceProviderName": {
    "value": "Microsoft.Authorization",
    "localizedValue": "Microsoft.Authorization"
  },
  "resourceId": "/providers/Microsoft.Authorization",
  "tenantId": "<tenant-id>",
  "properties": {
    "eventCategory": "Administrative",
    "entity": "/providers/Microsoft.Authorization",
    "message": "Microsoft.Authorization/elevateAccess/action"
  }
}
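The detection above reduces to matching the operation name; the following is an added example (not code from the original page or from Azure) that runs that check over Activity Log events. It assumes events in the JSON shape the Azure Monitor REST API returns, where operationName is an object with value and localizedValue (exported logs sometimes flatten it to a plain string, which is handled as well). The caller, eventTimestamp and status fields are part of the Activity Log schema but were not in the page's shortened sample, and all sample events below are constructed.

```python
"""Flag Azure AD "elevate access" events in Azure Activity Log data."""
import json
from typing import Any, Iterable

# Operation emitted when a global administrator elevates access (from the page).
ELEVATE_ACCESS_OP = "Microsoft.Authorization/elevateAccess/action"

# Constructed sample events: an elevate-access event modelled on the page's
# sample (caller/timestamp/status added as assumptions), an unrelated
# administrative event, and an elevate-access event from a flattened export.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {
        "operationName": {
            "value": "Microsoft.Authorization/elevateAccess/action",
            "localizedValue": "Assigns the caller to User Access Administrator role",
        },
        "resourceProviderName": {"value": "Microsoft.Authorization"},
        "resourceId": "/providers/Microsoft.Authorization",
        "tenantId": "<tenant-id>",
        "caller": "globaladmin@example.test",
        "eventTimestamp": "2024-01-01T10:00:00Z",
        "status": {"value": "Succeeded"},
        "properties": {"eventCategory": "Administrative"},
    },
    {
        "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
        "tenantId": "<tenant-id>",
        "caller": "ops@example.test",
        "eventTimestamp": "2024-01-01T10:05:00Z",
        "status": {"value": "Succeeded"},
    },
    {
        # Flattened export shape: operationName and status are plain strings.
        "operationName": "microsoft.authorization/elevateaccess/action",
        "tenantId": "<tenant-id>",
        "caller": "breakglass@example.test",
        "eventTimestamp": "2024-01-02T03:14:00Z",
        "status": "Failed",
    },
]


def _scalar(field: Any) -> str:
    """Return the 'value' of an Activity Log {value, localizedValue} object,
    or the field itself when an export has already flattened it to a string."""
    if isinstance(field, dict):
        field = field.get("value")
    return str(field or "")


def is_elevate_access(event: dict[str, Any]) -> bool:
    """True when the event records a Microsoft.Authorization/elevateAccess/action call.
    Comparison is case-insensitive because exports differ in casing."""
    return _scalar(event.get("operationName")).lower() == ELEVATE_ACCESS_OP.lower()


def find_elevate_access(events: Iterable[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per elevate-access event: who did it, when, and whether
    it succeeded. Failed attempts are kept, since they are still worth review."""
    findings = []
    for event in events:
        if not is_elevate_access(event):
            continue
        findings.append(
            {
                "caller": str(event.get("caller") or "<unknown>"),
                "timestamp": str(event.get("eventTimestamp") or "<unknown>"),
                "status": _scalar(event.get("status")) or "<unknown>",
                "tenantId": str(event.get("tenantId") or "<unknown>"),
            }
        )
    return findings


def scan_ndjson(lines: Iterable[str]) -> list[dict[str, str]]:
    """Convenience wrapper for newline-delimited JSON exports: parse each
    non-empty line as one event and run the same check."""
    events = (json.loads(line) for line in lines if line.strip())
    return find_elevate_access(events)


if __name__ == "__main__":
    for finding in find_elevate_access(SAMPLE_EVENTS):
        print(f"{finding['timestamp']} {finding['caller']} elevateAccess {finding['status']}")
```

Matching on the operationName value rather than the localized text keeps the rule stable across portal languages, and keeping failed attempts in the output means a compromised account that tried and was denied still surfaces for review.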

References

DEV-0537 criminal actor targeting organizations for data exfiltration and destruction (microsoft.com)

Elevate access to manage all Azure subscriptions and management groups (Azure documentation)
