MT.1050 - Apps with high-risk permissions having a direct path to Global Admin
Overview
Ensure no Microsoft Entra ID applications or service principals have Graph permissions with a risk of having a direct or indirect path to a Global Admin or a full tenant takeover.
The tested permissions are based on the research published at Microsoft Application permissions tiering by Emilien Socchi.
This test checks if any application has tier-0 graph permissions with a risk of having a direct or indirect path to a Global Admin or a full tenant takeover.
Note:
There are several use cases where Tier-0 permissions with an indirect attack path are required. For example, Maester itself requires the permission 'RoleEligibilitySchedule.ReadWrite.Directory' to properly validate the PIM assignments. Nevertheless, an administrator should question the use of these permissions and check whether less critical permissions are also sufficient. Applications provided by third-party vendors that do have Tier-0 permissions with direct or indirect attack paths should strictly be questioned and monitored.
Following table is a shortened copy from Application permissions - Tier 0: Family of Global Admins, Date: 05.03.2025, Release v2.1.0
| Application permission | Path type | Known shortest path |
|---|---|---|
| AdministrativeUnit.ReadWrite.All | Indirect | When combined with other types of access allowing to reset user passwords, can remove a Global Admin from a Restricted Management Administrative Unit (RMAU) and take it over. |
| Application.ReadWrite.All | Indirect | Can impersonate any SP with more privileged application permissions granted for MS Graph, and impersonate it to escalate to Global Admin. |
| Application.ReadWrite.OwnedBy | Indirect | Same as Application.ReadWrite.All, but the impersonation is limited to the SP(s) for which the compromised SP is an owner. |
| AppRoleAssignment.ReadWrite.All | Indirect | Can assign the RoleManagement.ReadWrite.Directory permission to the compromised SP without requiring admin consent, and escalate to Global Admin. |
| DeviceManagementConfiguration.ReadWrite.All | Indirect | Can run arbitrary commands on the InTune-managed endpoint of a Global Administrator and steal their tokens to impersonate them. |
| DeviceManagementRBAC.ReadWrite.All | Indirect | Can assign InTune roles to a controlled user account, which allows running arbitrary commands on the InTune-managed endpoint of a Global Administrator and steal their tokens to impersonate them. |
| Directory.ReadWrite.All | Indirect | Can become member of a non-role-assignable user group with assigned privileged Azure permissions, and leverage Azure resources to escalate to Global Admin. Note: can also acquire access to external solutions integrated with Entra ID via SSO, and providing access based on non-role-assignable group memberships. |
| Domain.ReadWrite.All | Indirect | Can add a federated domain to Entra ID and authenticate as an existing Global Admin without password or MFA requirements. |
| EntitlementManagement.ReadWrite.All | Indirect | Can update the assignment policy of an access package provisioning access to Global Admin, so that requesting the package without approval is possible from a controlled user account. |
| Group.ReadWrite.All | Indirect | Same as Directory.ReadWrite.All. |
| GroupMember.ReadWrite.All | Indirect | Same as Directory.ReadWrite.All. |
| Organization.ReadWrite.All | Indirect | If Certificate Based Authentication (CBA) is enabled in the tenant, can upload a trusted root certificate to Entra ID and impersonate a Global Admin. |
| Policy.ReadWrite.AuthenticationMethod | Indirect | When combined with UserAuthenticationMethod.ReadWrite.All, can enable the Temporary Access Pass (TAP) authentication method to help leveraging and follow the same path as that permission. |
| Policy.ReadWrite.ConditionalAccess | Direct | Can create a CAP blocking all users (including break-glass accounts) for all applications (making the tenant unavailable), and ask for a ransomware to remove the malicious CAP. Note: this role is "Global-Admin-like", as it affects the availability of the tenant in the same way as a Global Admin. |
| Policy.ReadWrite.PermissionGrant | Indirect | Can create a permission grant policy for the compromised SP with the RoleManagement.ReadWrite.Directory permission, and leverage that policy to follow the same path as that permission and escalate to Global Admin. |
| PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Direct | Same as PrivilegedAccess.ReadWrite.AzureADGroup. |
| PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Indirect | Can make a controlled user account eligible to a group with an active Global Admin assignment, and activate the group membership to escalate to Global Admin. |
| RoleAssignmentSchedule.ReadWrite.Directory | Direct | Can assign the Global Admin role to a controlled user account, by creating an active PIM role assignment. |
| RoleEligibilitySchedule.ReadWrite.Directory | Indirect | Can make a controlled user account eligible to the Global Admin role, and activate it to escalate to Global Admin. |
| RoleManagement.ReadWrite.Directory | Direct | Can assign the Global Admin role to a controlled principal. |
| RoleManagementPolicy.ReadWrite.AzureADGroup | Indirect | Can remove group role assignment and activation constrains, such as MFA requirements or admin approval, to help leveraging PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup or PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup, and follow the same path as those permissions in a tenant with strict PIM settings. |
| RoleManagementPolicy.ReadWrite.Directory | Indirect | Can remove Entra role assignment and activation constrains, such as MFA requirements or admin approval, to help leveraging RoleAssignmentSchedule.ReadWrite.Directory or RoleEligibilitySchedule.ReadWrite.Directory, and follow the same path as those permissions in a tenant with strict PIM settings. |
| User.DeleteRestore.All | Direct | Can delete all user accounts in the tenant (making the latter unavailable), and ask for a ransomware to restore one of the break-glass accounts. Note: this permission is "Global-Admin-like", as it affects the availability of the tenant in the same way as a Global Admin. |
| User.EnableDisableAccount.All | Direct | When combined with User.Read.All, can disable all user accounts in the tenant (making the latter unavailable), and ask for a ransomware to re-enable one of the break-glass accounts. Note: this permission is "Global-Admin-like", as it affects the availability of the tenant in the same way as a Global Admin. |
| User.ReadWrite.All | Indirect | Can edit sensitive properties of a controlled user account, such as "Employee ID" and "Department", to become member of a dynamic group with assigned privileged Azure permissions, and leverage Azure resources to escalate to Global Admin. |
| User-PasswordProfile.ReadWrite.All | Indirect | Same as Directory.ReadWrite.All. |
| UserAuthenticationMethod.ReadWrite.All | Direct | Can generate a Temporary Access Pass (TAP) and take over any user account in the tenant. Note: if TAP is not an enabled authentication method in the tenant, this path needs to be combined with Policy.ReadWrite.AuthenticationMethod to be successful. |
Remediation action:
To check the applications permissions:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Applications then select App registrations.
- Select All applications.
- Search for the application that you want to check and select the application.
- Select API permissions.
- Check the Microsoft Graph permissions.
- Verify that only authorized users have access to this application and its secrets.
Related links
- Microsoft 365 Admin Center
- Microsft Entra - App registrations
- Application permissions - Tier 0: Family of Global Admins
- Microsoft Learn - Graph permissions
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1050 |
| Severity | High |
| Suite | Maester |
| Category | App |
| PowerShell test | Test-MtHighRiskAppPermissions |
| Tags | App, Entra, Graph, LongRunning, MT.1050, Preview |
Source
- Pester test:
tests/Maester/Entra/Test-MtHighRiskAppPermissions.Tests.ps1 - PowerShell source:
powershell/public/maester/entra/Test-MtHighRiskAppPermissions.ps1