Admin promotion after Role Management Application Permission Grant

Status: available
Severity: high
Time window: 2h
Source: github.com/Azure/Azure-Sentinel

This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API. A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique. Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1078.004` Valid Accounts: Cloud Accounts, `T1098.003` Account Manipulation: Additional Cloud Roles
Privilege Escalation	`T1078.004` Valid Accounts: Cloud Accounts, `T1098.003` Account Manipulation: Additional Cloud Roles

Event coverage

Provider	Event
Entra-AuditLogs	Add app role assignment to service principal

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Application ID URI Changed (Kusto)
Application Redirect URL Update (Kusto)
Bulk Changes to Privileged Account Permissions (Kusto)
Changes to Application Logout URL (Kusto)
Changes to Application Ownership (Kusto)
Changes to PIM Settings (Kusto)
Detect PIM Alert Disabling activity (Kusto)
full_access_as_app Granted To Application (Kusto)

Rule body kusto

id: f80d951a-eddc-4171-b9d0-d616bb83efdc
name: Admin promotion after Role Management Application Permission Grant
description: |
  'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).
  This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.
  A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.
  Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http'
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - PrivilegeEscalation
  - Persistence
relevantTechniques:
  - T1098.003
  - T1078.004
tags:
  - SimuLand
query: |
  let query_frequency = 1h;
  let query_period = 2h;
  AuditLogs
  | where TimeGenerated > ago(query_period)
  | where Category =~ "ApplicationManagement" and LoggedByService =~ "Core Directory"
  | where OperationName =~ "Add app role assignment to service principal"
  | mv-expand TargetResource = TargetResources
  | mv-expand modifiedProperty = TargetResource["modifiedProperties"]
  | where tostring(modifiedProperty["displayName"]) == "AppRole.Value"
  | extend PermissionGrant = tostring(modifiedProperty["newValue"])
  | where PermissionGrant has "RoleManagement.ReadWrite.Directory"
  | mv-apply modifiedProperty = TargetResource["modifiedProperties"] on (
      summarize modifiedProperties = make_bag(
          bag_pack(tostring(modifiedProperty["displayName"]),
              bag_pack("oldValue", trim(@'[\"\s]+', tostring(modifiedProperty["oldValue"])),
                  "newValue", trim(@'[\"\s]+', tostring(modifiedProperty["newValue"])))), 100)
  )
  | project
      PermissionGrant_TimeGenerated = TimeGenerated,
      PermissionGrant_OperationName = OperationName,
      PermissionGrant_Result = Result,
      PermissionGrant,
      AppDisplayName = tostring(modifiedProperties["ServicePrincipal.DisplayName"]["newValue"]),
      AppServicePrincipalId = tostring(modifiedProperties["ServicePrincipal.ObjectID"]["newValue"]),
      PermissionGrant_InitiatedBy = InitiatedBy,
      PermissionGrant_TargetResources = TargetResources,
      PermissionGrant_AdditionalDetails = AdditionalDetails,
      PermissionGrant_CorrelationId = CorrelationId
  | join kind=inner (
      AuditLogs
      | where TimeGenerated > ago(query_frequency)
      | where Category =~ "RoleManagement" and LoggedByService =~ "Core Directory" and AADOperationType =~ "Assign"
      | where isnotempty(InitiatedBy["app"])
      | mv-expand TargetResource = TargetResources
      | mv-expand modifiedProperty = TargetResource["modifiedProperties"]
      | where tostring(modifiedProperty["displayName"]) in ("Role.DisplayName", "RoleDefinition.DisplayName")
      | extend RoleAssignment = tostring(modifiedProperty["newValue"])
      | where RoleAssignment contains "Admin"
      | project
          RoleAssignment_TimeGenerated = TimeGenerated,
          RoleAssignment_OperationName = OperationName,
          RoleAssignment_Result = Result,
          RoleAssignment,
          TargetType = tostring(TargetResources[0]["type"]),
          Target = iff(isnotempty(TargetResources[0]["displayName"]), tostring(TargetResources[0]["displayName"]), tolower(TargetResources[0]["userPrincipalName"])),
          TargetId = tostring(TargetResources[0]["id"]),
          RoleAssignment_InitiatedBy = InitiatedBy,
          RoleAssignment_TargetResources = TargetResources,
          RoleAssignment_AdditionalDetails = AdditionalDetails,
          RoleAssignment_CorrelationId = CorrelationId,
          AppServicePrincipalId = tostring(InitiatedBy["app"]["servicePrincipalId"])
      ) on AppServicePrincipalId
  | where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated
  | extend
      TargetName = tostring(split(Target, "@")[0]),
      TargetUPNSuffix = tostring(split(Target, "@")[1])
  | project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, 
  RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId
  | extend PermissionGrant_InitiatingUserPrincipalName = tostring(PermissionGrant_InitiatedBy.user.userPrincipalName)
  | extend PermissionGrant_InitiatingAadUserId = tostring(PermissionGrant_InitiatedBy.user.id)
  | extend PermissionGrant_InitiatingIpAddress = tostring(iff(isnotempty(PermissionGrant_InitiatedBy.user.ipAddress), PermissionGrant_InitiatedBy.user.ipAddress, PermissionGrant_InitiatedBy.app.ipAddress))
  | extend PermissionGrant_InitiatingAccountName = tostring(split(PermissionGrant_InitiatingUserPrincipalName, "@")[0]), PermissionGrant_InitiatingAccountUPNSuffix = tostring(split(PermissionGrant_InitiatingUserPrincipalName, "@")[1])
  | extend RoleAssignment_InitiatingUserPrincipalName = tostring(RoleAssignment_InitiatedBy.user.userPrincipalName)
  | extend RoleAssignment_InitiatingAadUserId = tostring(RoleAssignment_InitiatedBy.user.id)
  | extend RoleAssignment_InitiatingIpAddress = tostring(iff(isnotempty(RoleAssignment_InitiatedBy.user.ipAddress), RoleAssignment_InitiatedBy.user.ipAddress, RoleAssignment_InitiatedBy.app.ipAddress))
  | extend RoleAssignment_InitiatingAccountName = tostring(split(RoleAssignment_InitiatingUserPrincipalName, "@")[0]),  RoleAssignment_InitiatingAccountUPNSuffix = tostring(split(RoleAssignment_InitiatingUserPrincipalName, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AppDisplayName
      - identifier: AadUserId
        columnName: AppServicePrincipalId
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Target
      - identifier: Name
        columnName: TargetName
      - identifier: UPNSuffix
        columnName: TargetUPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: PermissionGrant_InitiatingUserPrincipalName
      - identifier: Name
        columnName: PermissionGrant_InitiatingAccountName
      - identifier: UPNSuffix
        columnName: PermissionGrant_InitiatingAccountUPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: PermissionGrant_InitiatingAadUserId
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: RoleAssignment_InitiatingUserPrincipalName
      - identifier: Name
        columnName: RoleAssignment_InitiatingAccountName
      - identifier: UPNSuffix
        columnName: RoleAssignment_InitiatingAccountUPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: RoleAssignment_InitiatingAadUserId
version: 1.1.0
kind: Scheduled

Stages and Predicates

Parameters

let query_frequency = 1h;
let query_period = 2h;

Stage 1: `source`

AuditLogs

Stage 2: `where`

| where TimeGenerated > ago(query_period)

Stage 3: `where`

| where Category =~ "ApplicationManagement" and LoggedByService =~ "Core Directory"

Stage 4: `where`

| where OperationName =~ "Add app role assignment to service principal"

Stage 5: `mv-expand`

| mv-expand TargetResource = TargetResources

Stage 6: `mv-expand`

| mv-expand modifiedProperty = TargetResource["modifiedProperties"]

Stage 7: `where`

| where tostring(modifiedProperty["displayName"]) == "AppRole.Value"

Stage 8: `extend`

| extend PermissionGrant = tostring(modifiedProperty["newValue"])

Stage 9: `where`

| where PermissionGrant has "RoleManagement.ReadWrite.Directory"

Stage 10: `kusto:mv-apply`

| mv-apply modifiedProperty = TargetResource["modifiedProperties"] on (
    summarize modifiedProperties = make_bag(
        bag_pack(tostring(modifiedProperty["displayName"]),
            bag_pack("oldValue", trim(@'[\"\s]+', tostring(modifiedProperty["oldValue"])),
                "newValue", trim(@'[\"\s]+', tostring(modifiedProperty["newValue"])))), 100)
)

Stage 11: `project`

| project
    PermissionGrant_TimeGenerated = TimeGenerated,
    PermissionGrant_OperationName = OperationName,
    PermissionGrant_Result = Result,
    PermissionGrant,
    AppDisplayName = tostring(modifiedProperties["ServicePrincipal.DisplayName"]["newValue"]),
    AppServicePrincipalId = tostring(modifiedProperties["ServicePrincipal.ObjectID"]["newValue"]),
    PermissionGrant_InitiatedBy = InitiatedBy,
    PermissionGrant_TargetResources = TargetResources,
    PermissionGrant_AdditionalDetails = AdditionalDetails,
    PermissionGrant_CorrelationId = CorrelationId

Stage 12: `join`

| join kind=inner (
    AuditLogs
    | where TimeGenerated > ago(query_frequency)
    | where Category =~ "RoleManagement" and LoggedByService =~ "Core Directory" and AADOperationType =~ "Assign"
    | where isnotempty(InitiatedBy["app"])
    | mv-expand TargetResource = TargetResources
    | mv-expand modifiedProperty = TargetResource["modifiedProperties"]
    | where tostring(modifiedProperty["displayName"]) in ("Role.DisplayName", "RoleDefinition.DisplayName")
    | extend RoleAssignment = tostring(modifiedProperty["newValue"])
    | where RoleAssignment contains "Admin"
    | project
        RoleAssignment_TimeGenerated = TimeGenerated,
        RoleAssignment_OperationName = OperationName,
        RoleAssignment_Result = Result,
        RoleAssignment,
        TargetType = tostring(TargetResources[0]["type"]),
        Target = iff(isnotempty(TargetResources[0]["displayName"]), tostring(TargetResources[0]["displayName"]), tolower(TargetResources[0]["userPrincipalName"])),
        TargetId = tostring(TargetResources[0]["id"]),
        RoleAssignment_InitiatedBy = InitiatedBy,
        RoleAssignment_TargetResources = TargetResources,
        RoleAssignment_AdditionalDetails = AdditionalDetails,
        RoleAssignment_CorrelationId = CorrelationId,
        AppServicePrincipalId = tostring(InitiatedBy["app"]["servicePrincipalId"])
    ) on AppServicePrincipalId

Stage 13: `where`

| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated

Stage 14: `extend`

| extend
    TargetName = tostring(split(Target, "@")[0]),
    TargetUPNSuffix = tostring(split(Target, "@")[1])

Stage 15: `project`

| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, 
RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId

Stage 16: `extend` (8 consecutive steps)

| extend PermissionGrant_InitiatingUserPrincipalName = tostring(PermissionGrant_InitiatedBy.user.userPrincipalName)
| extend PermissionGrant_InitiatingAadUserId = tostring(PermissionGrant_InitiatedBy.user.id)
| extend PermissionGrant_InitiatingIpAddress = tostring(iff(isnotempty(PermissionGrant_InitiatedBy.user.ipAddress), PermissionGrant_InitiatedBy.user.ipAddress, PermissionGrant_InitiatedBy.app.ipAddress))
| extend PermissionGrant_InitiatingAccountName = tostring(split(PermissionGrant_InitiatingUserPrincipalName, "@")[0]), PermissionGrant_InitiatingAccountUPNSuffix = tostring(split(PermissionGrant_InitiatingUserPrincipalName, "@")[1])
| extend RoleAssignment_InitiatingUserPrincipalName = tostring(RoleAssignment_InitiatedBy.user.userPrincipalName)
| extend RoleAssignment_InitiatingAadUserId = tostring(RoleAssignment_InitiatedBy.user.id)
| extend RoleAssignment_InitiatingIpAddress = tostring(iff(isnotempty(RoleAssignment_InitiatedBy.user.ipAddress), RoleAssignment_InitiatedBy.user.ipAddress, RoleAssignment_InitiatedBy.app.ipAddress))
| extend RoleAssignment_InitiatingAccountName = tostring(split(RoleAssignment_InitiatingUserPrincipalName, "@")[0]),  RoleAssignment_InitiatingAccountUPNSuffix = tostring(split(RoleAssignment_InitiatingUserPrincipalName, "@")[1])

Stage 17: `summarize`

summarize

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AADOperationType`	eq	`Assign`
`Category`	eq	`ApplicationManagement` `RoleManagement`
`LoggedByService`	eq	`Core Directory`
`OperationName`	eq	`Add app role assignment to service principal`
`PermissionGrant`	match	`RoleManagement.ReadWrite.Directory` transforms: `term`
`PermissionGrant_TimeGenerated`	lt	`RoleAssignment_TimeGenerated` transforms: `cased`
`RoleAssignment`	contains	`Admin`
`app`	is_not_null	(no value, null check)
`displayName`	eq	`AppRole.Value` transforms: `tostring`, `cased`
`displayName`	in	`Role.DisplayName` transforms: `tostring`, `cased` `RoleDefinition.DisplayName` transforms: `tostring`, `cased`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Admin promotion after Role Management Application Permission Grant

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `mv-expand`

Stage 6: `mv-expand`

Stage 7: `where`

Stage 8: `extend`

Stage 9: `where`

Stage 10: `kusto:mv-apply`

Stage 11: `project`

Stage 12: `join`

Stage 13: `where`

Stage 14: `extend`

Stage 15: `project`

Stage 16: `extend` (8 consecutive steps)

Stage 17: `summarize`

Indicators

Keyboard shortcuts

Search operators

Admin promotion after Role Management Application Permission Grant

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: where

Stage 5: mv-expand

Stage 6: mv-expand

Stage 7: where

Stage 8: extend

Stage 9: where

Stage 10: kusto:mv-apply

Stage 11: project

Stage 12: join

Stage 13: where

Stage 14: extend

Stage 15: project

Stage 16: extend (8 consecutive steps)

Stage 17: summarize

Indicators

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `mv-expand`

Stage 6: `mv-expand`

Stage 7: `where`

Stage 8: `extend`

Stage 9: `where`

Stage 10: `kusto:mv-apply`

Stage 11: `project`

Stage 12: `join`

Stage 13: `where`

Stage 14: `extend`

Stage 15: `project`

Stage 16: `extend` (8 consecutive steps)

Stage 17: `summarize`