Custom Roles Permissions is a security indicator in Semperis Directory Services Protector and Semperis Purple Knight Active Directory vulnerability assessment tool
The AAD (Azure AD, now called Entra ID) custom roles with risky permissions security indicator checks if a custom role has permissions that can be abused by an attacker. Permissions for the following custom roles are checked:
- Application creation
- Application deletion
- Update all properties application
- Update application’s credentials
- Update application’s owner
- Update application’s permissions
Even though there are two application creation permissions that grant access to the New registration command, this indicator only checks for the following application creation permission:
- microsoft.directory/applications/create: Allows the authenticated user to create a new application in their Azure Active Directory. This user will not be designated as the first owner of the created app registration.
When both the /createAsOwner and /create permissions are assigned, the /create permission takes precedence. In addition, the /createAsOwner permission does not automatically add the creator as the first owner. You can however use the Graph APIs or PowerShell to specify owners when you create the app registration.
Care should be taken when assigning the /create permission. This is because the creator is not added as the first owner of the created app registration and therefore, is not counted against the creator’s 250 created objects quota. There is nothing preventing the authenticated user from creating an excessive number of app registrations in an effort to exceed the directory-level quota.
This security indicator checks for the following application deletion permissions:
- microsoft.directory/applications/delete: Allows the authenticated user to delete any application in the tenant, regardless of subtype. That is, the user can delete both single-tenant and multi-tenant applications.
- microsoft.directory/applications.myOrganization/delete: Allows the authenticated user to delete application registrations that are assessable only to accounts in your organization or single-tenant applications (myOrganization subtype).
A user with either of these application deletion permissions could disrupt access to resources or cause other problems within the organization. To protect against this type of attack, ensure that only trusted users and applications have permission to create and delete applications in the Azure Active Directory, and to monitor for unauthorized activity.
This indicator checks for the following application properties update permissions:
- microsoft.directory/applications/allProperties/update: Allows the authorized user to update all properties on single-tenant and multi-tenant applications.
- microsoft.directory/applications.myOrganization/allProperties/update: Allows the authorized user to update all properties for single-tenant applications.
A user with either of these application properties update permissions can update all properties in the Azure Active Directory, including all applications’ certificates and secrets; therefore, they can create a new client secret and authenticate as this application.
This indicator checks for the following permissions that grant access to fields on the application registration Certificates & secrets page:
- microsoft.directory/applications/credentials/update: Allows the authorized user to create, update, and delete passwords, certificates, and client secrets associated with single-tenant and multi-tenant applications.
This permission is typically granted to applications that manage or maintain other applications within Azure AD.
- microsoft.directory/applications.myOrganization/credentials/update: Allows the authorized user to create, update, and delete passwords, certificates, and client secrets on single-tenant applications.
Care should be taken when assigning application credentials update permissions, as it can potentially allow applications to make changes to the credentials of other applications, which could have security implications. That is, if an attacker obtains this kind of permission, they can authenticate as the target application.
This security indicator checks the following permissions that grant access to the fields on the application registration Owners page:
- microsoft.directory/applications/owners/update: Allows the authenticated user to update the owner on single-tenant and multi-tenant applications.
- microsoft.directory/applications.myOrganization/owners/update: Allows the authenticated user to update the owner on single-tenant applications.
As an owner of an application, the user has control over the certificates and client secrets that allow them to authenticate as the application.
This security indicator checks for the following permissions that grant access to the filed on the application registration API permissions and Expose an API pages:
A user with application permission update permissions can request API permissions, but without admin consent. If the user is able to coerce an administrator into granting admin consent, they will receive these strong permissions. (In order to be useful to an attacker, this requires prior access to an application’