services / Azure / Tenant access elevation

A tenant-scope administrative action that self-assigns the caller the User Access Administrator role at the root (tenant) scope, granting authority to manage role assignments across every subscription in the tenant.

This is the canonical Azure privilege-escalation primitive; once elevated, the caller can assign any role (including Owner) anywhere in the tenant.


Microsoft.​Authorization/​elevateAccess/​action

Self-elevates to User Access Administrator at tenant root scope, directly escalating privilege and enabling the attacker to subsequently assign roles to themselves or any controlled identity tenant-wide.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​Authorization
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog