services / Azure / Cross-tenant vault mapping credentials

Recovery Services vault credentials for cross-tenant vault mappings: downloadable credential material that authenticates and registers an agent or identity to a backup vault across tenant trust boundaries.

Vault credentials are usable identity/authentication material; cross-tenant variants enable access into another tenant's recovery vault and its backed-up data.

Microsoft.RecoveryServices/Vaults/backupCrossTenantVaultMappings/vaultCredentials/generate/action

This generate/action produces and returns the cross-tenant vault credential material, exporting usable credentials (exfiltration:crypto) that enable authentication and lateral movement into another tenant's backup vault (escalation:lateral).

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.RecoveryServices
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog