services / Azure / Cross-tenant vault mapping credentials
Recovery Services vault credentials for cross-tenant vault mappings: downloadable credential material that authenticates and registers an agent or identity to a backup vault across tenant trust boundaries.
Vault credentials are usable identity/authentication material; cross-tenant variants enable access into another tenant's recovery vault and its backed-up data.
Microsoft.RecoveryServices/Vaults/backupCrossTenantVaultMappings/vaultCredentials/generate/action
This generate/action produces and returns the cross-tenant vault credential material, exporting usable credentials (exfiltration:crypto) that enable authentication and lateral movement into another tenant's backup vault (escalation:lateral).
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security