Azure SQL server Azure AD administrator

The Azure Active Directory administrator binding for an Azure SQL logical server, designating the identity that holds full administrative control over the server and all its databases.

This is an access-control assignment pointing at a highly privileged identity; controlling it grants full server/database admin authority.

Microsoft.Sql/servers/administrators/write

Adds or updates the Azure AD administrator. An attacker holding this permission can designate an identity under their control as the full server administrator, gaining privileged access to data and to server control operations (privilege escalation) and access through a different identity (lateral movement).

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Sql
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog