services / Azure / SQL server external policy-based authorization
The external policy-based authorization configuration on an Azure SQL logical server binds an external authorization provider or policy that governs who is authorized to access the database server.
This is the authorization control-plane configuration governing access to a production database server.
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write
Adding or updating the external policy-based authorization alters the authorization mapping that governs database access. An attacker holding this permission can grant attacker-controlled principals access (privilege escalation) and manipulate the authorization configuration.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security