Subscription tenant change acceptance (Azure)
An action that accepts a pending tenant/directory change for an Azure subscription, moving it into the target tenant.
Subscription-wide control affecting all contained resources and identities; tenant-scope sensitivity.
Microsoft.Subscription/subscriptions/acceptChangeTenant/action
Accepting a tenant change moves the subscription into an attacker-controlled directory (escalation:privilege) granting control over all its resources/identities (escalation:lateral), while severing the original tenant's RBAC so legitimate principals lose access (impact:access).
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security