services / Azure / Static Site user
An application-level authenticated user (auth-provider invitation/role assignment) governing access to authenticated content of an Azure Static Web App.
App-scoped auth principals/roles for a single static site, not tenant directory identities.
Microsoft.Web/staticSites/authproviders/users/write
Updating a Static Site user lets an attacker change the user's assigned roles/claims to elevate application privileges and maintain access via a controlled account.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog