Entra ID Privilege Escalation to Global Administrator
Eric Woodruff
44CON 2024 · Day 1 · Main
This article delves into a critical security vulnerability discovered in **Entra ID** (formerly Azure Active Directory) that allowed for privilege escalation to **Global Administrator** within a tenant. Presented by Eric Woodruff, a security researcher at Semperis, this talk, titled "Unauthorized," exposes how certain Microsoft-managed service principals, when improperly configured, could be leveraged to gain "Keys of the Kingdom" access, bypassing expected authorization controls. The research highlights a fundamental discrepancy between the external OAuth2 scopes an application presents and the internal Microsoft authorization models that actually govern its actions, leading to unexpected and highly privileged outcomes.
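The precondition the finding relies on, a credential being added to a Microsoft-owned service principal, leaves a trace in the Entra ID audit log. The following is an added detection example, not code from the talk or from Microsoft: it joins constructed, simplified audit records against a constructed service-principal inventory and flags credential additions on first-party principals. The activity name and the well-known Microsoft owner tenant ID used to identify first-party principals are assumptions.

```python
# Flag credential additions to Microsoft-owned (first-party) service principals.
# ASSUMPTIONS: MICROSOFT_TENANT_ID is the well-known appOwnerOrganizationId of
# Microsoft first-party apps; CRED_ACTIVITY is the audit activityDisplayName for a
# credential add. The records below are constructed samples, not real tenant data.
MICROSOFT_TENANT_ID = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
CRED_ACTIVITY = "Add service principal credentials"

# Constructed inventory: service principal object id -> owner metadata.
SAMPLE_INVENTORY = {
    "sp-0001": {"displayName": "Example First-Party Service", "appOwnerOrganizationId": MICROSOFT_TENANT_ID},
    "sp-0002": {"displayName": "Contoso Line-of-Business App", "appOwnerOrganizationId": "11111111-2222-3333-4444-555555555555"},
}

# Constructed audit records in the shape of Entra ID directory audit entries.
SAMPLE_EVENTS = [
    {"activityDisplayName": CRED_ACTIVITY,
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"id": "sp-0001", "displayName": "Example First-Party Service"}]},
    {"activityDisplayName": CRED_ACTIVITY,
     "initiatedBy": {"user": {"userPrincipalName": "dev@contoso.example"}},
     "targetResources": [{"id": "sp-0002", "displayName": "Contoso Line-of-Business App"}]},
    {"activityDisplayName": "Update service principal",
     "initiatedBy": {"app": {"displayName": "Automation Pipeline"}},
     "targetResources": [{"id": "sp-0001", "displayName": "Example First-Party Service"}]},
]

def describe_actor(initiated_by):
    """Return a readable actor label whether a user or an app initiated the event."""
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"

def find_first_party_credential_adds(events, inventory):
    """Return one finding per credential add whose target is a Microsoft-owned SP.
    Tenant-owned targets and non-credential activities are ignored."""
    findings = []
    for event in events:
        if event.get("activityDisplayName") != CRED_ACTIVITY:
            continue
        actor = describe_actor(event.get("initiatedBy", {}))
        for target in event.get("targetResources", []):
            sp = inventory.get(target.get("id"))
            if sp and sp.get("appOwnerOrganizationId") == MICROSOFT_TENANT_ID:
                findings.append({"actor": actor, "object_id": target["id"],
                                 "service_principal": sp["displayName"]})
    return findings

if __name__ == "__main__":
    for finding in find_first_party_credential_adds(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print("ALERT first-party SP credential added:", finding)
```

In a live tenant the inventory would come from a service-principal listing that includes appOwnerOrganizationId, and the events from the directory audit log; only the join logic is shown here.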
AI review
Woodruff found a real, patched, high-severity bug in Entra ID's authorization layer — Application Administrator to Global Admin via credential stuffing on Microsoft-owned service principals — and presents it with enough technical precision to be genuinely educational. The core insight, that internal Microsoft authorization systems silently override the publicly visible OAuth scope model, is the kind of finding that reframes how defenders think about cloud identity trust boundaries.