diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml new file mode 100644 index 0000000000..afe0f18efd --- /dev/null +++ b/detections/cloud/o365_application_available_to_other_tenants.yml 
@@ -0,0 +1,65 @@ +name: O365 Application Available To Other Tenants +id: 942548a3-0273-47a4-8dbd-e5202437395c +version: 1 +date: '2024-04-11' +author: Steven Dick +status: production +type: TTP +description: The following analytic identifies the configuration of Azure Active Directory Applications in a manner that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access of any data or capabilities the application is allowed to access. This detection leverages the O365 Universal Audit Log data source. +data_source: +- Office 365 Universal Audit Log +search: > + `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add application.","Update application.") ModifiedProperties{}.Name=AvailableToOtherTenants + | eval result = case(match(mvindex('ModifiedProperties{}.NewValue',mvfind('ModifiedProperties{}.Name',"AvailableToOtherTenants")),"false"),"removed",true(),"added"), object_name=mvindex('Target{}.ID', 3), signature=Operation, object_attrs = "AvailableToOtherTenants", user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) + | search result = "added" + | stats values(ActorIpAddress) as src, count, min(_time) as firstTime, max(_time) as lastTime by signature, user, object, object_name, object_attrs, result + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_application_available_to_other_tenants_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: Business approved changes by known administrators. 
+references: +- https://attack.mitre.org/techniques/T1098/ +- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/ +- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration +tags: + analytic_story: + - Azure Active Directory Persistence + - Azure Active Directory Account Takeover + - Data Exfiltration + asset_type: O365 Tenant + confidence: 100 + impact: 50 + message: An Azure Application [$object_name$] was configured by [$user$] as accessible to external tenants. + mitre_attack_id: + - T1098.003 + - T1098 + observable: + - name: user + type: User + role: + - Victim + - name: object_name + type: Other + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.Name + - UserId + - Workload + - Target{}.ID + risk_score: 50 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml new file mode 100644 index 0000000000..6f6cb2f0e1 --- /dev/null +++ b/detections/cloud/o365_cross_tenant_access_change.yml 
@@ -0,0 +1,62 @@ +name: O365 Cross-Tenant Access Change +id: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f +version: 1 +date: '2024-04-11' +author: Steven Dick +status: production +type: TTP +description: The following analytic identifies when cross-tenant access/synchronization policies are changed in an Azure tenant. Adversaries have been observed altering victim cross-tenant policies as a method of lateral movement or maintaining persistent access to compromised environments. These policies should be considered sensitive and monitored for changes and/or loose configuration. +data_source: +- Office 365 Universal Audit Log +search: > + `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add a partner to cross-tenant access setting.","Delete partner specific cross-tenant access setting.") + | eval user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) + | stats values(Workload) as category, values(ClientIP) as src, values(ModifiedProperties{}.Name) as object_name, values(ModifiedProperties{}.NewValue) as object_attrs, count, min(_time) as firstTime, max(_time) as lastTime by Id,user,Operation + | rename Operation as signature, Id as signature_id + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_cross_tenant_access_change_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: Business approved changes by known administrators. 
+references: +- https://attack.mitre.org/techniques/T1484/002/ +- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html +- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/ +- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/ +tags: + analytic_story: + - Azure Active Directory Persistence + asset_type: O365 Tenant + confidence: 75 + impact: 75 + message: The user [$user$] changed the Azure cross-tenant access settings for $object_name$ $object_attrs$ [$signature$] + mitre_attack_id: + - T1484.002 + observable: + - name: user + type: User + role: + - Victim + - name: object_attrs + type: Other + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.Name + - UserId + - Workload + risk_score: 75 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml new file mode 100644 index 0000000000..a00581e3d9 --- /dev/null +++ b/detections/cloud/o365_external_guest_user_invited.yml 
@@ -0,0 +1,64 @@ +name: O365 External Guest User Invited +id: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa +version: 1 +date: '2024-04-11' +author: Steven Dick +status: production +type: TTP +description: The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. This detection leverages the Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data source. +data_source: +- Office 365 Universal Audit Log +search: > + `o365_management_activity` Workload=AzureActiveDirectory AND Operation="Add user*" AND ModifiedProperties{}.NewValue="[*Guest*]" AND ModifiedProperties{}.NewValue="[*Invitation*]" + | eval user = (mvindex('ModifiedProperties{}.NewValue',5)), src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) + | rex field=user "(?[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})" + | stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by Operation,Id,src_user + | rename Operation as signature, Id as signature_id + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_external_guest_user_invited_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: Administrator may legitimately invite external guest users. Filter as needed. 
+references: +- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf +- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999 +- https://attack.mitre.org/techniques/T1136/003/ +- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal +tags: + analytic_story: + - Azure Active Directory Persistence + asset_type: O365 Tenant + confidence: 50 + impact: 50 + message: Azure Guest User $user$ invited by $src_user$ + mitre_attack_id: + - T1136.003 + observable: + - name: user + type: User + role: + - Victim + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.Name + - UserId + - Id + - Workload + risk_score: 25 + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml new file mode 100644 index 0000000000..a9dbb3c6f0 --- /dev/null +++ b/detections/cloud/o365_external_identity_policy_changed.yml 
@@ -0,0 +1,64 @@ +name: O365 External Identity Policy Changed +id: 29af1725-7a72-4d2d-8a18-e697e79a62d3 +version: 1 +date: '2024-04-11' +author: Steven Dick +status: production +type: TTP +description: The following analytic identifies when changes are made to the external guest policies within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. This detection also attempts to highlight what may have changed. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. +data_source: +- Office 365 Universal Audit Log +search: > + `o365_management_activity` Workload=AzureActiveDirectory Operation="Update policy." Target{}.ID="B2BManagementPolicy" + | eval object_attrs = mvindex('ModifiedProperties{}.NewValue',0), object_attrs_old = mvindex('ModifiedProperties{}.OldValue',0), object_name = mvindex('Target{}.ID',3), signature=Operation, user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) + | spath input=object_attrs_old output=B2BOld path={} + | spath input=B2BOld + | rename B2BManagementPolicy.* as B2BManagementPolicyOld.* + | spath input=object_attrs output=B2BNew path={} + | spath input=B2BNew + | eval object_attrs = 'B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}' , object_attrs_old = 'B2BManagementPolicyOld.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}' + | eval diff_add=mvmap(object_attrs,if(isnull(mvfind(object_attrs_old,object_attrs)),object_attrs,null)) + | eval 
diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs,object_attrs_old)),object_attrs_old,null)) + | eval result = case(isnotnull(diff_add),"Added ".mvjoin(diff_add,","),isnotnull(diff_remove),"Removed ".mvjoin(diff_remove,",")), action = case(isnotnull(diff_add),"created",isnotnull(diff_remove),"deleted") + | stats values(object_attrs) as object_attrs, values(action) as action, values(result) as result, values(B2BManagementPolicy*) as B2BManagementPolicy*, count, min(_time) as firstTime, max(_time) as lastTime by user,signature,object_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_external_identity_policy_changed_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: Business approved changes by known administrators. +references: +- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360 +- https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview +tags: + analytic_story: + - Azure Active Directory Persistence + asset_type: O365 Tenant + confidence: 100 + impact: 75 + message: User $user$ changed the external identity [$object_name$] policy - $result$ + mitre_attack_id: + - T1136.003 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.Name + - UserId + - Workload + risk_score: 75 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: o365:management:activity + source: o365 
diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml new file mode 100644 index 0000000000..f5f626d370 --- /dev/null +++ b/detections/cloud/o365_privileged_role_assigned.yml 
@@ -0,0 +1,64 @@ +name: O365 Privileged Role Assigned +id: db435700-4ddc-4c23-892e-49e7525d7d39 +version: 1 +date: '2024-04-11' +author: Steven Dick +status: production +type: TTP +description: The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source. +data_source: +- Office 365 Universal Audit Log +search: > + `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") + | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2) + | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature + | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole + | search isprvilegedadrole="TRUE" category="User" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_privileged_role_assigned_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: Administrators will legitimately assign the privileged roles users as part of administrative tasks. Microsoft Privileged Identity Management (PIM) may cause false positives / less accurate alerting. 
+references: +- https://attack.mitre.org/techniques/T1098/003/ +- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference +- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide +tags: + analytic_story: + - Azure Active Directory Persistence + asset_type: O365 Tenant + confidence: 100 + impact: 75 + message: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$ + mitre_attack_id: + - T1098 + - T1098.003 + observable: + - name: user + type: User + role: + - Victim + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.Name + - UserId + - ObjectId + - Workload + risk_score: 75 + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml new file mode 100644 index 0000000000..ebbe154331 --- /dev/null +++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml 
@@ -0,0 +1,65 @@ +name: O365 Privileged Role Assigned To Service Principal +id: 80f3fc1b-705f-4080-bf08-f61bf013b900 +version: 1 +date: '2024-04-11' +author: Steven Dick +status: production +type: TTP +description: The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source. +data_source: +- Office 365 Universal Audit Log +search: > + `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") + | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2) + | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature + | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole + | search isprvilegedadrole="TRUE" category!="User" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_privileged_role_assigned_to_service_principal_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and 
ingest Office 365 management activity events. +known_false_positives: Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. +references: +- https://attack.mitre.org/techniques/T1098/003/ +- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference +- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide +- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 +tags: + analytic_story: + - Azure Active Directory Privilege Escalation + asset_type: O365 Tenant + confidence: 100 + impact: 75 + message: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$ + mitre_attack_id: + - T1098 + - T1098.003 + observable: + - name: user + type: User + role: + - Victim + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.Name + - UserId + - ObjectId + - Workload + risk_score: 75 + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/lookups/privileged_azure_ad_roles.yml b/lookups/privileged_azure_ad_roles.yml index 8f2890415a..c7d76d7a9e 100644 --- a/lookups/privileged_azure_ad_roles.yml +++ b/lookups/privileged_azure_ad_roles.yml 
@@ -1,7 +1,7 @@ -description: A list of privileged Azure Active Directory roles. -filename: privileged_azure_ad_roles20240729.csv -name: privileged_azure_ad_roles -default_match: 'false' -match_type: WILDCARD(azureadrole) -min_matches: 1 -case_sensitive_match: 'false' +description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs. +filename: privileged_azure_ad_roles20240807.csv +name: privileged_azure_ad_roles +default_match: 'false' +match_type: WILDCARD(azureadrole),WILDCARD(azuretemplateid) +min_matches: 1 +case_sensitive_match: 'false' diff --git a/lookups/privileged_azure_ad_roles20240729.csv b/lookups/privileged_azure_ad_roles20240729.csv deleted file mode 100644 index b3c897e0e7..0000000000 --- a/lookups/privileged_azure_ad_roles20240729.csv +++ /dev/null 
@@ -1,28 +0,0 @@ -"azureadrole","isprvilegedadrole","description" -"""Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps." -"""Application Developer""","True","Can create application registrations independent of the 'Users can register applications' setting." -"""Authentication Administrator""","True","Can access to view, set and reset authentication method information for any non-admin user." -"""Authentication Extensibility Administrator""","True","Customize sign in and sign up experiences for users by creating and managing custom authentication extensions." -"""B2C IEF Keyset Administrator""","True","Can manage secrets for federation and encryption in the Identity Experience Framework (IEF)." -"""Cloud Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps except App Proxy." -"""Cloud Device Administrator""","True","Limited access to manage devices in Microsoft Entra ID." -"""Conditional Access Administrator""","True","Can manage Conditional Access capabilities." -"""Directory Synchronization Accounts""","True","Only used by Microsoft Entra Connect and Microsoft Entra Cloud Sync services." -"""Directory Writers""","True","Can read and write basic directory information. For granting access to applications, not intended for users." -"""Domain Name Administrator""","True","Can manage domain names in cloud and on-premises." -"""External Identity Provider Administrator""","True","Can configure identity providers for use in direct federation." -"""Global Administrator""","True","Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities." -"""Global Reader""","True","Can read everything that a Global Administrator can, but not update anything." -"""Helpdesk Administrator""","True","Can reset passwords for non-administrators and Helpdesk Administrators." 
-"""Hybrid Identity Administrator""","True","Manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health." -"""Intune Administrator""","True","Can manage all aspects of the Intune product." -"""Lifecycle Workflows Administrator""","True","Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID." -"""Partner Tier1 Support""","True","Do not use - not intended for general use." -"""Partner Tier2 Support""","True","Do not use - not intended for general use." -"""Password Administrator""","True","Can reset passwords for non-administrators and Password Administrators." -"""Privileged Authentication Administrator""","True","Can access to view, set and reset authentication method information for any user (admin or non-admin)." -"""Privileged Role Administrator""","True","Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management." -"""Security Administrator""","True","Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365." -"""Security Operator""","True","Creates and manages security events." -"""Security Reader""","True","Can read security information and reports in Microsoft Entra ID and Office 365." -"""User Administrator""","True","Can manage all aspects of users and groups, including resetting passwords for limited admins." \ No newline at end of file diff --git a/lookups/privileged_azure_ad_roles20240807.csv b/lookups/privileged_azure_ad_roles20240807.csv new file mode 100644 index 0000000000..64987f909e --- /dev/null +++ b/lookups/privileged_azure_ad_roles20240807.csv 
@@ -0,0 +1,39 @@ +azureadrole,azuretemplateid,isprvilegedadrole,description +*Application Administrator*,*9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3*,TRUE,"Can create and manage all aspects of app registrations and enterprise apps." +*Application Developer*,*cf1c38e5-3621-4004-a7cb-879624dced7c*,TRUE,"Can create application registrations independent of the Users can register applications setting." +*Authentication Administrator*,*c4e39bd9-1100-46d3-8c65-fb160da0071f*,TRUE,"Can access to view, set and reset authentication method information for any non-admin user." +*Authentication Extensibility Administrator*,*25a516ed-2fa0-40ea-a2d0-12923a21473a*,TRUE,"Customize sign in and sign up experiences for users by creating and managing custom authentication extensions." +*Authentication Policy Administrator*,*526716b-113d-4c15-b2c8-68e3c22b9f80*,TRUE,"Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials." +*Azure AD Joined Device Local Administrator*,*9f06204d-73c1-4d4c-880a-6edb90606fd8*,TRUE,"Users assigned to this role are added to the local administrators group on Azure AD-joined devices." +*Azure DevOps Administrator*,*e3973bdf-4987-49ae-837a-ba8e231c7286*,TRUE,"Can manage Azure DevOps policies and settings." +*Azure Information Protection Administrator*,*7495fdc4-34c4-4d15-a289-98788ce399fd*,TRUE,"Can manage all aspects of the Azure Information Protection product." +*B2C IEF Keyset Administrator*,*aaf43236-0c0d-4d5f-883a-6955382ac081*,TRUE,"Can manage secrets for federation and encryption in the Identity Experience Framework (IEF)." +*Cloud Application Administrator*,*158c047a-c907-4556-b7ef-446551a6b5f7*,TRUE,"Can create and manage all aspects of app registrations and enterprise apps except App Proxy." +*Cloud Device Administrator*,*7698a772-787b-4ac8-901f-60d6b08affd2*,TRUE,"Limited access to manage devices in Azure AD." 
+*Compliance Administrator*,*17315797-102d-40b4-93e0-432062caca18*,TRUE,"Can read and manage compliance configuration and reports in Azure AD and Microsoft 365." +*Conditional Access Administrator*,*b1be1c3e-b65d-4f19-8427-f6fa0d97feb9*,TRUE,"Can manage Conditional Access capabilities." +*Directory Synchronization Accounts*,*d29b2b05-8046-44ba-8758-1e26182fcf32*,TRUE,"Only used by Microsoft Entra Connect service." +*Directory Writers*,*9360feb5-f418-4baa-8175-e2a00bac4301*,TRUE,"Can read and write basic directory information. For granting access to applications, not intended for users." +*Domain Name Administrator*,*8329153b-31d0-4727-b945-745eb3bc5f31*,TRUE,"Can manage domain names in cloud and on-premises." +*Exchange Administrator*,*29232cdf-9323-42fd-ade2-1d097af3e4de*,TRUE,"Can manage all aspects of the Exchange product." +*External Identity Provider Administrator*,*be2f45a1-457d-42af-a067-6ec1fa63bc45*,TRUE,"Can configure identity providers for use in direct federation." +*Global Administrator*,*62e90394-69f5-4237-9190-012177145e10*,TRUE,"Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities." +*Global Reader*,*f2ef992c-3afb-46b9-b7cf-a126ee74c451*,TRUE,"Can read everything that a Global Administrator can, but not update anything." +*Groups Administrator*,*fdd7a751-b60b-444a-984c-02652fe8fa1c*,TRUE,"Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports." +*Helpdesk Administrator*,*729827e3-9c14-49f7-bb1b-9608f156bbb8*,TRUE,"Can reset passwords for non-administrators and Helpdesk Administrators." +*Hybrid Identity Administrator*,*8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2*,TRUE,"Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings." 
+*Intune Administrator*,*3a2c62db-5318-420d-8d74-23affee5d9d5*,TRUE,"Can manage all aspects of the Intune product." +*License Administrator*,*4d6ac14f-3453-41d0-bef9-a3e0c569773a*,TRUE,"Can manage product licenses on users and groups." +*Network Administrator*,*d37c8bed-0711-4417-ba38-b4abe66ce4c2*,TRUE,"Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications." +*Partner Tier1 Support*,*4ba39ca4-527c-499a-b93d-d9b492c50246*,TRUE,"Do not use - not intended for general use" +*Partner Tier2 Support*,*e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8*,TRUE,"Do not use - not intended for general use" +*Password Administrator*,*966707d0-3269-4727-9be2-8c3a10f19b9d*,TRUE,"Can reset passwords for non-administrators and Password Administrators." +*Privileged Authentication Administrator*,*7be44c8a-adaf-4e2a-84d6-ab2649e08a13*,TRUE,"Can access to view, set and reset authentication method information for any user (admin or non-admin)" +*Privileged Role Administrator*,*e8611ab8-c189-46e8-94e1-60213ab1f814*,TRUE,"Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management." +*Security Administrator*,*194ae4cb-b126-40b2-bd5b-6091b380977d*,TRUE,"Can read security information and reports, and manage configuration in Azure AD and Office 365." +*Security Operator*,*5f2222b1-57c3-48ba-8ad5-d4759f1fde6f*,TRUE,"Creates and manages security events" +*Security Reader*,*5d6b6bb7-de71-4623-b4af-96380a352509*,TRUE,"Can read security information and reports in Microsoft Entra ID and Office 365." +*SharePoint Administrator*,*f28a1f50-f6e7-4571-818b-6a12f2af6b6c*,TRUE,"Can manage all aspects of the SharePoint service." +*Teams Administrator*,*69091246-20e8-4a56-aa4d-066075b2a7a8*,TRUE,"Can manage the Microsoft Teams service." +*User Administrator*,*fe930be7-5e62-47db-91af-98c3a49a38b1*,TRUE,"Can manage all aspects of users and groups, including resetting passwords for limited admins." 
+*Windows 365 Administrator*,*11451d60-acb2-45eb-a7d6-43d0f0125c13*,TRUE,"Can provision and manage all aspects of Cloud PCs." \ No newline at end of file
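Review bot: In o365_application_available_to_other_tenants.yml, the `stats ... by signature, user, object, object_name, object_attrs, result` clause groups by `object`, but no preceding `eval` sets `object` (only `object_name` and `object_attrs` are assigned). `stats` drops events that lack a by-field, so this search returns no rows; remove `object` from the by-clause or add an `object=...` assignment next to `object_name`. Also, `required_fields` lists `UserId`, which the search never reads, while `Actor{}.ID` and `ActorIpAddress`, which it does depend on, are missing from the list.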
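Review bot: In o365_cross_tenant_access_change.yml, the description says the analytic fires when cross-tenant access policies are "changed", but the `Operation IN (...)` filter only matches adding a partner and deleting a partner setting; an edit to an existing partner's inbound/outbound settings is not covered. Either add the corresponding update operation (confirm its exact name from the audit log) or narrow the description to add/delete. Minor: `required_fields` omits `ClientIP`, `Id` and `Actor{}.ID`, all used by the search, and `src` comes from `ClientIP` here but from `ActorIpAddress` in the sibling detection; pick one so `src` is populated consistently across the set.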
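Review bot: In o365_external_guest_user_invited.yml, the `rex field=user "(?[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})"` line has a capture group opened with `(?` but no group name, which is a regex syntax error and will fail the search as committed; it should read `(?<user>...)` (or whichever field the extracted address is meant to land in), so please confirm the name was not lost on commit. The `user = mvindex('ModifiedProperties{}.NewValue',5)` positional pick is brittle: if the property order differs between "Add user" event variants, the wrong value is extracted; locating the entry with `mvfind` on `ModifiedProperties{}.Name`, as the other detections in this patch do, would be safer. Typo in the description: "during his tall" should be "during his talk".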
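Review bot: In o365_external_identity_policy_changed.yml, the diff logic only compares `InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}`, so any other change to `B2BManagementPolicy` (blocked domains, invitation settings) yields null `result` and `action`, and the `message` ends in "policy - " with nothing after it, even though the description promises to highlight what changed. Also, `result = case(isnotnull(diff_add), "Added ...", isnotnull(diff_remove), "Removed ...")` stops at the first true branch, so a change that both adds and removes domains reports only the additions; build the string from two separate `if()` terms instead. Note that `mvfind` takes a regex, so the unescaped dots in a domain name can match other entries. Same description typo as the previous file: "tall" should be "talk".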
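Review bot: In o365_privileged_role_assigned.yml, `required_fields` lists `UserId` and `ObjectId` but the search also depends on `Actor{}.ID`, `Target{}.ID` and `ResultStatus`; add them so the required-field check reflects what the SPL actually reads. Grammar in `known_false_positives`: "assign the privileged roles users" is missing "to". The eval/stats/lookup pipeline here is duplicated verbatim in o365_privileged_role_assigned_to_service_principal.yml, differing only in the final `category` filter; a shared macro would keep future fixes in sync.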
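Review bot: In o365_privileged_role_assigned_to_service_principal.yml, the filter `category!="User"` admits every non-user target type, not only service principals, so the detection name and the `message` ("assigned to the Service Principal $user$") can be wrong for other target types; filtering on `category="ServicePrincipal"` (the same token the `Actor{}.ID` `case()` in this search already matches on) is more precise. The description also claims the detection "prevents unauthorized access"; an analytic identifies the assignment, it does not prevent it, so reword that sentence.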
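Review bot: In lookups/privileged_azure_ad_roles.yml, changing `match_type` to `WILDCARD(azureadrole),WILDCARD(azuretemplateid)` together with the new CSV's `*...*`-wrapped values alters how the existing `azureadrole` column matches: `*Application Administrator*` now also matches "Cloud Application Administrator" and `*Authentication Administrator*` matches "Privileged Authentication Administrator", so any other analytic that looks up by role name can get a different `description` row back than it did with the deleted file's triple-quoted exact values. Confirm those consumers before merging.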
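Review bot: In lookups/privileged_azure_ad_roles20240807.csv, the `Authentication Policy Administrator` row carries the template ID `526716b-113d-4c15-b2c8-68e3c22b9f80`, whose first segment has seven characters where every other ID in the file has eight; a mistyped GUID means that role will never match via the `azuretemplateid` lookup, so check it against Microsoft's role template reference and correct it. The file also ends without a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean. A few descriptions regressed relative to the deleted file (for example `Directory Synchronization Accounts` no longer mentions Cloud Sync); worth carrying the newer wording over.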