“Entra”sting Roles You’ll Want to Know About

What is Entra?

Entra is Microsoft’s identity platform. It gives you a way to manage the identities of your users, such as assigning them to groups, granting permissions, securing access to said identities, and more. Entra is almost inescapable in today’s world; if you’re using Microsoft 365 or Azure, you’re leveraging Entra in some capacity.

In 2023 alone, Microsoft saw a growth in the number of total “seats” by 11%, according to their 2023 annual report. Because Entra is the identity management platform, gaining insight into the activities occurring within Entra is incredibly important for defenders.

Why Should I Care?

Entra is a wonderfully complex system, and with its integration into Microsoft 365 and Azure in general, it can be messy to administer and maintain. It’s hard to find documentation sometimes, and even then the platform over its lifetime has matured and changed so much — and not just in name (RIP Azure AD). We’re still discussing the Midnight Blizzard incident (and its fallout) regarding Microsoft themselves; Splunk has an excellent writeup on this and it’s worth a read. Entra is hard and it’s time we admit it and learn to take additional steps to properly deploy, maintain, and defend it. To that end we need to discuss some of the roles (basically structured groupings of permissions on allowed activities) that currently exist within Entra.

What are Some of These Roles?

You can find a full listing of all the roles we’re about to discuss here. I wanted to focus on some of the lesser known roles and also some of the roles that you’re probably aware of but didn’t know everything that these roles were allowed to act upon. Also, I’m not going to cover every specific action each role can take. I just want to highlight some of the more interesting ones for defenders and Administrators to look out for. So let’s dive in!

Application Administrator

This role is designed to manage all aspects of applications (think app registrations and Enterprise Applications AKA Service Principals.) From application proxy, app credentials, and  everything in between, this role is powerful. I want to give a shout out to the Cloud Application Administrator role as it’s very similar and only lacks the ability to manage the application proxies. The Application Administrator can:

• Create/delete application and service principal credentials
• Manage OAuth2 permission grants this is also shared with other roles such as Application Developer
• Delete and create Service Principals
• Reset user passwords
• Change the name of Service Principals

Authentication Administrator

This role is able to reset or modify the authentication methods of other non-administrative users. Of course, this also means that someone with this role could gain access in order to impersonate or assume the identity of another user and/or service principal. Also, shoutout to a similar role called Privileged Authentication Administrator with slightly higher permissions (very similar to this but it also can do the same actions below with Administrators!) The Authentication Administrator can:

• Modify authentication methods (including strong authentication AKA MFA)
• Disable or enable users
• Restore deleted Users
• Invalidate refresh tokens (this will force active users to re-sign back in)

Directory Synchronization Accounts

Microsoft’s description in their documentation (linked above) says, “Do not use” and this is a rare case of me agreeing with Microsoft. In fact, it’s hard to find if you don’t know it exists. This was also one of the roles that inspired me to write this post. It’s supposed to only be used with the Entra connect service, but there is nothing stopping the assignment of this role. (Later in this post we’ll discuss how to find this role and who is assigned to it). This role is quite powerful — not as powerful as a Global Administrator role, but it definitely can do quite a bit, including:

• Creating new hybrid auth policies (pertinent if you do any Entra/Active Directory syncing)
• Managing the hashing functions of aforementioned hybrid configurations
• Updating directory policies, creating new ones, deleting old ones
• Creating, modifying, and deleting of Service Principals and applications
• Editing said credentials of applications and Service Principals
• Updating and modifying the role assignments of Service Principals

Helpdesk Administrator

This role can also perform password resets but in a more limited fashion. I wanted to call out this role since it could fly a little more under the radar of administrators and defenders. However, as it can reset some passwords, it could lead to scenarios of impersonation or assumption of identities. There is a table located here that calls out what roles can reset passwords of users, depending on the user’s role assignments. More specifically, this role can:

• Reset passwords for some users
• Read bitlocker keys and metadata
• Invalidate refresh tokens on users, forcing them to re-sign back in

Partner Tier 1 Support & Partner Tier 2 Support

These roles are meant to be used by a small group of Microsoft partners, according to the description in the documentation initially linked above. These are also slated to be deprecated in the future, but are still active (as of writing this article) and in reality should NOT be used at all. These roles are hard to find, much like the Directory Synchronization Accounts role. While not Global Admins, they are quite powerful and allow for activities like password resets (Tier 2 can also reset Administrator passwords.) Tier 2 is generally the more potent of the two roles as it can also modify the domain properties like creating and deleting said domains. These roles can:

• Create, modify, and delete users
• Invalidate refresh tokens
• Modify/update Oauth2 permission grants
• Update the credentials of applications
• Promote itself to a global admin (Tier 2 only)

Honorable Mentions

The following roles have some permissions that are similar to those above and were not mentioned in any of the above sections. I recommend reading more on each of these here.

• Privileged Role Administrator
• Security Administrator
• Security Operator
• Hybrid Identity Administrator
• Global Reader
• Conditional Access Administrator

Recommendations for Defenders and Administrators

The first recommendation would be to find out what roles are currently assigned to users in your Entra tenant. The below PowerShell script does just that and outputs to the console any user who has an assigned role along with a brief description of said role.

Import-Module -Name Microsoft.Graph.Authentication 
Import-Module -Name Microsoft.Graph.Users 

# Connect to Microsoft Graph
Connect-MgGraph -ContextScope Process -Scopes "User.Read.All", "Directory.Read.All"

# Get all users in the Azure AD tenant
$users = Get-MgUser -All

# Iterate through each user
foreach ($user in $users) {
    # Get the roles assigned to the user
    $roles = Get-MgUserMemberOfAsDirectoryRole -UserId $user.Id -All
    if ($roles) {
        Write-Host "User: $($user.DisplayName) ($($user.UserPrincipalName))"
            -ForegroundColor DarkYellow
        Write-Host "Assigned Roles:"
            -ForegroundColor DarkGreen 
            foreach ($role in $roles) {
                Write-Host "- $($role.DisplayName): "
                    -NoNewLine -ForegroundColor DarkCyan
                Write-Host "$($role.Description)"
                    -ForegroundColor DarkMagenta
        }
        Write-Host "`n"
    }
} 

You can also view this information in the Azure Privileged Identity Management portal to view active and enabled role assignments. Below is a screenshot of an example output from the script above.

I’d recommend regularly reviewing assignments in your tenant. I’d also recommend finding a solution like a SIEM to monitor changes in assignments (along with all the other Entra activity) to stay up to date on the changes and activities going on in your tenant. If you can’t implement a SIEM, I can’t stress enough that you should regularly review logs in Entra and in Microsoft 365’s unified audit log, and review role assignments and Risky users if you have Entra’s Premium P1 or P2 licensing as part of your subscriptions. If you find the roles mentioned above in use, make sure that the assignments are legitimate.

I’d also recommend auditing what Application Registrations and Enterprise Applications (Service Principals) are in use by your tenant, who approved them, and if they are still in use. These directories and tenants can get messy quickly, especially during migration projects. SpecterOps also has a great write up on these roles and is a very good read — you can check it out here.

How Blumira can Help

While the script mentioned above and Azure admin portal can be useful tools for defenders, it’s not always speedy and these aren’t looking to alert you quickly to the activity in your environment. SIEMs and similar tools typically require almost a metric ton of lift to get in place along with continuous tuning and rule creation.

To get started with monitoring Entra ID (Azure AD), try out Blumira’s editions which support sensors and integrate with Azure Event Hubs to help surface actionable intelligence and increase log retention.