Azure Privilege Escalation via Azure API Permissions Abuse
ID: 2c6ea2d5-92e2-5eb2-88ec-a2e9bc33bec3
STIX ID: report--2c6ea2d5-92e2-5eb2-88ec-a2e9bc33bec3
Feed Name: SpecterOps Blog
This report describes how certain Azure AD API permissions and app role configurations can be abused by a service principal to escalate privileges to Global Administrator through Microsoft Graph app roles (notably, holding AppRoleAssignment.ReadWrite.All lets a principal grant itself RoleManagement.ReadWrite.Directory). It walks through the components involved (service principals, app registrations, app roles), demonstrates the attack path with example code, and provides guidance for prevention (auditing, least privilege, PowerShell checks) and detection (Azure Audit Logs and Log Analytics workbooks).
