When an app permission is Global Admin: Graph role-write takeover
Some Microsoft Graph application permissions are effectively tenant takeover. An app-only token with role-write power can grant itself Global Administrator.
Not every privilege escalation needs a user. A service principal holding the wrong Graph permission can promote itself to Global Administrator with no human signed in.
How the attack works
An app in the tenant holds a takeover-grade Microsoft Graph application permission such as RoleManagement.ReadWrite.Directory. An attacker who obtains that app's client secret or certificate mints an app-only access token through the client-credentials flow, with no user present and therefore no MFA prompt, then calls Graph to add a principal it controls (typically the app's own service principal) to the Global Administrator role. From there it can write itself further app-role assignments to broaden access, then enumerate privileged roles and Conditional Access policies. The Entra audit log records each role-assignment and appRoleAssignment write with the service principal, not a user, as the initiating actor. In ATT&CK terms this is T1098.003, Account Manipulation: Additional Cloud Roles, reached with a stolen application access token (T1528).
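The audit trail described above, and the alerting step in the fix section, come down to one question: was a role or app-role write initiated by an application rather than a user? The following detector is an added example written for this page, not code from the original or from GraphLattice Range. The records it runs over are constructed to follow the shape of Microsoft Graph /auditLogs/directoryAudits entries (initiatedBy.app for an app-only actor, targetResources with JSON-encoded modifiedProperties); the ids and display names are made up, and the AppRole.Value property name for app-role grants is an assumption to confirm against your own tenant's records.

```python
"""Flag app-only (service-principal-initiated) writes to directory roles and app
role grants in Entra audit log records.

Added example, not code from the original page or from GraphLattice Range.
SAMPLE_RECORDS is constructed to mimic /auditLogs/directoryAudits entries; every
id and name in it is made up.
"""
import json

GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template
WATCHED_ACTIVITIES = {
    "Add member to role",
    "Add eligible member to role",
    "Add app role assignment to service principal",
}


def modified_value(target, name):
    """Decode one modifiedProperty newValue; the audit log stores them as JSON strings."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name and prop.get("newValue"):
            return json.loads(prop["newValue"])
    return None


def first_value(targets, name):
    """First decoded value of a named modifiedProperty across all target resources."""
    return next((v for v in (modified_value(t, name) for t in targets) if v), None)


def app_only_privilege_writes(records):
    """One finding per successful watched write whose initiator is an application
    (initiatedBy.app set), i.e. an app-only token with no signed-in user."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in WATCHED_ACTIVITIES or rec.get("result") != "success":
            continue
        actor = (rec.get("initiatedBy") or {}).get("app")
        if not actor:
            continue  # user-driven change; a different detection covers those
        actor_id = actor.get("servicePrincipalId")
        targets = rec.get("targetResources", [])
        # The principal that gained the privilege is the target that is not the Role itself.
        principal = next((t for t in targets if t.get("type") != "Role"), {})
        # AppRole.Value is assumed to carry the permission name for app-role grants.
        role_name = first_value(targets, "Role.DisplayName") or first_value(targets, "AppRole.Value")
        findings.append({
            "time": rec.get("activityDateTime"),
            "activity": rec["activityDisplayName"],
            "actor_sp": actor_id,
            "principal_id": principal.get("id"),
            "principal_type": principal.get("type"),
            "role": role_name,
            "self_escalation": principal.get("id") == actor_id,
            "global_admin": first_value(targets, "Role.TemplateId") == GLOBAL_ADMIN_TEMPLATE_ID,
        })
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {   # a service principal adds itself to Global Administrator: the page's scenario
        "activityDateTime": "2024-05-02T03:14:07Z", "activityDisplayName": "Add member to role",
        "result": "success",
        "initiatedBy": {"user": None, "app": {"displayName": "Backup Sync", "servicePrincipalId": "sp-1"}},
        "targetResources": [
            {"id": "sp-1", "type": "ServicePrincipal", "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
                {"displayName": "Role.TemplateId", "newValue": "\"" + GLOBAL_ADMIN_TEMPLATE_ID + "\""}]},
            {"id": "role-obj", "type": "Role", "modifiedProperties": []}]},
    {   # an admin user does the same thing interactively: not app-only, skipped here
        "activityDateTime": "2024-05-02T09:00:00Z", "activityDisplayName": "Add member to role",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}, "app": None},
        "targetResources": [{"id": "user-7", "type": "User", "modifiedProperties": [
            {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {   # the service principal then grants itself a further Graph app role
        "activityDateTime": "2024-05-02T03:15:30Z",
        "activityDisplayName": "Add app role assignment to service principal", "result": "success",
        "initiatedBy": {"user": None, "app": {"displayName": "Backup Sync", "servicePrincipalId": "sp-1"}},
        "targetResources": [{"id": "sp-1", "type": "ServicePrincipal", "modifiedProperties": [
            {"displayName": "AppRole.Value", "newValue": "\"AppRoleAssignment.ReadWrite.All\""}]}]},
    {   # a failed attempt is not a grant; keep it out of the privilege-write findings
        "activityDateTime": "2024-05-02T03:13:50Z", "activityDisplayName": "Add member to role",
        "result": "failure",
        "initiatedBy": {"user": None, "app": {"displayName": "Backup Sync", "servicePrincipalId": "sp-1"}},
        "targetResources": [{"id": "sp-1", "type": "ServicePrincipal", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for f in app_only_privilege_writes(SAMPLE_RECORDS):
        print(f)
```

Run the same function over the output of GET /auditLogs/directoryAudits (paging through @odata.nextLink) to turn it into an alert; a finding with both self_escalation and global_admin set is the exact write this page describes.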
Why it works
A handful of Graph application permissions are not narrow API scopes; they are tenant-takeover capability. An app holding directory role-write power can self-escalate without any password or interactive sign-in, so the defenses built around users (MFA, user Conditional Access policies, password reset, sign-in risk) never engage: the client-credentials flow has no user to challenge, and Conditional Access for workload identities is a separate, separately licensed feature that most tenants have not turned on. The root cause is over-granted, unaudited app permissions.
How to fix it
The non-obvious point is that there is no password to reset. Containment is to stop the service principal minting tokens (disable it and revoke every secret and certificate, on the application object as well as the service principal, since the client-credentials flow accepts credentials from either), strip the dangerous Graph grant so a re-minted token is powerless, and delete the rogue role assignment. Do all three: access tokens already issued stay valid until they expire, so revoking credentials alone leaves a window in which the existing token still works. Scope what the principal actually did from the Entra audit and Graph activity logs filtered to its object id across the privileged window, including any credentials it added to other apps or principals, which is the usual persistence step. Then inventory every app holding takeover-grade Graph permissions, remove what is not justified, and alert on future role-assignment and appRoleAssignment writes, above all those whose initiator is an application rather than a user.
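Containment and inventory in code, as an added example written for this page (not the original's code and not GraphLattice Range's). It uses Microsoft Graph v1.0 endpoints that exist (servicePrincipal accountEnabled, removePassword, keyCredentials, appRoleAssignments, appRoleAssignedTo on the Microsoft Graph service principal, roleManagement/directory/roleAssignments), but the HTTP layer is a caller-supplied callable so the logic runs offline against the constructed FakeTenant below; every object id, key id and assignment id in it is made up. The list of takeover-grade permissions is the editor's judgement, not something the page enumerates.

```python
"""Contain a service principal that abused a Graph role-write grant, and
inventory the tenant for takeover-grade Graph application permissions.

Added example, not code from the original page or from GraphLattice Range.
`send(method, url, body) -> dict` is supplied by the caller: a thin wrapper over
requests with a bearer token in production, FakeTenant (constructed data) here.
"""
GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # appId of the Microsoft Graph resource
TAKEOVER_GRANTS = {                         # editor's list, not the page's
    "RoleManagement.ReadWrite.Directory",  # assign any directory role, Global Administrator included
    "AppRoleAssignment.ReadWrite.All",     # grant any app permission, including the one above
    "Application.ReadWrite.All",           # add credentials to any app, including one holding the above
}


def get_all(send, url):
    """Follow @odata.nextLink paging and return every item."""
    items = []
    while url:
        page = send("GET", url, None)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def graph_app_roles(send):
    """Graph service principal object id and a map of its appRole id -> permission name."""
    sp = get_all(send, f"{GRAPH}/servicePrincipals?$filter=appId eq '{MS_GRAPH_APP_ID}'&$select=id,appRoles")[0]
    return sp["id"], {r["id"]: r["value"] for r in sp["appRoles"]}


def inventory_takeover_grants(send):
    """Every principal in the tenant holding a takeover-grade Graph application permission."""
    graph_sp_id, names = graph_app_roles(send)
    hits = []
    for a in get_all(send, f"{GRAPH}/servicePrincipals/{graph_sp_id}/appRoleAssignedTo"):
        name = names.get(a["appRoleId"])
        if name in TAKEOVER_GRANTS:
            hits.append({"principal_id": a["principalId"], "principal": a.get("principalDisplayName"),
                         "permission": name, "assignment_id": a["id"]})
    return hits


def contain(send, sp_id, app_object_id, rogue_role_assignment_ids):
    """Stop token minting, strip takeover grants, delete the rogue role assignments.
    Returns the (method, url) pairs issued so the responder can review them."""
    calls = []

    def do(method, url, body=None):
        calls.append((method, url))
        return send(method, url, body)

    # 1. No new app-only tokens at all: disable sign-in for the service principal.
    do("PATCH", f"{GRAPH}/servicePrincipals/{sp_id}", {"accountEnabled": False})
    # 2. Revoke secrets and certificates on both objects the client-credentials flow
    #    accepts credentials from. removeKey needs a proof JWT signed with the private
    #    key, which a responder does not have, so certificates are cleared by PATCH.
    for kind, obj_id in (("applications", app_object_id), ("servicePrincipals", sp_id)):
        obj = do("GET", f"{GRAPH}/{kind}/{obj_id}?$select=passwordCredentials,keyCredentials")
        for cred in obj.get("passwordCredentials", []):
            do("POST", f"{GRAPH}/{kind}/{obj_id}/removePassword", {"keyId": cred["keyId"]})
        if obj.get("keyCredentials"):
            do("PATCH", f"{GRAPH}/{kind}/{obj_id}", {"keyCredentials": []})
    # 3. Strip the takeover-grade Graph grants so a re-minted token carries none of them.
    _, names = graph_app_roles(send)
    for a in get_all(send, f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments"):
        if names.get(a["appRoleId"]) in TAKEOVER_GRANTS:
            do("DELETE", f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments/{a['id']}")
    # 4. Delete the role assignments the actor wrote (ids come from audit-log scoping).
    for ra_id in rogue_role_assignment_ids:
        do("DELETE", f"{GRAPH}/roleManagement/directory/roleAssignments/{ra_id}")
    return calls


class FakeTenant:
    """Constructed tenant state standing in for a live Graph endpoint (example only)."""

    def __init__(self):
        self.writes = []
        self.responses = {
            f"{GRAPH}/servicePrincipals?$filter=appId eq '{MS_GRAPH_APP_ID}'&$select=id,appRoles":
                {"value": [{"id": "graph-sp", "appRoles": [
                    {"id": "role-rm", "value": "RoleManagement.ReadWrite.Directory"},
                    {"id": "role-mail", "value": "Mail.Read"}]}]},
            f"{GRAPH}/servicePrincipals/graph-sp/appRoleAssignedTo":
                {"value": [{"id": "asg-1", "principalId": "sp-rogue", "principalDisplayName": "Backup Sync", "appRoleId": "role-rm"},
                           {"id": "asg-2", "principalId": "sp-mail", "principalDisplayName": "Mail Bot", "appRoleId": "role-mail"}]},
            f"{GRAPH}/servicePrincipals/sp-rogue/appRoleAssignments": {"value": [{"id": "asg-1", "appRoleId": "role-rm"}]},
            f"{GRAPH}/applications/app-rogue?$select=passwordCredentials,keyCredentials":
                {"passwordCredentials": [{"keyId": "pw-1"}], "keyCredentials": [{"keyId": "cert-1"}]},
            f"{GRAPH}/servicePrincipals/sp-rogue?$select=passwordCredentials,keyCredentials":
                {"passwordCredentials": [], "keyCredentials": []},
        }

    def __call__(self, method, url, body):
        if method == "GET":
            return self.responses[url]
        self.writes.append((method, url, body))
        return {}


if __name__ == "__main__":
    tenant = FakeTenant()
    print(inventory_takeover_grants(tenant))
    for call in contain(tenant, "sp-rogue", "app-rogue", ["ra-1"]):
        print(*call)
```

Against a real tenant, `send` needs a token holding Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All and RoleManagement.ReadWrite.Directory itself, which is the point of the page: issue it to a break-glass identity, not to a long-lived automation app.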
Practice it
We built this as a GraphLattice Range scenario so security teams can recognize an app-only role write, revoke the credential and the grant, and inventory the tenant for the same dangerous permissions.