Session
May the Least Privilege Be With You: Exposing the Dark Side of Azure Service Principal Permissions
In every modern Azure environment, Service Principals drive automation and integration. Yet, to support enterprise solutions in identity governance, cloud security, and DevOps automation, these principals are often endowed with broad Microsoft Graph API permissions, such as RoleManagement.ReadWrite.Directory, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and ServicePrincipalEndpoint.ReadWrite.All. Even Entra ID roles that are not typically classified as “privileged” can be exploited, enabling attackers to modify Service Principal configurations and escalate privileges in unexpected ways.
This session reveals groundbreaking research that uncovers how excessive Graph API permissions, and the abuse of non‑privileged Entra ID roles, create new exploitation pathways in Azure. We will detail common misconfigurations that, when left unmonitored, allow attackers to seize control of Service Principals and manipulate application configurations. In doing so, we introduce Azure AppHunter, a novel open‑source tool that scans Azure environments for Service Principals with dangerous permissions and maps out potential attack vectors.
Attendees will gain practical techniques for detecting and mitigating these vulnerabilities, enforcing least privilege, and integrating continuous auditing into their security workflows, all essential for securing Azure deployments against emerging threats.
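As an added illustration of the kind of check the session describes (this is editor-supplied example code, not Azure AppHunter or any code from the speaker), the following script resolves Microsoft Graph appRoleAssignments to their permission names and flags the four application permissions named in the abstract. It assumes the caller has already fetched the Microsoft Graph service principal object and each principal's appRoleAssignments from the Graph API; the GUIDs and principal names below are constructed sample data.

```python
"""Flag Entra ID service principals holding high-risk Microsoft Graph application permissions."""
from typing import Dict, List

# Application permissions the abstract calls out as enabling privilege escalation.
HIGH_RISK_GRAPH_PERMISSIONS = {
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "ServicePrincipalEndpoint.ReadWrite.All",
}


def build_app_role_map(graph_sp: dict) -> Dict[str, str]:
    """Map appRole id -> permission value from the Microsoft Graph service principal
    (GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000')."""
    return {role["id"]: role["value"] for role in graph_sp.get("appRoles", [])}


def find_risky_assignments(assignments: List[dict], role_map: Dict[str, str]) -> List[dict]:
    """Given appRoleAssignment objects (GET /servicePrincipals/{id}/appRoleAssignments),
    return those that grant a high-risk permission, resolved to its name."""
    findings = []
    for a in assignments:
        perm = role_map.get(a["appRoleId"])  # unknown ids resolve to None and are skipped
        if perm in HIGH_RISK_GRAPH_PERMISSIONS:
            findings.append({"principal": a["principalDisplayName"], "permission": perm})
    return findings


# Constructed sample data: appRole ids are placeholders, not Microsoft's real GUIDs.
SAMPLE_GRAPH_SP = {
    "appId": "00000003-0000-0000-c000-000000000000",
    "appRoles": [
        {"id": "00000000-0000-0000-0000-000000000001", "value": "RoleManagement.ReadWrite.Directory"},
        {"id": "00000000-0000-0000-0000-000000000002", "value": "Application.ReadWrite.All"},
        {"id": "00000000-0000-0000-0000-000000000003", "value": "User.Read.All"},
    ],
}
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "ci-deploy-sp", "appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"principalDisplayName": "reporting-sp", "appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"principalDisplayName": "ci-deploy-sp", "appRoleId": "00000000-0000-0000-0000-000000000002"},
]


def audit_sample() -> List[dict]:
    """Run the check over the constructed sample; only ci-deploy-sp should be flagged."""
    return find_risky_assignments(SAMPLE_ASSIGNMENTS, build_app_role_map(SAMPLE_GRAPH_SP))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['principal']} holds {f['permission']}")
```

In a real tenant, run the same check over every service principal's assignments and treat each hit as a least-privilege review item, since each of these permissions lets the holder alter application or role configuration tenant-wide.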

Marios Gyftos
Senior Penetration Tester
Chicago, Illinois, United States