In the Azure defensive security world, Doug Bienstock, Juraj Sucik, and Jacob Skiba have created a tool called Mandiant Azure AD Investigator to help find evidence of adversaries abusing Azure app roles. I also found Marius Solbakken's blog to be an absolute treasure trove of Azure information which really helped me understand some of the more nuanced details of Azure.

What are Azure API Permissions?

Azure AD uses the concept of "roles" to dole out privileges to principals. For example, "Global Admin" (Global Administrator) is an Azure AD directory role. Azure API permissions are a wholly distinct, parallel set of permissions that can be granted to Azure service principals: what the portal calls "API permissions" are app roles defined by the resource's service principal (Microsoft Graph, for instance) and granted to another service principal through an app role assignment. There is some overlap between Azure AD directory roles and Azure API permissions, but I think it's best to think of them as parallel privilege systems. Both systems can be used to control, and to grant, access to the same objects. But the particular privileges granted within the Azure API permissions system are only taken into account when a principal is operating against the target object through that API; a permission granted on Microsoft Graph is honored only for calls made to Microsoft Graph, and counts for nothing when the same principal talks to a different API.

These systems are very complex and it's easy to get confused when learning about this. Before we go any further, let's establish some vocabulary here.

Principal - an identity that can be authenticated.
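To make the "parallel systems" point concrete, here is an added Python model of how the two systems answer the same authorization question. It is not code from the original post or from any tool it mentions. It assumes constructed sample data shaped like Microsoft Graph `servicePrincipal`, `appRoleAssignment` and directory-role objects; every object ID and GUID is a placeholder except the well-known Microsoft Graph appId, and the role and permission names `Global Administrator` and `Directory.ReadWrite.All` are used only as examples of one entry in each system.

```python
"""Parallel privilege systems in Azure AD: directory roles versus API permissions.

Constructed sample data, shaped like Microsoft Graph servicePrincipal,
appRoleAssignment and directoryRole objects. All object IDs are placeholders;
only the Microsoft Graph appId is the real well-known value.
"""

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # real, well-known

# Resource service principals that expose application permissions (appRoles).
# An appRoleAssignment's appRoleId only has meaning when looked up in the
# appRoles collection of the resource it was granted on.
RESOURCE_SPS = {
    "sp-graph": {
        "appId": MS_GRAPH_APP_ID,
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.ReadWrite.All"},
            {"id": "11111111-0000-0000-0000-000000000002", "value": "User.Read.All"},
        ],
    },
    "sp-other-api": {
        "appId": "22222222-0000-0000-0000-000000000000",  # placeholder
        "displayName": "Some other resource API (placeholder)",
        "appRoles": [],
    },
}

# API permission system: appRoleAssignments (principal -> appRole on a resource).
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-automation", "resourceId": "sp-graph",
     "appRoleId": "11111111-0000-0000-0000-000000000001"},
    # Same appRoleId referenced against a resource that does not define it:
    # this grants nothing, because appRoleIds are scoped to one resource.
    {"principalId": "sp-automation", "resourceId": "sp-other-api",
     "appRoleId": "11111111-0000-0000-0000-000000000001"},
]

# Directory role system: role display name -> member object IDs.
DIRECTORY_ROLE_MEMBERS = {
    "Global Administrator": {"user-alice"},
}


def api_permissions(principal_id: str, resource_id: str) -> set[str]:
    """Permission values a principal holds on one resource API."""
    resource = RESOURCE_SPS.get(resource_id, {"appRoles": []})
    role_values = {r["id"]: r["value"] for r in resource["appRoles"]}
    return {
        role_values[a["appRoleId"]]
        for a in APP_ROLE_ASSIGNMENTS
        if a["principalId"] == principal_id
        and a["resourceId"] == resource_id
        and a["appRoleId"] in role_values  # unknown appRoleId grants nothing
    }


def directory_roles(principal_id: str) -> set[str]:
    """Directory roles the principal is a member of."""
    return {role for role, members in DIRECTORY_ROLE_MEMBERS.items() if principal_id in members}


def can_write_directory_objects(principal_id: str, via_resource_id: str) -> bool:
    """Decide whether a principal may modify directory objects through a given API.

    Directory roles are evaluated regardless of which API the call arrives on.
    API permissions only count for calls made to the resource they were granted on.
    """
    if "Global Administrator" in directory_roles(principal_id):
        return True
    return "Directory.ReadWrite.All" in api_permissions(principal_id, via_resource_id)


if __name__ == "__main__":
    for principal in ("sp-automation", "user-alice", "sp-nothing"):
        for via in ("sp-graph", "sp-other-api"):
            print(f"{principal:14} via {via:13} -> {can_write_directory_objects(principal, via)}")
```

Running it shows the asymmetry the text describes: `sp-automation` can write directory objects when it calls Microsoft Graph, but not when it calls the other API, even though an assignment row exists for that resource; `user-alice`, holding a directory role, succeeds through either path. The `appRoleId in role_values` check is the part worth keeping in real tooling: resolve each assignment's `appRoleId` against the `appRoles` of that assignment's own `resourceId`, never against a global table of Graph permission GUIDs.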