{"$schema":"tier0-permissions-schema","description":"Microsoft Graph application permissions classified as Tier 0 -- most have a documented attack path to Global Administrator; the remaining entries either enable a tenant-wide availability (ransom) impact or are retained conservatively as legacy/untested, and each attackPath states which case applies. Source: github.com/emiliensocchi/azure-tiering (MIT license).","version":"2025-05","permissions":[{"permission":"AdministrativeUnit.ReadWrite.All","category":"role-assignment","attackPath":"When combined with password reset access, can remove a Global Admin from a Restricted Management Administrative Unit (RMAU) and take it over."},{"permission":"Application.ReadUpdate.All","category":"credential-injection","attackPath":"Can impersonate any SP with more privileged application permissions granted for MS Graph, and escalate to Global Admin."},{"permission":"Application.ReadWrite.All","category":"credential-injection","attackPath":"Can impersonate any SP with more privileged application permissions granted for MS Graph, and escalate to Global Admin."},{"permission":"Application.ReadWrite.OwnedBy","category":"credential-injection","attackPath":"Can impersonate owned SPs with more privileged permissions to escalate to Global Admin."},{"permission":"AppRoleAssignment.ReadWrite.All","category":"self-escalation","attackPath":"Can assign RoleManagement.ReadWrite.Directory to itself without admin consent, then assign Global Admin."},{"permission":"DelegatedAdminRelationship.ReadWrite.All","category":"cross-tenant","attackPath":"In CSP/MSP tenants, can add users to groups approved in GDAP relationships and assume Global Admin in customer tenants."},{"permission":"DeviceManagementConfiguration.ReadWrite.All","category":"intune-exploitation","attackPath":"Can run arbitrary commands on an Intune-managed endpoint of a Global Administrator and steal their tokens."},{"permission":"DeviceManagementRBAC.ReadWrite.All","category":"intune-exploitation","attackPath":"Can assign Intune roles enabling arbitrary command execution on Global Admin 
devices."},{"permission":"DeviceManagementScripts.ReadWrite.All","category":"intune-exploitation","attackPath":"Can deploy scripts to Intune-managed devices of Global Administrators and steal tokens."},{"permission":"Directory.ReadWrite.All","category":"group-manipulation","attackPath":"Can join non-role-assignable groups with privileged Azure permissions, and escalate via Azure resources."},{"permission":"Domain.ReadWrite.All","category":"federation-abuse","attackPath":"Can add a federated domain and authenticate as any Global Admin without password or MFA."},{"permission":"EntitlementManagement.ReadWrite.All","category":"policy-manipulation","attackPath":"Can modify access package policies to grant Global Admin without approval."},{"permission":"Group-OnPremisesSyncBehavior.ReadWrite.All","category":"hybrid-abuse","attackPath":"Combined with on-premises DA, can convert a cloud group providing GA access to a synced group and add controlled accounts."},{"permission":"Group.ReadWrite.All","category":"group-manipulation","attackPath":"Can join non-role-assignable groups with privileged Azure permissions, and escalate via Azure resources."},{"permission":"GroupMember.ReadWrite.All","category":"group-manipulation","attackPath":"Can join non-role-assignable groups with privileged Azure permissions, and escalate via Azure resources."},{"permission":"Organization.ReadWrite.All","category":"certificate-abuse","attackPath":"If Certificate Based Authentication (CBA) is enabled, can upload a trusted root certificate and impersonate a Global Admin."},{"permission":"Policy.ReadWrite.AuthenticationMethod","category":"auth-method-takeover","attackPath":"Combined with UserAuthenticationMethod.ReadWrite.All, can enable TAP authentication method and take over any account."},{"permission":"Policy.ReadWrite.ConditionalAccess","category":"tenant-availability","attackPath":"Can create a CA policy blocking all users for all apps, rendering the tenant unavailable (ransom 
vector)."},{"permission":"Policy.ReadWrite.PermissionGrant","category":"self-escalation","attackPath":"Can create a permission grant policy for RoleManagement.ReadWrite.Directory and self-escalate to Global Admin."},{"permission":"PrivilegedAccess.ReadWrite.AzureAD","category":"legacy","attackPath":"Legacy PIM permission -- kept for safety until completely removed by Microsoft."},{"permission":"PrivilegedAccess.ReadWrite.AzureADGroup","category":"role-assignment","attackPath":"Can add users as owner or member of a group with an active Global Admin assignment."},{"permission":"PrivilegedAccess.ReadWrite.AzureResources","category":"legacy","attackPath":"Legacy PIM permission -- kept for safety until completely removed by Microsoft."},{"permission":"PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup","category":"role-assignment","attackPath":"Can add users as owner or member of a group with an active Global Admin assignment."},{"permission":"PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup","category":"role-assignment","attackPath":"Can make a user eligible for a group with active GA assignment, then activate to escalate."},{"permission":"RoleAssignmentSchedule.ReadWrite.Directory","category":"role-assignment","attackPath":"Can assign Global Admin to any user by creating an active PIM role assignment."},{"permission":"RoleEligibilitySchedule.ReadWrite.Directory","category":"role-assignment","attackPath":"Can make any user eligible for Global Admin and activate it to escalate."},{"permission":"RoleManagement.ReadWrite.Directory","category":"role-assignment","attackPath":"Can directly assign the Global Admin role to any principal."},{"permission":"RoleManagementPolicy.ReadWrite.AzureADGroup","category":"policy-manipulation","attackPath":"Can remove MFA/approval constraints from PIM group assignments, enabling silent escalation."},{"permission":"RoleManagementPolicy.ReadWrite.Directory","category":"policy-manipulation","attackPath":"Can remove MFA/approval 
constraints from Entra role assignments, enabling silent escalation."},{"permission":"SecurityIdentitiesActions.ReadWrite.All","category":"tenant-availability","attackPath":"Can mark all accounts as compromised; in tenants whose CA policies block risky users this disables sign-in tenant-wide (ransom vector)."},{"permission":"SignInIdentifier.ReadWrite.All","category":"group-manipulation","attackPath":"Can edit UPN to join dynamic groups with privileged Azure permissions and escalate."},{"permission":"Synchronization.ReadWrite.All","category":"hybrid-abuse","attackPath":"Untested -- potential to modify hybrid sync configuration. Kept for safety."},{"permission":"User.DeleteRestore.All","category":"tenant-availability","attackPath":"Can delete all users in the tenant, rendering it unavailable (ransom vector)."},{"permission":"User.EnableDisableAccount.All","category":"tenant-availability","attackPath":"Can disable all user accounts in the tenant, rendering it unavailable (ransom vector)."},{"permission":"User.ReadWrite.All","category":"group-manipulation","attackPath":"Can edit user properties to join dynamic groups with privileged Azure permissions and escalate."},{"permission":"User-PasswordProfile.ReadWrite.All","category":"credential-injection","attackPath":"Can reset passwords of non-admin users and escalate via group memberships or Azure resources."},{"permission":"UserAuthenticationMethod.ReadWrite.All","category":"auth-method-takeover","attackPath":"Can generate a TAP for any user, including break-glass accounts, and authenticate as them (requires the TAP method to be enabled in the tenant's authentication methods policy; see Policy.ReadWrite.AuthenticationMethod)."},{"permission":"UserAuthMethod-HardwareOATH.ReadWrite.All","category":"auth-method-takeover","attackPath":"Can add a hardware OATH token to any user and authenticate with the TOTP."},{"permission":"UserAuthMethod-Phone.ReadWrite.All","category":"auth-method-takeover","attackPath":"Can update any user's phone, enable SMS sign-in, and authenticate via SMS OTP."},{"permission":"UserAuthMethod-QR.ReadWrite.All","category":"auth-method-takeover","attackPath":"Can generate a 
QR code + PIN for any user and authenticate as them."},{"permission":"UserAuthMethod-TAP.ReadWrite.All","category":"auth-method-takeover","attackPath":"Can generate a Temporary Access Pass for any user and authenticate as them (requires the TAP method to be enabled in the tenant's authentication methods policy; see Policy.ReadWrite.AuthenticationMethod)."}],"tier1DataAccess":["Mail.ReadWrite","Mail.Send","Files.ReadWrite.All","Sites.FullControl.All","Sites.ReadWrite.All","MailboxSettings.ReadWrite","Calendars.ReadWrite","Contacts.ReadWrite"]}