Hidden Admin Roles in Entra ID [CHK-1160]
Entra ID contains hidden administrative roles: built-in roles that are not surfaced in the role views administrators normally review, yet carry high privileges and can bypass protections such as multi-factor authentication. This check verifies whether any of these roles are assigned to a user or service account.
Rationale
Hidden roles exist for narrow service functions (partner support, directory synchronization) and must not be used as general-purpose admin roles. An attacker who obtains one of them gains high privileges while staying out of the role assignments that are usually reviewed. The roles that should not be assigned and that trigger an alarm in Attic are:
- Partner Tier1 Support
- Partner Tier2 Support
- Directory Synchronization Accounts (only needed for hybrid identity with Microsoft Entra Connect, where it is held by the Sync_ service account the installer creates; expect at most one such account, or one per sync server if a staging server exists)
- On Premises Directory Sync Account (only needed for hybrid identity with Microsoft Entra Cloud Sync; expect at most one account)
Fix
Manual steps:
- Navigate to Microsoft Entra Admin Center at https://entra.microsoft.com
- Select Users and open the user named in the alert.
- Verify whether the user is known. If the user is unknown, disable the account and select Revoke sessions so that tokens already issued can no longer be used to access the tenant.
- Investigate whether the user took steps to gain persistent access.
- If the user is supposed to have access, consider whitelisting the user via the Attic app to prevent unnecessary alerts.
- To remove the incorrectly assigned role(s), use PowerShell and replace the placeholders <ROLENAME> and <USERNAME@COMPANY> with values from the incident. The snippet uses the AzureAD module, which Microsoft has retired in favour of Microsoft Graph PowerShell; it still illustrates the removal, but prefer the Graph cmdlets on new tooling:
# Look up the activated directory role by its display name (the original filter
# referenced an undefined $roles variable and never matched).
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "<ROLENAME>" }
$user = Get-AzureADUser -ObjectId "<USERNAME@COMPANY>"
# Remove the user's membership in that role.
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
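The following script is an added example, not code from the Attic documentation or product. It reproduces the check in Microsoft Graph PowerShell (the supported replacement for the AzureAD module used above): it resolves the four roles from the Rationale section by display name, lists every active assignment on them with the principal it points at, warns when a sync role has more than the expected single account, and provides a helper that removes one assignment found this way. It assumes the Microsoft.Graph module is installed, that the caller can consent to the RoleManagement.ReadWrite.Directory and Directory.Read.All scopes, and that the role display names match Microsoft's built-in role list (in particular "On Premises Directory Sync Account", which the check above spells slightly differently).

```powershell
# Added example, not part of the original Attic check.
# Assumptions: Microsoft.Graph module installed; caller can consent to the
# scopes below; role display names as in Microsoft's built-in roles reference.
#Requires -Modules Microsoft.Graph.Identity.Governance

$HiddenRoles = @(
    'Partner Tier1 Support',
    'Partner Tier2 Support',
    'Directory Synchronization Accounts',
    'On Premises Directory Sync Account'
)

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All' | Out-Null

function Get-HiddenRoleAssignment {
    # Resolve each role from the unified role definitions (this works whether or
    # not the role has ever been activated in the tenant) and return every
    # active assignment on it, with the principal expanded so we can name it.
    foreach ($name in $HiddenRoles) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
        if (-not $def) { continue }

        Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty Principal |
            ForEach-Object {
                $props = $_.Principal.AdditionalProperties
                # Users carry a userPrincipalName; service principals only a displayName.
                $who = if ($props.ContainsKey('userPrincipalName')) { $props['userPrincipalName'] } else { $props['displayName'] }
                [pscustomobject]@{
                    Role          = $name
                    AssignmentId  = $_.Id
                    PrincipalId   = $_.PrincipalId
                    PrincipalType = $props['@odata.type']
                    Principal     = $who
                    Scope         = $_.DirectoryScopeId
                }
            }
    }
}

function Remove-HiddenRoleAssignment {
    # Removes one direct assignment reported by Get-HiddenRoleAssignment.
    # Only direct (active) assignments are covered; PIM eligibility is managed separately.
    param([Parameter(Mandatory)][string]$AssignmentId)
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $AssignmentId
}

# Report all findings.
$findings = Get-HiddenRoleAssignment
$findings | Format-Table Role, Principal, PrincipalType, Scope -AutoSize

# The two partner roles should have no assignments at all.
$findings | Where-Object { $_.Role -like 'Partner*' } |
    ForEach-Object { Write-Warning "$($_.Role) is assigned to $($_.Principal) ($($_.PrincipalType))" }

# Each sync role should be held by at most one service account.
$findings | Group-Object Role | Where-Object { $_.Name -like '*Sync*' -and $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "$($_.Name) has $($_.Count) assignments; expected at most 1" }

# To remediate a confirmed finding, pass its AssignmentId, e.g.:
# Remove-HiddenRoleAssignment -AssignmentId $findings[0].AssignmentId
```

Run the listing first and reconcile each principal against the whitelist before removing anything: the one Sync_ account created by Entra Connect is expected on the Directory Synchronization Accounts role, and deleting its assignment breaks directory synchronization. Anything else on these roles, in particular a human user or a service principal nobody recognises, is the case the check is designed to catch.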
Impact
Removing these roles closes a high-privilege path that attackers can use for unauthorized access. Treat an unexpected assignment as an incident: initiate the incident response process and investigate how and when the role was assigned (the Entra audit log records role assignment changes), since it may be one step in a larger compromise.