Role Assignable Group Privilege Escalation [CHK-1180]

This article covers the detection of role assignable groups whose owners do not hold the roles assigned through the group, which creates a potential privilege escalation path.

Every role assignable group (RAG) where an owner does not have a role that is assigned via the group will be reported. Owners who already hold a Tier 0 role are excluded.

Rationale

Group owners can manage the group's membership, so an owner who lacks the group's assigned roles can add themselves as a member and gain elevated permissions they shouldn't have. This creates a privilege escalation vulnerability that needs immediate attention.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Navigate to Microsoft Entra admin center at https://entra.microsoft.com.
  2. Select Groups then Role assignable groups.
  3. Review the role assignable group from the incident report and review the owners that do not have the assigned roles.
  4. If this is in error, click on "Edit" and remove the owner from the group or add the required roles to the owner.
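The following PowerShell script reproduces the check from the manual steps with the Microsoft Graph PowerShell SDK: for each role assignable group it compares the roles assigned to the group against the roles each owner already holds (directly or through other groups) and reports the gaps. This is an added example, not code from the original article or from Attic's automated fix; it assumes the Microsoft.Graph modules are installed, and the Tier 0 role list (only Global Administrator here) is a placeholder to be replaced with your own definition.

```powershell
# Added example (not part of the original article or Attic's automated fix).
# Reports role assignable groups whose owners do not hold the roles the group grants,
# i.e. owners who could add themselves to the group and gain those roles.
# Assumptions: Microsoft.Graph SDK installed; the Tier 0 list below is a placeholder.

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "Group.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Role definition template IDs treated as Tier 0 (placeholder: Global Administrator only).
$Tier0RoleTemplateIds = @('62e90394-69f5-4237-9190-012177145e10')

# Cache role definitions so each one is fetched from Graph only once.
$roleDefCache = @{}
function Get-RoleDefinition([string]$RoleDefinitionId) {
    if (-not $roleDefCache.ContainsKey($RoleDefinitionId)) {
        $roleDefCache[$RoleDefinitionId] =
            Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $RoleDefinitionId
    }
    return $roleDefCache[$RoleDefinitionId]
}

# Active directory role assignments for a principal (user or group) as role definition IDs.
function Get-ActiveRoleIds([string]$PrincipalId) {
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'" -All |
        Select-Object -ExpandProperty RoleDefinitionId -Unique
}

$findings = foreach ($group in Get-MgGroup -Filter "isAssignableToRole eq true" -All) {
    # Roles granted by membership of this group; a RAG with no assignment grants nothing.
    $groupRoleIds = @(Get-ActiveRoleIds -PrincipalId $group.Id)
    if ($groupRoleIds.Count -eq 0) { continue }

    foreach ($owner in Get-MgGroupOwner -GroupId $group.Id -All) {
        # Roles the owner already holds: direct assignments plus those inherited through
        # any other group the owner is a (transitive) member of.
        $ownerRoleIds = @(Get-ActiveRoleIds -PrincipalId $owner.Id)
        if ($owner.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            foreach ($m in Get-MgUserTransitiveMemberOf -UserId $owner.Id -All) {
                $ownerRoleIds += @(Get-ActiveRoleIds -PrincipalId $m.Id)
            }
        }
        $ownerTemplateIds = $ownerRoleIds | ForEach-Object { (Get-RoleDefinition $_).TemplateId }

        # Owners who already hold a Tier 0 role are excluded, as in the check.
        if ($ownerTemplateIds | Where-Object { $Tier0RoleTemplateIds -contains $_ }) { continue }

        # Any role the group grants that the owner does not already have is a finding.
        foreach ($roleId in ($groupRoleIds | Where-Object { $ownerRoleIds -notcontains $_ })) {
            [pscustomobject]@{
                GroupDisplayName = $group.DisplayName
                GroupId          = $group.Id
                OwnerDisplayName = $owner.AdditionalProperties['displayName']
                OwnerId          = $owner.Id
                MissingRole      = (Get-RoleDefinition $roleId).DisplayName
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Two design choices worth knowing before acting on the output: only active assignments are counted, so an owner whose role is merely eligible in PIM is reported (they do not hold the role until activated), and an owner's assignment is accepted regardless of its scope, so an owner who holds the role only over an administrative unit is treated as having it; tighten the comparison on DirectoryScopeId if that distinction matters in your tenant.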

Impact

Upon successful implementation of the fix, the privilege escalation vulnerability will be eliminated, ensuring that owners do not have unauthorized elevated permissions.

More Information

For more information about (over)sharing, group access, and other M365 resources, consider checking out https://www.m365permissions.com/