Service Principal Ownership: Automation vs. Exploitation #shorts

BSides Frankfurt · 1:18 · 126 views · Published 2026-01
About this talk
Direct API calls allow assigning service principal ownership, useful for automation. But it can be exploited! Add backdoor access & enable Certificate Based Authentication. Uh oh... #BsidesFrankfurt #Bsides #BsidesFra #TomerNahum #JonathanElkabas #Semperis
Transcript [en]

One interesting point uh to say is that you can't assign a service principal ownership over another service principal ownership. You can't do it via the UI, the Azure portal or the admin center, but you can do it uh through uh the direct API call, and we did so that in uh many of our customers because it's really useful for automation tasks. Okay. So instead a user manage another service principal, let's make it automated that a service principal can manage another one. Um, it's a really useful feature, but again this can be exploited, and the exploitation is very simple in that case: if you're an owner, like we said earlier, you can add yourself, you can add a back door access to it and authenticate to it. So the above attack path basically allows you to enable CBA, certificate based authentication, in the tenant, and that way you can combine those two together and um add a root CA, an evil root CA, uh to the tenant and then use it to sign um a certificate for the global admin and then authenticate with that certificate as a global administrator. That it's on a very very uh speed run of the scenarios.
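For review on the defensive side, ownership of one service principal by another can be enumerated and followed transitively, since an owner can add credentials to what it owns. The following is an added example, not code from the talk or from the speakers; it assumes service principals exported with their owners expanded in Microsoft Graph's directory-object shape, and the sample data, IDs and the `sensitive_ids` parameter are constructed for illustration.

```python
import json
from collections import defaultdict

SP_TYPE = "#microsoft.graph.servicePrincipal"

# Constructed sample, shaped like Graph service principals with owners expanded (assumption).
SAMPLE = json.loads("""
[
  {"id": "sp-a", "displayName": "ci-deployer",
   "owners": [{"@odata.type": "#microsoft.graph.user", "id": "u-1"}]},
  {"id": "sp-b", "displayName": "cert-rotator",
   "owners": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-a"}]},
  {"id": "sp-c", "displayName": "tenant-config",
   "owners": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-b"},
              {"@odata.type": "#microsoft.graph.user", "id": "u-2"}]},
  {"id": "sp-d", "displayName": "reporting", "owners": []}
]
""")

def sp_ownership_edges(service_principals):
    """Return (owner_sp_id, owned_sp_id) pairs where the owner is itself a service principal."""
    edges = []
    for sp in service_principals:
        for owner in sp.get("owners", []):
            if owner.get("@odata.type", "").lower() == SP_TYPE.lower():
                edges.append((owner["id"], sp["id"]))
    return sorted(edges)

def reachable_by_ownership(service_principals):
    """Map each owning SP to every SP it controls directly or through a chain of owners."""
    owned = defaultdict(set)
    for owner_id, owned_id in sp_ownership_edges(service_principals):
        owned[owner_id].add(owned_id)
    result = {}
    for start in owned:
        seen, stack = set(), [start]
        while stack:
            for nxt in owned.get(stack.pop(), ()):
                if nxt not in seen and nxt != start:
                    seen.add(nxt)
                    stack.append(nxt)
        result[start] = sorted(seen)
    return result

def review_list(service_principals, sensitive_ids):
    """Owning SPs whose ownership chain reaches an SP the reviewer marked as sensitive."""
    return sorted(o for o, r in reachable_by_ownership(service_principals).items()
                  if set(r) & set(sensitive_ids))
```

Every edge returned by `sp_ownership_edges` was created outside the portal, so each one is worth matching against a known automation use case.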