
Privilege Escalation via Service Principal Ownership #shorts

BSides Frankfurt · 1:02 · 209 views · Published 2026-01
About this talk
Low-privilege user owns a highly privileged service principal (PEA role). Add a client secret, authenticate in app-only context, and reset any password, including global admin. Simple privilege escalation! #bsidesfrankfurt #bsides #bsidesfra #TomerNahum #JonathanElkabas #Semperis
Transcript

You are a low-privilege user that has ownership over a privileged service principal which has the role of PA, which is Privileged Authentication Administrator. This role can basically reset and set every password for any user in the tenant. So in Microsoft Entra ID, ownership is a feature, because you want to delegate administrative actions. So a low-privilege user can be an owner of a high-privilege service principal, and the attack path is very straightforward. You basically add a client secret to the service principal. You authenticate in the app-only context, meaning you operate in the context of the application itself. And that way you can get its privileges and reset the global admin password. Very, very straightforward. Again, really beginner friendly, just to grasp the understanding, the initial understanding, of what it looks like to operate from an application context.
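For defenders, the ownership path described in the talk can be audited from a tenant export. The following is an added example, not code from the talk or the speakers: the snapshot, its field names and all identifiers are constructed, and the tier-0 role set is an assumption you should adjust to your own tiering model.

```python
# Constructed tenant snapshot; field names are illustrative, not a Microsoft Graph schema.
TIER0_ROLES = {"Global Administrator", "Privileged Role Administrator",
               "Privileged Authentication Administrator"}
USERS = {
    "u-alice": {"roles": set()},                      # low-privilege user
    "u-bob": {"roles": {"Global Administrator"}},     # already tier-0
}
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "roles": {"Privileged Authentication Administrator"},
     "owners": ["u-alice", "u-bob"]},
    {"id": "sp-2", "roles": {"Directory Readers"}, "owners": ["u-alice"]},
    {"id": "sp-3", "roles": {"Global Administrator"}, "owners": ["u-bob"]},
]
# Constructed audit events, reduced to the three fields the check needs.
AUDIT_EVENTS = [
    {"activity": "Add service principal credentials", "actor": "u-alice", "target": "sp-1"},
    {"activity": "Add service principal credentials", "actor": "u-bob", "target": "sp-3"},
    {"activity": "Update user", "actor": "u-alice", "target": "u-alice"},
]

def risky_ownerships(sps, users):
    """Return (sp_id, owner_id) pairs where the owner holds no tier-0 role
    but the owned service principal does."""
    findings = []
    for sp in sps:
        if not sp["roles"] & TIER0_ROLES:
            continue  # service principal is not tier-0, ownership is not an escalation path
        for owner in sp["owners"]:
            # Owners missing from the snapshot are treated as unprivileged.
            owner_roles = users.get(owner, {}).get("roles", set())
            if not owner_roles & TIER0_ROLES:
                findings.append((sp["id"], owner))
    return findings

def suspicious_credential_adds(events, sps, users):
    """Return audit events where a risky owner added a credential to the
    tier-0 service principal they own."""
    risky = set(risky_ownerships(sps, users))
    return [e for e in events
            if e["activity"] == "Add service principal credentials"
            and (e["target"], e["actor"]) in risky]

if __name__ == "__main__":
    for sp_id, owner in risky_ownerships(SERVICE_PRINCIPALS, USERS):
        print(f"REVIEW ownership: {owner} owns tier-0 service principal {sp_id}")
    for event in suspicious_credential_adds(AUDIT_EVENTS, SERVICE_PRINCIPALS, USERS):
        print(f"ALERT credential added: {event['actor']} -> {event['target']}")
```

Each ownership finding is a candidate for removing the owner or moving the role to a dedicated, tightly owned service principal; each credential-add finding warrants immediate review of the new secret.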