{"id":3369,"date":"2025-05-29T11:50:36","date_gmt":"2025-05-29T11:50:36","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3369"},"modified":"2025-05-29T11:50:36","modified_gmt":"2025-05-29T11:50:36","slug":"microsoft-entras-billing-roles-pose-privilege-escalation-risks-in-azure","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3369","title":{"rendered":"Microsoft Entra\u2019s billing roles pose privilege escalation risks in Azure"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Threat actors can abuse a by-design feature of <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/microsoft-entra\" target=\"_blank\" rel=\"noopener\">Microsoft Entra<\/a>, the software giant\u2019s cloud-based identity and access management service, to gain persistence and escalate privileges inside a target Azure account.<\/p>\n<p>According to a BeyondTrust discovery, Entra (formerly Azure Active Directory) grants intended yet risky capabilities to B2B guest users through Microsoft\u2019s billing permissions.<\/p>\n<p>\u201cBeyondTrust researchers discovered that Entra guest users with the right billing roles can create subscriptions and become Owners\u2013without any explicit permission within the target tenant,\u201d BeyondTrust said in a <a href=\"https:\/\/www.beyondtrust.com\/blog\/entry\/restless-guests\" target=\"_blank\" rel=\"noopener\">blog<\/a> post.<\/p>\n<p>The exploitation pathway relies on how guests with certain billing permissions\u2013external users invited to collaborate in an organization\u2019s Azure environment\u2013can create new containers (subscriptions) holding resources such as virtual machines, databases, and services, and receive \u201cOwner\u201d rights on them by default.<\/p>\n<p>This feature potentially allows a bad actor to sidestep intended access controls, introducing an unexpected vector for lateral movement and privilege escalation.<\/p>\n
<h2 class=\"wp-block-heading\">Billing permissions found exploitable, Microsoft disagrees<\/h2>\n<p>The issue arises from the capabilities granted to B2B guests through Microsoft\u2019s billing permissions. \u201cThe guest you invited could quickly overstay their welcome,\u201d BeyondTrust researchers <a href=\"https:\/\/www.beyondtrust.com\/blog\/entry\/restless-guests\" target=\"_blank\" rel=\"noopener\">noted<\/a>.<\/p>\n<p>Azure subscriptions provide a way to separate resources logically, and users in Entra ID can be assigned role-based access control (<a href=\"https:\/\/www.csoonline.com\/article\/572177\/what-is-rbac-role-based-access-control-explained.html\">RBAC<\/a>) roles to manage resources within a specific subscription.<\/p>\n<p>However, there\u2019s a separate set of permissions related to billing and subscription creation that often goes unnoticed. These permissions include roles related to financial and subscription management within Microsoft environments. Security efforts typically focus on administrative permissions, not billing roles\u2013especially when restricting external guest users, BeyondTrust researchers said.<\/p>\n<p>BeyondTrust reported that Microsoft confirmed the behavior was expected when first contacted in January. Microsoft explained that guest-created subscriptions in Entra tenants were a requested ability, now implemented by design and functioning as intended.<\/p>\n<p>For clarity, BeyondTrust was directed to Microsoft <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/cost-management-billing\/manage\/manage-azure-subscription-policy\" target=\"_blank\" rel=\"noopener\">documentation<\/a> describing optional controls to block subscription transfers. Microsoft also added that subscriptions are isolated to act as security barriers, and they shouldn\u2019t be able to impact the rest of the tenant.<\/p>\n<p>Microsoft did not immediately respond to CSO\u2019s requests for comments.<\/p>\n
<h2 class=\"wp-block-heading\">Potential abuse for persistence, elevated access<\/h2>\n<p>Essentially, guest users assigned specific billing roles, such as \u201cBilling Account Contributor\u201d, can create new Azure subscriptions within a host tenant. This action does not require explicit permissions in the target tenant, effectively allowing guests to establish a foothold without direct administrative oversight.<\/p>\n<p>Once a subscription is created, the guest user gains \u201cOwner\u201d rights over it. According to BeyondTrust, this elevated privilege enables them to deploy resources, assign roles, and potentially escalate their access, posing a significant threat to the tenant\u2019s security posture.<\/p>\n<p>The ability to create and control subscriptions potentially allows malicious actors to maintain persistence within the environment. They can leverage this position to move laterally, access sensitive data, or disrupt services.<\/p>\n<p>To defend against this attack vector, BeyondTrust recommended a number of actions on top of using the optional Microsoft control to block the transfer of subscriptions. These actions include auditing all guest accounts, hardening guest controls, monitoring all subscriptions, and auditing device access.
<\/p>\n<p>This is the second time this week that a Microsoft over-permission issue has been reported by threat hunters, the first being an <a href=\"https:\/\/www.csoonline.com\/article\/3997051\/if-you-use-onedrive-to-upload-files-to-chatgpt-or-zoom-dont.html\">Oasis discovery<\/a> that a number of web applications had more access than required within a user\u2019s OneDrive account due to an overly permissive <a href=\"https:\/\/www.csoonline.com\/article\/562635\/what-is-oauth-how-the-open-authorization-framework-works.html\">OAuth<\/a> implementation in OneDrive File Picker.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors can abuse a by-design feature of Microsoft Entra, the software giant\u2019s cloud-based identity and access management service, to gain persistence and escalate privileges inside a target Azure account. According to a BeyondTrust discovery, Entra (formerly Azure Active Directory) grants intended yet risky capabilities to B2B guest users through Microsoft\u2019s billing permissions. \u201cBeyondTrust researchers [&hellip;]<\/p>\n
","protected":false},"author":0,"featured_media":3364,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3369","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3369"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3369"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3369\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3364"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}