Microsoft Entra’s billing roles pose privilege escalation risks in Azure


Threat actors can abuse a by-design feature of Microsoft Entra, the software giant’s cloud-based identity and access management service, to gain persistence and escalate privilege inside a target Azure tenant.

According to a BeyondTrust discovery, Entra (formerly Azure Active Directory) grants intended yet risky capabilities to B2B guest users through Microsoft’s billing permissions.

“BeyondTrust researchers discovered that Entra guest users with the right billing roles can create subscriptions and become Owners, without any explicit permission within the target tenant,” BeyondTrust said in a blog post.

The exploitation pathway relies on how guests (external users invited to collaborate in an organization’s Azure environment) who hold certain billing permissions can create new subscriptions, the containers that hold resources such as virtual machines, databases, and services, inside the host tenant. The creator of a subscription is granted the “Owner” role on it by default.

This feature potentially allows a bad actor to sidestep intended access controls and introduce an unexpected vector for lateral movement and privilege escalation.

Billing permissions found exploitable, Microsoft disagrees

The issue arises from the capabilities granted to B2B guests through Microsoft’s billing permissions. “The guest you invited could quickly overstay their welcome,” BeyondTrust researchers noted.

Azure subscriptions provide a way to separate resources logically, and users in Entra ID can be assigned Azure role-based access control (RBAC) roles to manage resources within a specific subscription.

However, there’s a separate set of permissions related to billing and subscription creation that often goes unnoticed. These permissions include roles related to financial and subscription management within Microsoft environments. Security efforts typically focus on administrative permissions, not billing roles, especially when restricting external guest users, BeyondTrust researchers said.

BeyondTrust reported that Microsoft confirmed the behavior was expected when first contacted in January. Microsoft explained that guest-created subscriptions in Entra tenants were a requested ability now implemented by-design and are functioning as intended.

For clarity, BeyondTrust was directed to Microsoft documentation describing optional tenant-level controls that block subscriptions from being transferred into or out of a directory. Microsoft also added that subscriptions are isolated to act as security barriers, so a guest-created subscription shouldn’t be able to impact the rest of the tenant.

Microsoft did not immediately respond to CSO’s requests for comments.

Potential abuse for persistence, elevated access

Essentially, guest users who hold specific billing roles, such as “Billing Account Contributor”, on a billing account they already control (for example, in their home tenant) can create new Azure subscriptions that land in the host tenant. This action does not require any permission granted by the target tenant, effectively allowing guests to establish a foothold without direct administrative oversight.

Once a subscription is created, the guest user holds “Owner” rights over it. According to BeyondTrust, this elevated privilege enables them to deploy resources, assign roles, and potentially escalate their access, posing a significant threat to the tenant’s security posture.

The ability to create and control subscriptions potentially allows malicious actors to maintain persistence within the environment. They can leverage this position to move laterally, access sensitive data, or disrupt services.

To defend against this attack vector, BeyondTrust recommended a number of actions on top of enabling the optional Microsoft control that blocks subscriptions from being transferred into the tenant. These actions include auditing all guest accounts, hardening guest controls, monitoring all subscriptions (including who holds Owner on each), and auditing device access.
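The audit described above, as an added example (this is not BeyondTrust’s or Microsoft’s code): it flags subscriptions on which a guest user holds a privileged RBAC role, and checks whether the tenant’s subscription policy blocks subscriptions entering or leaving the directory. The input shapes are modelled on `az role assignment list --all -o json`, `az ad user list -o json`, and a GET of `https://management.azure.com/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01`; the policy property names are the ones documented for that API at the time of writing and should be verified against the current reference. All `SAMPLE_*` data is constructed for illustration.

```python
"""Audit for guest-owned Azure subscriptions and tenant subscription-transfer policy.

Added example for this article; not BeyondTrust's or Microsoft's code.
Assumptions: input shaped like `az role assignment list --all -o json`,
`az ad user list -o json`, and the Microsoft.Subscription/policies/default
REST resource (property names as documented; verify before relying on them).
"""
import re

# Constructed sample: role assignments as the CLI would return them. Guest UPNs
# carry the "#EXT#" marker that Entra adds to B2B guest accounts.
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "mallory_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
    {"principalName": "mallory_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "mallory_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-shared"},
]
# Constructed sample: directory users with their userType.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "userType": "Member"},
    {"userPrincipalName": "mallory_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest"},
]
# Constructed sample: a tenant policy that blocks subscriptions leaving but not entering.
SAMPLE_TENANT_POLICY = {"properties": {"blockSubscriptionsLeavingTenant": True,
                                       "blockSubscriptionsIntoTenant": False,
                                       "exemptedPrincipals": []}}

# Only whole-subscription scope matters here; resource-group assignments are ignored.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)
PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}
POLICY_FLAGS = {
    "blockSubscriptionsIntoTenant":
        "subscriptions created on any billing account can be placed into this tenant",
    "blockSubscriptionsLeavingTenant":
        "subscriptions can be moved out of this tenant, taking their resources along",
}


def guest_upns(users):
    """Lower-cased UPNs of every directory user whose userType is Guest."""
    return {u["userPrincipalName"].lower() for u in users if u.get("userType") == "Guest"}


def is_guest_upn(upn, guests):
    """Treat a principal as a guest if the directory says so, or if the UPN carries #EXT#
    (covers the case where the user export is stale or incomplete)."""
    upn = upn.lower()
    return upn in guests or "#ext#" in upn


def find_guest_owned_subscriptions(role_assignments, users, roles=PRIVILEGED_ROLES):
    """Return one finding per (guest, subscription, privileged role) at subscription scope."""
    guests = guest_upns(users)
    findings = []
    for ra in role_assignments:
        match = SUBSCRIPTION_SCOPE.match(ra.get("scope", ""))
        if not match or ra.get("principalType") != "User":
            continue
        if ra.get("roleDefinitionName") not in roles:
            continue
        if is_guest_upn(ra.get("principalName", ""), guests):
            findings.append({"subscription": match.group(1),
                             "guest": ra["principalName"],
                             "role": ra["roleDefinitionName"]})
    return findings


def transfer_policy_gaps(policy):
    """Names of the transfer-blocking flags that are not enabled in the tenant policy."""
    props = policy.get("properties", {})
    return [flag for flag in POLICY_FLAGS if not props.get(flag)]


def hardened_policy_body(exempted_principals=()):
    """Request body for PUT .../Microsoft.Subscription/policies/default that blocks
    transfers in both directions; exemptedPrincipals takes object IDs of users who may
    still move subscriptions (keep it empty unless there is a documented need)."""
    return {"properties": {"blockSubscriptionsLeavingTenant": True,
                           "blockSubscriptionsIntoTenant": True,
                           "exemptedPrincipals": list(exempted_principals)}}


if __name__ == "__main__":
    for f in find_guest_owned_subscriptions(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_USERS):
        print(f"guest {f['guest']} holds {f['role']} on subscription {f['subscription']}")
    for flag in transfer_policy_gaps(SAMPLE_TENANT_POLICY):
        print(f"policy gap: {flag} is off, {POLICY_FLAGS[flag]}")
```

Run the audit against the real output of the two `az` commands and the policy GET; any finding for a subscription that nobody in the tenant remembers creating is exactly the foothold the article describes, and the Owner assignment on it came from subscription creation, not from anyone in the tenant granting it.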

This is the second time this week that a Microsoft over-permission issue has been reported by threat hunters, the first being an Oasis discovery that a number of web applications had more access than required to a user’s OneDrive account because of an overly permissive OAuth scope requested by the OneDrive File Picker.

Originally published by CSO Online.