Cloud App Admin → Global Admin via RoleManagement.ReadWrite.Directory
Quick Start Guide
1. Get an access token with Cloud App Admin privileges
2. Enter your access token and tenant ID
3. Click "Run Exploit" to find vulnerable apps
4. Use the generated cURL/PowerShell to get an SP token
5. Enter the SP token and click "Assign Global Admin"
6. Verify your new Global Admin status
About this PoC
This PoC demonstrates how a user with Cloud App Admin privileges can escalate to Global Admin by abusing the RoleManagement.ReadWrite.Directory permission.
The exploit works by:
1. Finding a service principal with RoleManagement.ReadWrite.Directory permission
2. Adding new credentials to that service principal
3. Using those credentials to assign the Global Admin role to the current user
Tip: Open Dev Console (F12) for detailed logs.
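The three steps listed under "The exploit works by" leave a recognizable pair of audit events, which the following added detection example (not part of the original PoC) correlates. It assumes records shaped like Microsoft Graph directoryAudit entries and a 24-hour correlation window; the function names and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template
WINDOW = timedelta(hours=24)  # assumed correlation window

SAMPLE_EVENTS = [  # constructed records, not real tenant data
    {"activityDateTime": "2024-05-01T10:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"id": "user-1"}},
     "targetResources": [{"id": "sp-1", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2024-05-01T10:05:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"servicePrincipalId": "sp-1"}},
     "targetResources": [{"id": "user-1", "type": "User", "modifiedProperties": [
         {"displayName": "Role.TemplateId",
          "newValue": '"' + GLOBAL_ADMIN_TEMPLATE_ID + '"'}]}]},
]

def _ts(event):
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))

def _role_template(event):
    # Audit values are JSON-quoted strings, so strip the surrounding quotes.
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.TemplateId":
                return (prop.get("newValue") or "").strip('"')
    return None

def find_escalations(events):
    """Return (user_id, sp_id) pairs where a user added credentials to a service
    principal and that principal then made the same user Global Admin."""
    cred_adds, hits = [], []  # cred_adds holds (time, user id, service principal id)
    for ev in sorted(events, key=_ts):
        by = ev.get("initiatedBy") or {}
        targets = ev.get("targetResources") or []
        name = ev.get("activityDisplayName")
        if name == "Add service principal credentials" and by.get("user") and targets:
            cred_adds.append((_ts(ev), by["user"]["id"], targets[0]["id"]))
        elif name == "Add member to role" and by.get("app"):
            if _role_template(ev) != GLOBAL_ADMIN_TEMPLATE_ID:
                continue
            sp_id = by["app"].get("servicePrincipalId")
            members = {t["id"] for t in targets if t.get("type") == "User"}
            for when, user_id, cred_sp in cred_adds:
                if cred_sp == sp_id and user_id in members and _ts(ev) - when <= WINDOW:
                    hits.append((user_id, sp_id))
    return hits
```

A hit means the account that added the credential is also the account that received the role, which is the self-escalation pattern this page describes; role grants made by a service principal to other users need separate review.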