Active Authentication Administrators in Azure

rootsecdev
4 min readFeb 1, 2024

--

I had this question come up again recently. What are “Active Authentication Administrators” and why are they showing up under regular users. Disclaimer: I occasionally run across this on cloud pentests.

Before I dive into to much around this there is a delineation between “Active Authentication Administrator” and “Authentication Administrator”. Below is a permissions reference for some clarity.

Authentication Administrator is a privileged role. They can be typically be seen on helpdesk/desktop admins. More importantly (I can’t stress this enough) this role is privileged. You will notice Active Authentication Administrator is completely absent from Entra built in roles.

So where does Active Authenticator Administrator come into play? Are these roles dangerous?

So in short. No these rights are not dangerous. So lets take a short deep dive with roadrecon to pull out this information for Han Solo.

So if we log in as Han Solo and we try and reset junior ;) you will notice everything is grayed out.

Don’t worry resetting passwords for someone else isn’t an option either.

Active Authentication Administrator is a per user MFA artifact. You can read about this and other fascinating things in Dirk-Jan’s slide deck on Fantastic Policies Cloud Roundup below.

Lets dig into the application assignment in detail:

So this account was never enrolled or enforced with per user MFA. At one point I was using SMS based text but then moved this user over to the authenticator app. At the time my migration from legacy multifactor authentication had not started. Currently my migration is in progress.

This is a good reminder for all enterprises that if you have not started to move away from legacy authentication methods. Please start your migration plans soon! It involves taking what MFA methods your users are using today and making sure those same methods are available to them in your modern authentication policies. You have until September 3, 2025 to complete your migration.

So can you dump end users from the active authentication role? Absolutely! (I would start your migration off legacy authentication and make sure anyone stuff in this role is configured for a modern authentication method)

We can now confirm Han no longer has this application role:

We now have authenticated as Han, he also still has MFA. So all is well here.

So the moral of this story. The application rights are not dangerous. They can be removed but you may want to ensure your path to move off legacy authentication has started. More importantly please migrate your tenants off legacy authentication. You have a little less than 2 years left to migrate your end users off.

Until next time.

--

--