It's very good that you have taken measures against abuse, Abhijeet Kumar Sinha. However, I did find a severe weakness that allows for unwanted elevation of privilege with these new role groups.
By using Azure AD Entitlement Management > Access Packages. Example:
- Group "azuread-role-intune_administrator" is created and assigned to the role "Intune Administrator" (created by a Global Admin or Privileged Role Admin).
Now another user, "USER X" with the role "User administrator" can create an access package in Entitlement Management, and select "azuread-role-intune_administrator" as a resource role in the access package.
Now USER X can assign the access package to himself and will thus also be made a member of "azuread-role-intune_administrator", effectively giving the user access to something it should not have been able to do.
This happens because the Entitlement Management engine apparently runs with very high privileges or is exempt from the security measures made for these new role groups.
I would like to see this patched, but still be able to use the functionality of access packages with this new role-group functionality. Maybe an extra check in Entitlement Management where the active roles of the user creating the user assignment can be assessed before allowing or disallowing the action?
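Until such a check exists, a tenant admin can at least audit for the exposure described in the post: any access package whose resource roles include a role-assignable group hands the directory role behind that group to whoever is allowed to request the package. The script below is an added example written for this thread, not code from the original poster or from Microsoft. It assumes the Microsoft Graph v1.0 response shapes for `GET /groups?$filter=isAssignableToRole eq true` and `GET /identityGovernance/entitlementManagement/accessPackages?$expand=resourceRoleScopes($expand=role,scope)` (an app or user token with `Group.Read.All` and `EntitlementManagement.Read.All` is needed to call them), and the embedded JSON is constructed sample data so the check runs offline.

```python
"""Audit Entitlement Management access packages for role-assignable groups.

Added example for the thread above (not the original poster's or Microsoft's code).
The Graph call and the response field names (originId, originSystem,
resourceRoleScopes) are assumptions about the v1.0 API; the sample data at the
bottom is constructed and does not come from a real tenant.
"""
import json
import urllib.request
from typing import Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_get(path: str, token: str) -> dict:
    """GET one page of a Graph endpoint with a bearer token.

    Large tenants should follow '@odata.nextLink' until it disappears; omitted here
    to keep the audit logic readable.
    """
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def role_assignable_group_ids(groups_response: dict) -> Dict[str, str]:
    """Map group id -> displayName for every group flagged isAssignableToRole."""
    return {
        g["id"]: g.get("displayName", "")
        for g in groups_response.get("value", [])
        if g.get("isAssignableToRole") is True
    }


def find_risky_access_packages(packages_response: dict, role_groups: Dict[str, str]) -> List[dict]:
    """Return one finding per (access package, role-assignable group) pair.

    A finding means: anyone who can be assigned this package (including the user
    who created it, as described in the post) becomes a member of a group that
    carries a directory role.
    """
    findings = []
    for pkg in packages_response.get("value", []):
        for rrs in pkg.get("resourceRoleScopes", []):
            scope = rrs.get("scope") or {}
            role = rrs.get("role") or {}
            origin_id = scope.get("originId")
            if scope.get("originSystem") == "AadGroup" and origin_id in role_groups:
                findings.append({
                    "accessPackage": pkg.get("displayName", pkg.get("id")),
                    "accessPackageId": pkg.get("id"),
                    "group": role_groups[origin_id],
                    "groupId": origin_id,
                    "roleInGroup": role.get("displayName", "?"),  # e.g. Member / Owner
                })
    return findings


# Constructed sample responses (placeholders, not real tenant data).
SAMPLE_GROUPS = {"value": [
    {"id": "11111111-1111-1111-1111-111111111111",
     "displayName": "azuread-role-intune_administrator", "isAssignableToRole": True},
    {"id": "22222222-2222-2222-2222-222222222222",
     "displayName": "sg-helpdesk", "isAssignableToRole": False},
]}

SAMPLE_PACKAGES = {"value": [
    {"id": "pkg-a", "displayName": "Intune admins", "resourceRoleScopes": [
        {"role": {"displayName": "Member", "originSystem": "AadGroup"},
         "scope": {"originId": "11111111-1111-1111-1111-111111111111", "originSystem": "AadGroup"}}]},
    {"id": "pkg-b", "displayName": "Helpdesk tools", "resourceRoleScopes": [
        {"role": {"displayName": "Member", "originSystem": "AadGroup"},
         "scope": {"originId": "22222222-2222-2222-2222-222222222222", "originSystem": "AadGroup"}}]},
]}


def audit_sample() -> List[dict]:
    """Run the audit over the constructed sample data."""
    return find_risky_access_packages(SAMPLE_PACKAGES, role_assignable_group_ids(SAMPLE_GROUPS))


def audit_tenant(token: str) -> List[dict]:
    """Run the audit against a live tenant (requires a valid Graph token)."""
    groups = graph_get("/groups?$filter=isAssignableToRole eq true&$select=id,displayName,isAssignableToRole", token)
    packages = graph_get(
        "/identityGovernance/entitlementManagement/accessPackages"
        "?$expand=resourceRoleScopes($expand=role,scope)", token)
    return find_risky_access_packages(packages, role_assignable_group_ids(groups))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"access package '{f['accessPackage']}' grants {f['roleInGroup']} of "
              f"role-assignable group '{f['group']}'")
```

On the sample data only "Intune admins" is flagged, because it is the one package whose resource is a role-assignable group; "Helpdesk tools" references an ordinary security group and is left alone. Review each finding's package policies (who can request, who approves) and remove the role-assignable group as a package resource unless that path is deliberate.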