Crosswise

Detect toxic permission combinations before they become breaches

Individual roles look benign in isolation — but combinations are where the danger hides. Crosswise scans your Microsoft Entra ID tenant for role and permission patterns that, together, enable privilege escalation, credential injection, or tenant takeover. Every analysis runs entirely in your browser; no tenant data ever leaves your machine.

Read-only. Crosswise holds only delegated read permissions via Microsoft Graph — it never modifies your tenant, stores nothing on any server, and cannot write to the directory under any circumstance.
Read-only — zero writes
Browser-only — no egress
PKCE auth — your app reg
MIT open source

What Crosswise detects

Critical Privilege escalation

Direct path to Global Administrator

Privileged Role Administrator can self-assign Global Admin in a single Graph API call — no credential manipulation, no intermediary. Hybrid Identity Administrator can reroute directory sync to elevate an attacker-controlled on-prem account. These roles are operationally equivalent to holding Global Admin directly.

CW-011 • CW-013
Critical Auth takeover

Password reset over any user, including Global Admins

Privileged Authentication Administrator can reset passwords and manage authentication methods for any account in the tenant — including Global Administrators. The name is frequently misread as a restricted variant of Authentication Administrator. It is not. A single role holder can silently reset a Global Admin credential and assume full tenant control.

CW-003
High Credential injection

App Admin plus one privileged registration equals tenant takeover

Application Administrator and Cloud Application Administrator can add credentials to any app registration in the tenant. If even one existing app holds RoleManagement.ReadWrite.Directory or equivalent, injecting a secret onto it and authenticating as that app yields Global Administrator via a legitimate token — no role assignment appears in the audit log.

CW-004 • CW-010
High Defense evasion

Silently disabling MFA enforcement and security detections

Conditional Access Administrator can create a CA policy exclusion removing MFA for any account — including Global Admins — leaving them accessible via password alone. Security Administrator can dismiss active Defender XDR alerts, weaken Identity Protection risk policies, and suppress detections, erasing the evidence of an in-progress attack without touching a single role assignment.

CW-012 • CW-014 • CW-015
Critical AI agent risk

LLM-powered identities holding dangerous roles

AI agents and Copilot automation that hold Application Administrator can execute the credential-injection escalation path at machine speed — within seconds, before any SIEM alert fires. Unlike a human administrator, AI agents never pause at confirmation dialogs, run continuously rather than episodically, and can be triggered via prompt injection in the data they process.

CW-007
How it works

Browser-only. Delegated. Read-only. Open source.

Sign in with your own Microsoft account. Crosswise reads directory role assignments, service principals, and group memberships via Microsoft Graph using five delegated read-only permissions. All detection logic runs in your browser — no tenant data is sent anywhere. The entire codebase is MIT-licensed and auditable on GitHub.

Directory.Read.All, RoleManagement.Read.Directory, Application.Read.All, Policy.Read.All, User.Read
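As an added example (not Crosswise's own code), here is the shape of such a combination check in JavaScript over constructed sample data: single roles the page calls Global Admin-equivalent are flagged on their own, while Application Administrator is only flagged when some app in the tenant already holds RoleManagement.ReadWrite.Directory. The record shapes and ids are assumptions, not Graph's exact response format.

```javascript
// Added example, not Crosswise's own code: a minimal toxic-combination check
// over constructed, Graph-shaped records. In a real scan these would come from
// Microsoft Graph (directoryRoles with members, servicePrincipals with their
// appRoleAssignments); the simplified shapes below are an assumption.

// Graph application permission that lets an app assign directory roles
const ROLE_WRITE_PERMISSION = "RoleManagement.ReadWrite.Directory";
// Single roles the page treats as operationally equivalent to Global Administrator
const GA_EQUIVALENT_ROLES = new Set([
  "Privileged Role Administrator",
  "Hybrid Identity Administrator",
  "Privileged Authentication Administrator",
]);
// Roles that can add credentials to any app registration in the tenant
const CREDENTIAL_INJECTION_ROLES = new Set([
  "Application Administrator",
  "Cloud Application Administrator",
]);

// Constructed sample: directory role assignments (principalId is a hypothetical user id)
const sampleRoleAssignments = [
  { role: "Application Administrator", principalId: "u-alice" },
  { role: "Security Reader", principalId: "u-bob" },
  { role: "Privileged Authentication Administrator", principalId: "u-carol" },
];
// Constructed sample: app registrations and the Graph app-role permissions granted to them
const sampleApps = [
  { displayName: "ci-bot", appRoles: [ROLE_WRITE_PERMISSION, "Directory.Read.All"] },
  { displayName: "mailer", appRoles: ["Mail.Send"] },
];

// Returns one finding per dangerous role holder. A credential-injection role is
// only toxic when at least one app in the tenant already holds role-write rights.
function findToxicCombinations(roleAssignments, apps) {
  const privilegedApps = apps
    .filter((a) => a.appRoles.includes(ROLE_WRITE_PERMISSION))
    .map((a) => a.displayName);
  const findings = [];
  for (const { role, principalId } of roleAssignments) {
    if (GA_EQUIVALENT_ROLES.has(role)) {
      findings.push({ principalId, role, severity: "Critical",
        reason: "role is operationally equivalent to Global Administrator" });
    } else if (CREDENTIAL_INJECTION_ROLES.has(role) && privilegedApps.length > 0) {
      findings.push({ principalId, role, severity: "High",
        reason: `can inject a credential into: ${privilegedApps.join(", ")}` });
    }
  }
  return findings;
}
```

Run against the sample data, u-carol is reported as Critical and u-alice as High; remove ci-bot from the app list and u-alice is no longer flagged, which is the point of checking combinations rather than single roles.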


Ready to scan your tenant

Click Scan Tenant Now to evaluate your tenant against active detection rules. All analysis runs in your browser — no data leaves your machine.

Open source (MIT) • GitHub
