# AZ\_ADD\_MEMBERS

## Summary

|                             |                                                                                                     |
| --------------------------- | --------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**     | AZ\_ADD\_MEMBERS                                                                                    |
| **Entra ID Alias**          | Add Members (Group)                                                                                 |
| **Affected Object Types**   | AZ Group                                                                                            |
| **Exploitation Certainty**  | Certain                                                                                             |
| **Graph Permission / Role** | Directory roles (e.g., **Groups Administrator**, **User Administrator**) or being a **Group Owner** |

## Description

`AZ_ADD_MEMBERS` represents the ability of a principal (a user or service principal, typically because it owns the group or holds a directory role that manages group membership) to **add members to a Microsoft Entra ID group**. By adding itself (or a controlled identity) to a **privileged group**, an attacker can:

* Inherit **Azure RBAC** permissions if the group is assigned to subscriptions/resource groups/resources.
* Inherit **directory roles** when the group is **role-assignable** (`isAssignableToRole = true`).

Therefore, any identity with add-member capability on sensitive groups can quickly escalate privileges by modifying group membership.

## Identification

### PowerShell

```powershell
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# Connect-MgGraph -Scopes "Directory.Read.All","Group.Read.All","RoleManagement.Read.Directory"

# Get users in privileged roles that can add group members
$roles = @('Global Administrator','Privileged Role Administrator','Groups Administrator','User Administrator')
$roleMembers = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $roles } | ForEach-Object {
    $role = $_.DisplayName
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All | ForEach-Object {
        [pscustomobject]@{ Role = $role; Member = $_.AdditionalProperties['displayName']; Id = $_.Id }
    }
}

# Get all group owners
$groupOwners = Get-MgGroup -All | ForEach-Object {
    $g = $_
    Get-MgGroupOwner -GroupId $g.Id -All -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group = $g.DisplayName
            Owner = $_.AdditionalProperties['displayName']
            Type  = ($_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.','')
        }
    }
}

"=== PRIVILEGED ROLE MEMBERS ==="
$roleMembers | Format-Table -AutoSize
"=== GROUP OWNERS ==="
$groupOwners | Sort-Object Group | Format-Table -AutoSize
```
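Building on the script above, the following added example (not from the original page) narrows the question to role-assignable groups, where only Owners and holders of Global Administrator or Privileged Role Administrator can add members: for each such group it lists every identity that can do so, expanding any group that holds one of those roles into its transitive members. It assumes the same Microsoft.Graph module and the scopes noted in the comments.

```powershell
# Added example (not from the original page): for each role-assignable group, list every
# identity able to add members to it: its Owners plus the effective holders of Global
# Administrator / Privileged Role Administrator (role-holding groups expanded transitively).
# Requires: Install-Module Microsoft.Graph
# Connect-MgGraph -Scopes "Directory.Read.All","RoleManagement.Read.Directory"

$adderRoles = @('Global Administrator', 'Privileged Role Administrator')

# Note: Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$roleHolders = Get-MgDirectoryRole -All |
    Where-Object { $_.DisplayName -in $adderRoles } |
    ForEach-Object {
        $role = $_.DisplayName
        Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All | ForEach-Object {
            $member = $_
            $type   = $member.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            if ($type -eq 'group') {
                # A group holds the role: expand it so nested members become effective holders.
                $groupName = $member.AdditionalProperties['displayName']
                Get-MgGroupTransitiveMember -GroupId $member.Id -All | ForEach-Object {
                    [pscustomobject]@{
                        Principal = $_.AdditionalProperties['displayName']
                        Id        = $_.Id
                        Via       = "$role (via group '$groupName')"
                    }
                }
            } else {
                [pscustomobject]@{
                    Principal = $member.AdditionalProperties['displayName']
                    Id        = $member.Id
                    Via       = $role
                }
            }
        }
    }

# Role-assignable groups are the ones whose membership confers directory roles.
$sensitiveGroups = Get-MgGroup -All -Filter "isAssignableToRole eq true"

$report = foreach ($g in $sensitiveGroups) {
    Get-MgGroupOwner -GroupId $g.Id -All -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Group = $g.DisplayName; Principal = $_.AdditionalProperties['displayName']; Id = $_.Id; Via = 'Owner' }
    }
    foreach ($h in $roleHolders) {
        [pscustomobject]@{ Group = $g.DisplayName; Principal = $h.Principal; Id = $h.Id; Via = $h.Via }
    }
}

$report | Sort-Object Group, Via, Principal | Format-Table -AutoSize
```

Every row in the output is an identity whose compromise would let an attacker add members to that role-assignable group; the Owner rows are the ones the Mitigation section's owner clean-up targets.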

### Azure CLI

Check a group's owners and, if you are an owner or hold an appropriate role, add a member:

```bash
# List group owners
az ad group owner list --group "<GroupObjectIdOrName>" --query "[].{displayName:displayName,id:id}"

# Add a member (requires owner/appropriate role)
az ad group member add --group "<GroupObjectIdOrName>" --member-id "<ObjectIdOfUserOrSP>"
```

### Azure GUI

* Open **Microsoft Entra admin center** -> **Groups** -> select the **target group**.
* Go to **Owners** and list all identities shown there.

  * **Anyone listed as Owner can add members** to this group.

  ![image.png](/files/PM7RI2ngZnIhvRB72eGE)
* Go to **Properties** and check **"Is this group assignable to roles in Entra ID?"**

  * If **True** (role-assignable): only **Global Administrator (GA)** and **Privileged Role Administrator (PRA)** (besides Owners) can add members.
  * If **False**: **GA, PRA, Groups Administrator (GAd), User Administrator (UAd)** (besides Owners) can add members.

  ![image.png](/files/UJJRDefLBczlQTrEQrE0)
* Go to **Roles & administrators** and open each relevant role (GA, PRA, GAd, UAd).
  * In each role -> **Assignments**: list the **users** and **groups** that hold the role.
  * If a **group** holds the role, enumerate its **transitive members** (nested included) to get the **effective users** who can add members.

    ![image.png](/files/E7J8a2nvBuRsRZ4zHPAg)

## Exploitation

### PowerShell

```powershell
# Using Microsoft Graph PowerShell SDK
Connect-MgGraph -Scopes "GroupMember.ReadWrite.All"
$group = Get-MgGroup -Filter "displayName eq 'IT Admins'"
$user  = Get-MgUser -UserId "anyuser@fscloudlab.onmicrosoft.com"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
```

![Adding A User To A Group Powershell](/files/A53gmdgAaY7gYkKYV8mQ)

### Azure GUI

* Go to **Microsoft Entra ID** -> **Groups**.
* Locate the target group using **Search** or filters, and **open** the group.
* Open **Members** (left menu of the group blade).
* Click **Add members**.
* In the picker dialog:
  * Search for the identity you want to insert.
  * Select the identity and click **Select** (or **Add**) to confirm.

## Mitigation

* **Reduce the number of Group Owners.** Fewer Owners means fewer identities that can add members; this directly reduces lateral-movement and privilege-escalation risk, especially for role-assignable or production-impacting groups.
  * Go to **Microsoft Entra ID** -> **Groups** -> **All groups**.
  * Filter or search to find the **groups** from which you want to remove owner(s).
  * Open a **target group**.
  * Open **Owners**.
  * **Remove** any **vulnerable/high-risk identities**.
* **Remove unnecessary / vulnerable user assignees from a role**
  * Go to **Microsoft Entra ID** -> **Roles & administrators**.
  * In the search box, type the exact role name (e.g., **Global Administrator**) and **click** the role.
  * In the left menu, **click** **Assignments**.
  * Ensure **Active assignments** is selected.
  * Find the **user** you want to remove.
  * At the right of that row, **click** **... (More options)** -> **Remove assignment**.
  * In the confirmation dialog, **click** **Remove**.

## Detection

The "Add member to group" activity is recorded in the Entra **Audit logs** (category **GroupManagement**), so membership changes can be detected there directly.

* Go to **Microsoft Entra ID** -> **Audit logs**.
* Click **Category: All** -> select **GroupManagement** -> **Apply**.
* If the **Activity** column is hidden: **Manage view** -> **Edit columns** -> check **Activity**, **Initiated by (actor)**, **Target** -> **Apply**.

![image.png](/files/Vg0rOFeNEHs3XteAVNAt)
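The same audit data can be pulled through Graph rather than the portal. The following added example (not from the original page) retrieves the last seven days of "Add member to group" events and flags the ones whose target group is role-assignable, which is the case the Description section singles out. It assumes the Microsoft.Graph module with the scopes in the comments, and that each event lists the added principal and the group as separate `TargetResources` entries as described in the comments.

```powershell
# Added example (not from the original page): pull "Add member to group" events from the
# Entra audit log through Graph and flag those that touched a role-assignable group.
# Requires: Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
# Assumption: the added principal and the group are separate TargetResources entries, the
# group one having Type 'Group'; the member entry carries the group name in its
# ModifiedProperties as 'Group.DisplayName' (a JSON-quoted string).

$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "category eq 'GroupManagement' and activityDisplayName eq 'Add member to group' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Look each group up once; the flag is what decides whether the event is high-risk.
$roleAssignable = @{}
function Test-RoleAssignable([string]$GroupId) {
    if (-not $script:roleAssignable.ContainsKey($GroupId)) {
        $g = Get-MgGroup -GroupId $GroupId -Property isAssignableToRole -ErrorAction SilentlyContinue
        $script:roleAssignable[$GroupId] = [bool]$g.IsAssignableToRole
    }
    return $script:roleAssignable[$GroupId]
}

$findings = foreach ($e in $events) {
    $group  = $e.TargetResources | Where-Object { $_.Type -eq 'Group' } | Select-Object -First 1
    $member = $e.TargetResources | Where-Object { $_.Type -ne 'Group' } | Select-Object -First 1
    $groupName = $member.ModifiedProperties |
        Where-Object { $_.DisplayName -eq 'Group.DisplayName' } |
        ForEach-Object { $_.NewValue.Trim('"') } | Select-Object -First 1
    # Interactive actions carry a user; app-only (automation) tokens carry an app.
    $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName } else { $e.InitiatedBy.App.DisplayName }
    [pscustomobject]@{
        Time           = $e.ActivityDateTime
        Actor          = $actor
        Member         = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.DisplayName }
        Group          = $groupName
        RoleAssignable = if ($group.Id) { Test-RoleAssignable $group.Id } else { $false }
        Result         = $e.Result
    }
}

# Role-assignable groups first: a member added there inherits directory roles.
$findings | Sort-Object RoleAssignable, Time -Descending | Format-Table -AutoSize
```

Rows with `RoleAssignable` set to True are the ones to review first; cross-check the `Actor` against the Owners and role holders enumerated in the Identification section to spot additions made by an identity that should not have that capability.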

## References

* <https://learn.microsoft.com/en-us/cli/azure/ad/group/member?view=azure-cli-latest>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-activity-log-schemas>
* <https://learn.microsoft.com/en-us/powershell/microsoftgraph/overview>
* <https://learn.microsoft.com/en-us/graph/api/group-post-members>
