AZ_ADD_MEMBERS

Summary

FSProtect ACL Alias

AZ_ADD_MEMBERS

Entra ID Alias

Add Members (Group)

Affected Object Types

AZ Group

Exploitation Certainty

Certain

Graph Permission / Role

Directory roles (e.g., Groups Administrator, User Administrator) or being a Group Owner

Description

AZ_ADD_MEMBERS represents the ability for a principal (user, service principal, or group owner) to add members to a Microsoft Entra ID group. By adding themselves (or a controlled identity) into a privileged group, an attacker can:

Inherit Azure RBAC permissions if the group is assigned to subscriptions/resource groups/resources.
Inherit directory roles when the group is role-assignable (isAssignableToRole = true).

Therefore, any identity with add-member capability on sensitive groups can quickly escalate privileges by modifying group membership.

Identification

PowerShell

# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# Connect-MgGraph -Scopes "Directory.Read.All","Group.Read.All","RoleManagement.Read.Directory"

# Get users in privileged roles that can add group members
$roles = @('Global Administrator','Privileged Role Administrator','Groups Administrator','User Administrator')
$roleMembers = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $roles } | ForEach-Object {
    $role = $_.DisplayName
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All | ForEach-Object {
        [pscustomobject]@{ Role = $role; Member = $_.AdditionalProperties['displayName']; Id = $_.Id }
    }
}

# Get all group owners
$groupOwners = Get-MgGroup -All | ForEach-Object {
    $g = $_
    Get-MgGroupOwner -GroupId $g.Id -All -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group = $g.DisplayName
            Owner = $_.AdditionalProperties['displayName']
            Type  = ($_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.','')
        }
    }
}

"=== PRIVILEGED ROLE MEMBERS ===" 
$roleMembers | Format-Table -AutoSize
"=== GROUP OWNERS ==="
$groupOwners | Sort-Object Group | Format-Table -AutoSize

Azure CLI

Check owners and (if you are owner or hold the right role) add a member:

# List group owners
az ad group owner list --group "<GroupObjectIdOrName>" --query "[].{displayName:displayName,id:id}"

# Add a member (requires owner/appropriate role)
az ad group member add --group "<GroupObjectIdOrName>" --member-id "<ObjectIdOfUserOrSP>"

Azure GUI

Open Microsoft Entra admin center -> Groups -> select the target group.
Go to Owners and list all identities shown there.
- Anyone listed as Owner can add members to this group.
image.png
Go to Properties and check "Is this group assignable to roles in Entra ID?"
- If True (role-assignable): only Global Administrator (GA) and Privileged Role Administrator (PRA) (besides Owners) can add members.
- If False: GA, PRA, Groups Administrator (GAd), User Administrator (UAd) (besides Owners) can add members.
image.png
Go to Roles & administrators and open each relevant role (GA, PRA, GAd, UAd).
- In each role -> Assignments: list the users and groups that hold the role.
- If a group holds the role, enumerate its transitive members (nested included) to get the effective users who can add members.
  image.png

Exploitation

PowerShell

# Using Microsoft Graph PowerShell SDK
Connect-MgGraph -Scopes "GroupMember.ReadWrite.All"
$group = Get-MgGroup -Filter "displayName eq 'IT Admins'"
$user  = Get-MgUser -UserId "[email protected]"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

Azure GUI

Go to Microsoft Entra ID -> Groups.
Locate the target group using Search or filters, and open the group.
Open Members (left menu of the group blade).
Click Add members.
In the picker dialog:
- Search for the identity you want to insert.
- Select the identity and click Select (or Add) to confirm.

Mitigation

Fewer Owners means fewer identities that can add members; this directly reduces lateral-movement and privilege-escalation risk, especially for role-assignable or production-impacting groups.
- Go to Microsoft Entra ID -> Groups -> All groups.
- Filter or search to find groups that you want to remove owner(s).
- Open a target group.
- Open Owners.
- Remove any vulnerable/high-risk identities.
Remove unnecessary / vulnerable user assignees from a role
- Go to Microsoft Entra ID -> Roles & administrators.
- In the search box, type the exact role name (e.g., Global Administrator) and click the role.
- In the left menu, click Assignments.
- Ensure Active assignments is selected.
- Find the user you want to remove.
- At the right of that row, click ... (More options) -> Remove assignment.
- In the confirmation dialog, click Remove.

Detection

Detect "Add member to group" directly in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Click Category: All -> select GroupManagement -> Apply.
If the Activity column is hidden: Manage view -> Edit columns -> check Activity, Initiated by (actor), Target -> Apply.

References

PreviousAzure NextAZ_ADD_OWNER

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagAzure CLI

hashtagAzure GUI

hashtagExploitation

hashtagPowerShell

hashtagAzure GUI

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell

Azure CLI

Azure GUI

Exploitation

PowerShell

Azure GUI

Mitigation

Detection

References