AZ_ADD_OWNER

Summary

FSProtect ACL Alias

AZ_ADD_OWNERS

Azure AD Alias

Add Owners

Affected Object Types

AZ Group

Exploitation Certainty

Certain

Graph Permission / Role

Ability to add group owners via Graph scopes (e.g., Group.ReadWrite.All, Directory.ReadWrite.All) and/or directory roles (e.g., Groups Administrator, User Administrator, Privileged Role Administrator, Global Administrator) or already being a Group Owner

Description

AZ_ADD_OWNERS represents the ability for a principal (user, service principal, or group) to add new owners to a Microsoft Entra (Azure AD) group.

Group owners have full administrative control over that group including the ability to:

Add or remove members and other owners.
Modify group settings and attributes.
If the group is role-assignable (isAssignableToRole = true), indirectly control directory roles and Azure RBAC permissions associated with it.

Therefore, any identity capable of adding owners to sensitive groups can escalate privileges by granting themselves or a controlled identity full control over privileged or role-assignable groups.

Identification

PowerShell

$ErrorActionPreference='Stop'

function Expand-GroupUsers {
    param([string]$GroupId)
    $seenGroups = New-Object System.Collections.Generic.HashSet[string]
    $seenUsers  = New-Object System.Collections.Generic.HashSet[string]
    $users = @()
    $q = New-Object System.Collections.Generic.Queue[object]
    $null = $seenGroups.Add($GroupId)
    $q.Enqueue($GroupId)
    while($q.Count -gt 0){
        $gid = $q.Dequeue()
        try{ $members = Get-AzureADGroupMember -All $true -ObjectId $gid }catch{ continue }
        foreach($m in $members){
            if($m.ObjectType -eq 'User'){
                if($seenUsers.Add($m.ObjectId)){ $users += $m }
            }elseif($m.ObjectType -eq 'Group'){
                if($seenGroups.Add($m.ObjectId)){ $q.Enqueue($m.ObjectId) }
            }
        }
    }
    $users
}

function Get-AddableUsersByRoles {
    $rolesAll = @('Global Administrator','Privileged Role Administrator','Groups Administrator','User Administrator')
    $rolesAssignableOnly = @('Global Administrator','Privileged Role Administrator')
    $targetNames = ($rolesAll + $rolesAssignableOnly) | Select-Object -Unique
    $activeRoles = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $targetNames }
    $roleUsers = @{}
    foreach($r in $activeRoles){
        $members = @(Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId)
        $u = @()
        foreach($m in $members){
            if($m.ObjectType -eq 'User'){
                $u += $m
            }elseif($m.ObjectType -eq 'Group'){
                $u += Expand-GroupUsers -GroupId $m.ObjectId
            }
        }
        $uniq = $u | Group-Object ObjectId | ForEach-Object { $_.Group[0] }
        $roleUsers[$r.DisplayName] = $uniq
    }
    $groups = Get-AzureADMSGroup -All $true
    $rows = @()
    foreach($g in $groups){
        $assignable = $false
        if ($g.PSObject.Properties.Name -contains 'IsAssignableToRole') { $assignable = [bool]$g.IsAssignableToRole }
        elseif ($g.PSObject.Properties.Name -contains 'AdditionalProperties') {
            $v = $g.AdditionalProperties['isAssignableToRole']
            if ($null -ne $v) { $assignable = [bool]$v }
        }
        $eligible = if ($assignable) { $rolesAssignableOnly } else { $rolesAll }
        foreach($rn in $eligible){
            if(-not $roleUsers.ContainsKey($rn)){ continue }
            foreach($u in $roleUsers[$rn]){
                $upn = if($u.PSObject.Properties.Name -contains 'UserPrincipalName'){ $u.UserPrincipalName } else { '' }
                $rows += [pscustomobject]@{
                    GroupDisplayName   = $g.DisplayName
                    GroupId            = $g.Id
                    IsAssignableToRole = $assignable
                    UserDisplayName    = $u.DisplayName
                    UserPrincipalName  = $upn
                    UserId             = $u.ObjectId
                    Reason             = "Tenant role: $rn"
                }
            }
        }
    }
    $rows
}

function Get-AllGroupOwnersAz {
    $pageSize = 999
    $skip = 0
    $allGroups = @()
    do {
        $batch = Get-AzADGroup -First $pageSize -Skip $skip -ErrorAction Stop
        if ($batch) { $allGroups += $batch; $skip += $batch.Count }
    } while ($batch.Count -eq $pageSize)
    $rows = foreach ($g in $allGroups) {
        $owners = $null
        try   { $owners = @( Get-AzADGroupOwner -GroupId $g.Id -ErrorAction Stop ) }
        catch { $owners = @( Get-AzADGroupOwner -GroupObjectId $g.Id -ErrorAction SilentlyContinue ) }
        if (-not $owners -or $owners.Count -eq 0) { continue }
        foreach ($o in $owners) {
            $dtype = $o.AdditionalProperties['@odata.type']
            $otype = if ($dtype) { ($dtype -replace '^#microsoft\.graph\.', '') } else { 'DirectoryObject' }
            [pscustomobject]@{
                GroupDisplayName = $g.DisplayName
                OwnerType        = $otype
                OwnerDisplayName = $o.DisplayName
            }
        }
    }
    $rows
}

$roleRows = Get-AddableUsersByRoles
$ownerRows = Get-AllGroupOwnersAz

"=== USERS WHO CAN ADD OWNERS (BY TENANT ROLES) ==="
$roleRows | Sort-Object GroupDisplayName,UserDisplayName,UserPrincipalName | Format-Table -AutoSize
"=== GROUP OWNERS (AZ) ==="
$ownerRows | Sort-Object GroupDisplayName,OwnerType,OwnerDisplayName | Format-Table -AutoSize

Azure CLI

Check owners and (if you are owner or hold the right role) add a member:

# Add new group owner
az ad group owner add --group "<GroupObjectIdOrName>" --owner-object-id "<ObjectIdOfUserOrSP>"

Azure GUI

Open Groups

Open Microsoft Entra admin center → Groups and select the target group.

Owners

Go to Owners (left menu of the group blade).

Anyone listed as Owner can add other owners.
Click Add owners → search for the identity → click Select.

Properties: Role-assignable check

In Properties, check whether “Is this group assignable to roles in Entra ID?” is enabled.

If True (role-assignable): only Global Administrator (GA) and Privileged Role Administrator (PRA) (besides Owners) can add owners.
If False: GA, PRA, Groups Administrator (GAd), and User Administrator (UAd) (besides Owners) can add owners.

Roles & administrators

Go to Roles & administrators to view who holds the roles above and whether any groups are assigned those roles.

If a group holds one of these roles, enumerate its transitive members (nested included) to identify all effective users who can add owners.

Exploitation

PowerShell Example

Connect-AzAccount

$groupId = (Get-AzADGroup -DisplayName "Sensitive-Admins").Id
$userId  = (Get-AzADUser -UserPrincipalName "[email protected]").Id

New-AzADGroupOwner -GroupId $groupId -OwnerId $userId

Azure GUI

Open Microsoft Entra admin center → Groups.
Select the target group.
Go to Owners (left menu of the group blade).
- Anyone listed as Owner can add other owners.
- Click Add owners → search for the target identity → select it → click Select.

Mitigation

Reduce number of owners

Fewer Owners means fewer identities that can add members; this directly reduces lateral-movement and privilege-escalation risk, especially for role-assignable or production-impacting groups.

Go to Microsoft Entra ID → Groups → All groups.
Filter or search to find groups that you want to remove owner(s).
Open a target group.
Open Owners.
Remove any vulnerable/high-risk identities.

Remove unnecessary / vulnerable user assignees from a role

Go to Microsoft Entra ID → Roles & administrators.
In the search box, type the exact role name (e.g., Global Administrator) and click the role.
In the left menu, click Assignments.
Ensure Active assignments is selected.
Find the user you want to remove.
At the right of that row, click … (More options) → Remove assignment.
In the confirmation dialog, click Remove.

Detection

Monitor Audit Logs for owner addition events.

Go to Microsoft Entra ID → Audit logs.
Filter by Category: GroupManagement.
Look for activities such as Add owner to group or equivalent.
If not visible, use Manage view → Edit columns and enable Activity, Initiated by (actor), and Target columns.

References

https://learn.microsoft.com/en-us/cli/azure/ad/group/owner?view=azure-cli-latest#az-ad-group-owner-add
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-activity-log-schemas
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azadgroupowner?view=azps-14.6.0

PreviousAZ_ADD_MEMBERS NextAZ_ADD_SECRET

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagAzure CLI

hashtagAzure GUI

hashtagOpen Groups

hashtagOwners

hashtagProperties: Role-assignable check

hashtagRoles & administrators

hashtagExploitation

hashtagPowerShell Example

hashtagAzure GUI

hashtagMitigation

hashtagReduce number of owners

hashtagRemove unnecessary / vulnerable user assignees from a role

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell

Azure CLI

Azure GUI

Open Groups

Owners

Properties: Role-assignable check

Roles & administrators

Exploitation

PowerShell Example

Azure GUI

Mitigation

Reduce number of owners

Remove unnecessary / vulnerable user assignees from a role

Detection

References