# AZ\_IN\_GROUP

## Summary

|                               |                                   |
| ----------------------------- | --------------------------------- |
| **FSProtect ACL Alias**       | AZ\_IN\_GROUP                     |
| **Entra ID (Azure AD) Alias** | Group Member                      |
| **Affected Object Types**     | Users, Service Principals, Groups |
| **Exploitation Certainty**    | Certain                           |

## Description

`AZ_IN_GROUP` represents that a principal (user, service principal, or another group) **is a member of a Microsoft Entra (Azure AD) group**. Group membership in Entra ID is fundamental to identity management and access control, as groups are used to assign:

* **Azure RBAC permissions** on subscriptions, resource groups, and resources.
* **Directory roles** when the group is **role-assignable** (`isAssignableToRole = true`).
* **Application access** through Conditional Access policies and app assignments.
* **License assignments** for Microsoft 365 and other services.

By being a member of a group, a principal inherits all the permissions and privileges assigned to that group. Because groups can be nested, this inheritance is transitive: if an attacker compromises an account that is a member of a privileged group, whether directly or through a nested group, they gain every resource and capability granted to that group.
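As an added illustration (not FSProtect's own code) of how this edge composes, the following Python resolves a principal's transitive `AZ_IN_GROUP` memberships over a constructed set of edges and merges the privileges of every group reached, and in reverse lists the principals that effectively hold a group's privileges. The tenant data, group names and the `<sub-id>` placeholder are assumptions.

```python
from collections import deque

# Constructed sample tenant (not from the page): AZ_IN_GROUP edges as
# (member, group) pairs and the privileges each group carries.
AZ_IN_GROUP_EDGES = [
    ("user:alice", "grp:helpdesk"),
    ("user:alice", "grp:priv-admins"),
    ("grp:helpdesk", "grp:it-ops"),        # nested group
    ("grp:helpdesk", "grp:all-staff"),
    ("grp:it-ops", "grp:all-staff"),       # diamond: reached twice, counted once
    ("sp:build-agent", "grp:it-ops"),
]
GROUP_PRIVILEGES = {
    "grp:it-ops": {"azure_rbac": ["Contributor on /subscriptions/<sub-id>"]},
    "grp:all-staff": {"license": ["Microsoft 365 E3"]},
    "grp:priv-admins": {"directory_role": ["Helpdesk Administrator"]},  # role-assignable, users only
}

def _index(edges, by_member=True):
    """Adjacency map: member -> groups (forward) or group -> members (reverse)."""
    adj = {}
    for member, group in edges:
        src, dst = (member, group) if by_member else (group, member)
        adj.setdefault(src, []).append(dst)
    return adj

def _reach(start, adj):
    """Breadth-first closure; the seen set stops re-walking shared parents or cycles."""
    seen, queue = set(), deque(adj.get(start, []))
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(adj.get(node, []))
    return seen

def transitive_groups(principal, edges=AZ_IN_GROUP_EDGES):
    """Every group the principal is in, directly or through nesting."""
    return _reach(principal, _index(edges))

def effective_members(group, edges=AZ_IN_GROUP_EDGES):
    """Users and service principals that end up in the group via any nesting path."""
    return {n for n in _reach(group, _index(edges, by_member=False)) if not n.startswith("grp:")}

def effective_privileges(principal, edges=AZ_IN_GROUP_EDGES, privs=GROUP_PRIVILEGES):
    """Union of the privileges of every group the principal transitively belongs to."""
    merged = {}
    for g in transitive_groups(principal, edges):
        for kind, values in privs.get(g, {}).items():
            merged.setdefault(kind, set()).update(values)
    return merged
```

`effective_members` is the view an auditor wants for a sensitive group: it answers who ends up inside it once nesting is unrolled.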

## Identification

### PowerShell

```powershell
Connect-MgGraph -Scopes "Group.Read.All","GroupMember.Read.All"

# Get all groups and their members
$groups = Get-MgGroup -All
$results = foreach ($group in $groups) {
    $members = Get-MgGroupMember -GroupId $group.Id -All
    foreach ($member in $members) {
        [PSCustomObject]@{
            GroupName  = $group.DisplayName
            GroupId    = $group.Id
            MemberName = $member.AdditionalProperties.displayName
            MemberType = ($member.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', '')
            MemberId   = $member.Id
        }
    }
}
$results | Export-Csv -Path ".\AzureGroupMembers.csv" -NoTypeInformation -Encoding UTF8
```

To check membership for a specific user:

```powershell
Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All"

$userUPN = "user@contoso.onmicrosoft.com"
$user = Get-MgUser -UserId $userUPN

# Get groups the user is a member of
$userGroups = Get-MgUserMemberOf -UserId $user.Id -All | Where-Object { 
    $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' 
}

$userGroups | ForEach-Object {
    [PSCustomObject]@{
        DisplayName = $_.AdditionalProperties.displayName
        Id          = $_.Id
    }
} | Format-Table -AutoSize
```

To enumerate transitive group memberships (including nested groups):

```powershell
Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All"

$userUPN = "user@contoso.onmicrosoft.com"
$user = Get-MgUser -UserId $userUPN

# Get transitive group memberships (includes nested groups)
$transitiveGroups = Get-MgUserTransitiveMemberOf -UserId $user.Id -All | Where-Object {
    $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group'
}

$transitiveGroups | ForEach-Object {
    [PSCustomObject]@{
        GroupName = $_.AdditionalProperties.displayName
        GroupId   = $_.Id
    }
} | Format-Table -AutoSize
```

### Azure CLI

```bash
# List all groups a user is a member of
az ad user get-member-groups --id "<UserObjectIdOrUPN>" --security-enabled-only false

# List all members of a specific group
az ad group member list --group "<GroupObjectIdOrName>" --query "[].{displayName:displayName,id:id,type:\"@odata.type\"}"

# Check if a user is a member of a specific group
az ad group member check --group "<GroupObjectIdOrName>" --member-id "<UserObjectId>"
```

![azure cli](/files/JYkH3XVZ06GZLW6j4ay6)

### Azure GUI

* Open **Microsoft Entra admin center** → **Users** → select the **target user**.
* Go to **Groups** in the left menu to see all group memberships.

  ![User group membership chrome](/files/lt2teALbPictHrf1ucKq)
* Alternatively, go to **Groups** → select a **target group** → **Members** to see all members.

  ![Group membership](/files/8Dq4JFScLcphXab1wuNb)

## Exploitation

There is no direct exploit path for this edge. `AZ_IN_GROUP` indicates that a principal is a member of a group, representing a relationship rather than an exploitable permission. The privileges inherited through group membership depend on what permissions are assigned to that group (Azure RBAC roles, directory roles, application access, etc.).

## Mitigation

No specific mitigation is required for this edge, as it represents a membership relationship. However, organizations should regularly audit group memberships to ensure only authorized principals are members of sensitive groups.

## Detection

Detect group membership changes in **Audit logs**.

* Go to **Microsoft Entra ID** → **Audit logs**.
* Click **Category: All** → select **GroupManagement** → **Apply**.
* Look for activities:
  * **Add member to group**
  * **Remove member from group**

![Audit logs detection](/files/SkU1tGkIkDVb6qBMxzPp)

Monitor for suspicious membership patterns:

* Users added to multiple privileged groups in a short timeframe.
* Service principals added to groups with Azure RBAC permissions.
* Membership changes outside of business hours.
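An added example, not from the original page, of the three patterns above applied as rules to constructed `GroupManagement` audit entries. The simplified event shape, the privileged-group and RBAC-group lists, the 15-minute burst window and the business-hours range are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified "Add member to group" audit entries (not real tenant data);
# a real Entra GroupManagement record carries the same facts under targetResources.
EVENTS = [
    {"time": "2024-05-06T09:05:00Z", "member": "user:alice", "member_type": "User", "group": "grp:it-ops"},
    {"time": "2024-05-06T09:09:00Z", "member": "user:alice", "member_type": "User", "group": "grp:priv-admins"},
    {"time": "2024-05-06T22:30:00Z", "member": "sp:build-agent", "member_type": "ServicePrincipal", "group": "grp:sub-contributors"},
    {"time": "2024-05-07T10:00:00Z", "member": "user:bob", "member_type": "User", "group": "grp:all-staff"},
]
# Assumed tenant knowledge: which groups are sensitive and which carry Azure RBAC.
PRIVILEGED_GROUPS = {"grp:it-ops", "grp:priv-admins", "grp:sub-contributors"}
RBAC_GROUPS = {"grp:sub-contributors"}
BURST_WINDOW = timedelta(minutes=15)
BUSINESS_HOURS = range(8, 18)   # UTC, Monday to Friday

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def outside_business_hours(dt):
    return dt.weekday() >= 5 or dt.hour not in BUSINESS_HOURS

def find_suspicious(events):
    """Return (rule, member, detail) alerts for the three patterns above."""
    alerts, recent = [], {}   # recent: member -> [(time, privileged group)]
    for e in sorted(events, key=lambda e: e["time"]):
        dt, member, group = parse_time(e["time"]), e["member"], e["group"]
        if e["member_type"] == "ServicePrincipal" and group in RBAC_GROUPS:
            alerts.append(("sp_added_to_rbac_group", member, group))
        if outside_business_hours(dt):
            alerts.append(("out_of_hours_change", member, group))
        if group in PRIVILEGED_GROUPS:
            # Keep only this member's privileged adds inside the sliding window.
            window = [(t, g) for t, g in recent.get(member, []) if dt - t <= BURST_WINDOW]
            window.append((dt, group))
            recent[member] = window
            groups = sorted({g for _, g in window})
            if len(groups) >= 2:
                alerts.append(("privileged_group_burst", member, ",".join(groups)))
    return alerts
```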
