AZ_IN_GROUP

Summary

FSProtect ACL Alias

AZ_IN_GROUP

Entra ID (Azure AD) Alias

Group Member

Affected Object Types

Users, Service Principals, Groups

Exploitation Certainty

Certain

Description

AZ_IN_GROUP represents that a principal (user, service principal, or another group) is a member of a Microsoft Entra (Azure AD) group. Group membership in Entra ID is fundamental to identity management and access control, as groups are used to assign:

Azure RBAC permissions on subscriptions, resource groups, and resources.
Directory roles when the group is role-assignable (isAssignableToRole = true).
Application access through Conditional Access policies and app assignments.
License assignments for Microsoft 365 and other services.

By being a member of a group, a principal inherits all the permissions and privileges assigned to that group. This transitive relationship means that if an attacker compromises an account that is a member of a privileged group, they gain access to all resources and capabilities granted to that group.

Identification

PowerShell

Export all groups and members (PowerShell)

# Connect to Azure
Connect-AzAccount

# Get all groups and their members
$groups = Get-AzADGroup
$results = @()

foreach ($group in $groups) {
    $members = Get-AzADGroupMember -GroupObjectId $group.Id
    foreach ($member in $members) {
        $odataType = $member.AdditionalProperties['@odata.type']
        $memberType = if ($odataType) { ($odataType -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
        $results += [PSCustomObject]@{
            GroupName        = $group.DisplayName
            GroupId          = $group.Id
            MemberName       = $member.DisplayName
            MemberType       = $memberType
            MemberId         = $member.Id
        }
    }
}

$results | Export-Csv -Path ".\AzureGroupMembers.csv" -NoTypeInformation -Encoding UTF8

To check membership for a specific user:

Check groups for a specific user (PowerShell)

# Connect to Azure
Connect-AzAccount

$userUPN = "[email protected]"
$user = Get-AzADUser -UserPrincipalName $userUPN

# Get groups the user is a member of
$userGroups = Get-AzADGroup | Where-Object {
    $members = Get-AzADGroupMember -GroupObjectId $_.Id
    $members.Id -contains $user.Id
}

$userGroups | Select-Object DisplayName, Id | Format-Table -AutoSize

To enumerate transitive group memberships (including nested groups):

Transitive group membership (PowerShell)

function Get-TransitiveGroupMembership {
    param([string]$UserId)
    
    $seenGroups = New-Object System.Collections.Generic.HashSet[string]
    $allGroups = @()
    
    # Get all groups and check membership
    $allAzGroups = Get-AzADGroup
    $directGroups = @()
    
    foreach ($g in $allAzGroups) {
        $members = Get-AzADGroupMember -GroupObjectId $g.Id
        if ($members.Id -contains $UserId) {
            $directGroups += $g
        }
    }
    
    $queue = New-Object System.Collections.Generic.Queue[object]
    foreach ($g in $directGroups) {
        if ($seenGroups.Add($g.Id)) {
            $queue.Enqueue($g)
            $allGroups += [PSCustomObject]@{
                GroupName = $g.DisplayName
                GroupId   = $g.Id
                IsDirect  = $true
            }
        }
    }
    
    while ($queue.Count -gt 0) {
        $currentGroup = $queue.Dequeue()
        # Check if current group is a member of other groups
        foreach ($pg in $allAzGroups) {
            if ($seenGroups.Contains($pg.Id)) { continue }
            $members = Get-AzADGroupMember -GroupObjectId $pg.Id
            if ($members.Id -contains $currentGroup.Id) {
                if ($seenGroups.Add($pg.Id)) {
                    $queue.Enqueue($pg)
                    $allGroups += [PSCustomObject]@{
                        GroupName = $pg.DisplayName
                        GroupId   = $pg.Id
                        IsDirect  = $false
                    }
                }
            }
        }
    }
    
    $allGroups
}

$userUPN = "[email protected]"
$user = Get-AzADUser -UserPrincipalName $userUPN
Get-TransitiveGroupMembership -UserId $user.Id | Format-Table -AutoSize

Azure CLI

List groups and members (Azure CLI)

# List all groups a user is a member of
az ad user get-member-groups --id "<UserObjectIdOrUPN>" --security-enabled-only false

# List all members of a specific group
az ad group member list --group "<GroupObjectIdOrName>" --query "[].{displayName:displayName,id:id,type:['@odata.type']}"

# Check if a user is a member of a specific group
az ad group member check --group "<GroupObjectIdOrName>" --member-id "<UserObjectId>"

Azure GUI

Open Microsoft Entra admin center -> Users → select the target user.
Go to Groups in the left menu to see all group memberships.
Alternatively, go to Groups → select a target group → Members to see all members.

Exploitation

There is no direct exploit path for this edge. AZ_IN_GROUP indicates that a principal is a member of a group, representing a relationship rather than an exploitable permission. The privileges inherited through group membership depend on what permissions are assigned to that group (Azure RBAC roles, directory roles, application access, etc.).

Mitigation

No specific mitigation is required for this edge, as it represents a membership relationship. However, organizations should regularly audit group memberships to ensure only authorized principals are members of sensitive groups.

Detection

Detect group membership changes in Audit logs.

Audit logs — filter for GroupManagement

Go to Microsoft Entra ID -> Audit logs.
Click Category: All -> select GroupManagement -> Apply.
Look for activities:
- Add member to group
- Remove member from group

Monitor for suspicious patterns

Monitor for suspicious membership patterns:

Users added to multiple privileged groups in a short timeframe.
Service principals added to groups with Azure RBAC permissions.
Membership changes outside of business hours.

References

https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadgroup
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadgroupmember
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azaduser
https://learn.microsoft.com/en-us/cli/azure/ad/group/member
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept

PreviousAZ_GLOBAL_ADMIN NextAZ_MG_ADD_MEMBER

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagAzure CLI

hashtagAzure GUI

hashtagExploitation

hashtagMitigation

hashtagDetection

hashtagAudit logs — filter for GroupManagement

hashtagMonitor for suspicious patterns

hashtagReferences