# AZ\_MG\_ADD\_MEMBER

## Summary

|                               |                                                                 |
| ----------------------------- | --------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_MG\_ADD\_MEMBER                                             |
| **Entra ID (Azure AD) Alias** | Add Members (Microsoft Graph)                                   |
| **Affected Object Types**     | AZ Group                                                        |
| **Exploitation Certainty**    | Certain                                                         |
| **Graph Permission / Role**   | Ability to add group members through **Microsoft Graph** using **delegated scopes** and/or **application permissions (app role assignments)** such as `GroupMember.ReadWrite.All`, `Group.ReadWrite.All`, or `Directory.ReadWrite.All`. For **role-assignable** groups, permissions that allow **directory role management operations** (e.g., `RoleManagement.ReadWrite.Directory`) may be required depending on configuration and policy. |

## Description

`AZ_MG_ADD_MEMBER` represents the ability for a principal to **add new members to a Microsoft Entra group via Microsoft Graph**. By adding themselves (or a controlled identity) as a **Member** of a **sensitive group**, an attacker can:

* Gain access to all permissions and privileges assigned to that group.
* If the group is **role-assignable** (`isAssignableToRole = true`), indirectly control **directory roles** and any access granted through that group (including downstream Azure RBAC assignments where that group is used).
* Access resources protected by group-based Conditional Access policies.

Therefore, any identity with add-member capability on sensitive groups can quickly escalate privileges by joining privileged or role-assignable groups.

## Identification

### PowerShell (Microsoft Graph)

Enumerate service principals that have **Microsoft Graph application permissions** capable of adding group members.

```powershell
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"

# Get Microsoft Graph service principal and target app role IDs
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" -Property Id,AppRoles
$targetPerms = @("Directory.ReadWrite.All","Group.ReadWrite.All","GroupMember.ReadWrite.All","RoleManagement.ReadWrite.Directory")
$targetRoleIds = $graphSp.AppRoles | Where-Object { $_.Value -in $targetPerms } | Select-Object -ExpandProperty Id

# Query app role assignments directly from Microsoft Graph SP
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

# Filter for target permissions and build results
$results = $assignments | Where-Object { $_.AppRoleId -in $targetRoleIds } | ForEach-Object {
    $appRoleId = $_.AppRoleId
    [PSCustomObject]@{
        ServicePrincipalName = $_.PrincipalDisplayName
        ServicePrincipalId   = $_.PrincipalId
        Permission           = ($graphSp.AppRoles | Where-Object { $_.Id -eq $appRoleId }).Value
    }
}

$results | Format-Table -AutoSize
```
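The script above covers application permissions (app role assignments) only. The Summary table also lists delegated scopes, which are recorded as `oauth2PermissionGrants` rather than app role assignments, so a complete inventory needs a second pass. The following is an added example (not FSProtect's own code) that enumerates delegated Microsoft Graph grants carrying group-write scopes; it assumes the same four permission names used above and that `Directory.Read.All` is sufficient to read the grants.

```powershell
# Added example: enumerate delegated Microsoft Graph grants (oauth2PermissionGrants)
# whose consented scopes include group-write permissions.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"

# Microsoft Graph resource service principal (well-known appId)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" -Property Id
$writeScopes = @("Directory.ReadWrite.All","Group.ReadWrite.All","GroupMember.ReadWrite.All","RoleManagement.ReadWrite.Directory")

# All delegated grants whose resource is Microsoft Graph
$grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ResourceId -eq $graphSp.Id }

$findings = foreach ($g in $grants) {
    # Scope is a space-separated list of the delegated scopes consented for this client
    $scopes = $g.Scope -split ' ' | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $_ -in $writeScopes }
    if (-not $hits) { continue }

    $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName
    [PSCustomObject]@{
        ClientName  = $client.DisplayName
        ClientId    = $g.ClientId
        ConsentType = $g.ConsentType     # AllPrincipals = tenant-wide admin consent
        PrincipalId = $g.PrincipalId     # populated only for per-user (Principal) consent
        Scopes      = ($hits -join ' ')
    }
}

$findings | Format-Table -AutoSize
```

A delegated scope only acts on behalf of the signed-in user, so a client listed here can add members only to groups that user could already modify; the finding still matters because it widens which applications can exercise that user's rights, and `AllPrincipals` grants apply to every user who signs in to the client.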

### Azure GUI

* Open **Microsoft Entra admin center** -> **Identity** -> **Applications** -> **Enterprise applications**.
* Select the **application** (service principal) that is in scope.
* Open **Permissions** (or **API permissions**).
* Under **Microsoft Graph**:
  * Review **Application permissions** for:
    * `Directory.ReadWrite.All`
    * `Group.ReadWrite.All`
    * `GroupMember.ReadWrite.All`
    * `RoleManagement.ReadWrite.Directory`
* Record every service principal that has any of these permissions, and identify the business owner and justification.

## Exploitation

An attacker with permissions to add group members can escalate privileges by adding themselves (or a controlled identity) to sensitive groups. This grants immediate access to all permissions assigned to that group, including Azure RBAC roles, directory roles (if role-assignable), and application access.

### PowerShell

Add a user to a target group using Microsoft Graph PowerShell:

```powershell
Connect-MgGraph -Scopes "GroupMember.ReadWrite.All","Group.ReadWrite.All","Directory.ReadWrite.All"

# Resolve target group and target user
$group = Get-MgGroup -Filter "displayName eq 'Example'"
$user  = Get-MgUser -UserId "Example@contoso.onmicrosoft.com"

# Add user to group
New-MgGroupMemberByRef -GroupId $group.Id `
    -OdataId ("https://graph.microsoft.com/v1.0/directoryObjects/{0}" -f $user.Id)
```

## Mitigation

* **Protect sensitive and role-assignable groups**
  * Go to **Microsoft Entra admin center** -> **Groups** -> select the **target group**.
  * For role-assignable groups, ensure only trusted identities are owners.
  * Consider using **Privileged Identity Management (PIM) for Groups** to require just-in-time activation for membership.
* **Reduce Microsoft Graph application permissions**
  * Go to **Microsoft Entra admin center** -> **Identity** -> **Applications** -> **Enterprise applications**.
  * Select the **target application** (service principal / managed identity).
  * Open **Permissions** (or **API permissions**).
  * Under **Microsoft Graph** -> **Application permissions**, locate any of the following high-impact permissions:
    * `Directory.ReadWrite.All`
    * `Group.ReadWrite.All`
    * `GroupMember.ReadWrite.All`
    * `RoleManagement.ReadWrite.Directory`
  * If any are present and not strictly required:
    * **Remove** the permission, or replace with a **lower-privilege** alternative.
    * Ensure the change is **admin-consented** appropriately.
* **Restrict admin consent for privileged Graph permissions**
  * Go to **Microsoft Entra admin center** -> **Identity** -> **Enterprise applications** -> **Consent and permissions**.
  * Review and tighten who can:
    * Grant **tenant-wide admin consent**.
    * Approve requests for **application permissions** to Microsoft Graph.
* **Minimize service principal owners**
  * Go to **Microsoft Entra admin center** -> **Identity** -> **Applications** -> **Enterprise applications**.
  * Select the **target application** -> **Owners**.
  * **Remove** any unnecessary or high-risk identities and keep the owner set minimal.
* **Regular access reviews**
  * Go to **Identity Governance** -> **Access Reviews**.
  * Create reviews for sensitive group memberships and privileged application permissions.
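The first two mitigation items (reviewing owners of role-assignable groups and retiring unneeded group-write application permissions) can be scripted rather than clicked through. This is an added example, not FSProtect's own code; the service principal object ID and permission name are placeholders to be replaced with values from the identification step, and `-WhatIf` is left in so the removal is previewed before it is applied.

```powershell
# Added example: review role-assignable group owners and remove a group-write
# app role assignment from the Microsoft Graph service principal.
Connect-MgGraph -Scopes "Group.Read.All","Application.ReadWrite.All","Directory.Read.All"

# 1. Role-assignable groups and their owners: the owner set should be small and trusted
$roleAssignable = Get-MgGroup -Filter "isAssignableToRole eq true" -All -Property Id,DisplayName
$ownerReport = foreach ($grp in $roleAssignable) {
    $owners = Get-MgGroupOwner -GroupId $grp.Id -All
    [PSCustomObject]@{
        Group      = $grp.DisplayName
        GroupId    = $grp.Id
        OwnerCount = @($owners).Count
        # Owners are returned as directoryObjects; displayName sits in AdditionalProperties
        Owners     = ($owners | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', '
    }
}
$ownerReport | Format-Table -AutoSize

# 2. Remove one application permission that review found unnecessary.
#    Placeholders: substitute the service principal and permission from the identification step.
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" -Property Id,AppRoles
$targetSpId = "<service-principal-object-id>"   # placeholder
$permission = "GroupMember.ReadWrite.All"        # placeholder

$roleId     = ($graphSp.AppRoles | Where-Object { $_.Value -eq $permission }).Id
$assignment = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.PrincipalId -eq $targetSpId -and $_.AppRoleId -eq $roleId }

if ($assignment) {
    # -WhatIf previews the change; drop it once the removal has been approved
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id `
        -AppRoleAssignmentId $assignment.Id -WhatIf
} else {
    Write-Host "No assignment of $permission found for $targetSpId"
}
```

Removing the app role assignment from the Graph service principal revokes the permission immediately; the application's manifest may still request it, so clear the request there too if the app should not be re-consented later.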

## Detection

Detect "Add member to group" directly in **Audit logs**.

* Go to **Microsoft Entra ID** -> **Audit logs**.
* Click **Category: All** -> select **GroupManagement** -> **Apply**.
* If the **Activity** column is hidden: **Manage view** -> **Edit columns** -> check **Activity**, **Initiated by (actor)**, **Target** -> **Apply**.
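Filtering the portal view surfaces every group add; the events worth paging on are the ones whose target is a role-assignable or otherwise sensitive group. The following is an added example (not FSProtect's own code) of that triage logic run over constructed sample records shaped like `Get-MgAuditLogDirectoryAudit` output. It assumes the Entra audit schema for this activity, in which the first target resource is the member added and the group is carried in its `ModifiedProperties` as `Group.ObjectID` and `Group.DisplayName`; the sample records and group IDs are constructed.

```powershell
# Added example: flag "Add member to group" audit events that target sensitive groups.
function Find-SensitiveGroupAdds {
    param(
        [Parameter(Mandatory)] $AuditRecords,                # e.g. output of Get-MgAuditLogDirectoryAudit
        [Parameter(Mandatory)] [string[]] $SensitiveGroupIds # object IDs of groups to watch
    )
    foreach ($r in $AuditRecords) {
        if ($r.ActivityDisplayName -ne 'Add member to group') { continue }

        # First target resource is the member added; group details sit in its modified properties
        $target = $r.TargetResources | Select-Object -First 1
        $props  = @{}
        foreach ($p in $target.ModifiedProperties) {
            $props[$p.DisplayName] = ($p.NewValue -replace '"', '')   # values are JSON-quoted strings
        }
        if ($props['Group.ObjectID'] -notin $SensitiveGroupIds) { continue }

        # Actor is either a user or, for app-only callers, the application
        $actor = if ($r.InitiatedBy.User.UserPrincipalName) {
            $r.InitiatedBy.User.UserPrincipalName
        } else {
            $r.InitiatedBy.App.DisplayName
        }

        [PSCustomObject]@{
            Time   = $r.ActivityDateTime
            Actor  = $actor
            Member = $target.UserPrincipalName
            Group  = $props['Group.DisplayName']
            Result = $r.Result
        }
    }
}

# Constructed sample records (not real tenant data)
$sensitiveIds = @('11111111-1111-1111-1111-111111111111')
$sample = @(
    [PSCustomObject]@{
        ActivityDateTime = '2024-01-01T10:00:00Z'; ActivityDisplayName = 'Add member to group'; Result = 'success'
        InitiatedBy      = @{ User = $null; App = @{ DisplayName = 'automation-app' } }
        TargetResources  = @(@{ UserPrincipalName = 'bob@contoso.example'; ModifiedProperties = @(
            @{ DisplayName = 'Group.ObjectID';    NewValue = '"11111111-1111-1111-1111-111111111111"' },
            @{ DisplayName = 'Group.DisplayName'; NewValue = '"Privileged Admins"' }) })
    },
    [PSCustomObject]@{
        ActivityDateTime = '2024-01-01T10:05:00Z'; ActivityDisplayName = 'Add member to group'; Result = 'success'
        InitiatedBy      = @{ User = @{ UserPrincipalName = 'alice@contoso.example' }; App = $null }
        TargetResources  = @(@{ UserPrincipalName = 'carol@contoso.example'; ModifiedProperties = @(
            @{ DisplayName = 'Group.ObjectID';    NewValue = '"22222222-2222-2222-2222-222222222222"' },
            @{ DisplayName = 'Group.DisplayName'; NewValue = '"Lunch Club"' }) })
    }
)

# Only the add to "Privileged Admins" by automation-app is reported
Find-SensitiveGroupAdds -AuditRecords $sample -SensitiveGroupIds $sensitiveIds | Format-Table -AutoSize

# Against a live tenant (requires AuditLog.Read.All and Group.Read.All):
# $recs = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'GroupManagement' and activityDisplayName eq 'Add member to group'"
# $ids  = (Get-MgGroup -Filter "isAssignableToRole eq true" -All).Id
# Find-SensitiveGroupAdds -AuditRecords $recs -SensitiveGroupIds $ids
```

An app-only actor (the `InitiatedBy.App` branch) adding a member to a role-assignable group is the pattern this edge describes and deserves the highest priority; extend `$SensitiveGroupIds` with groups referenced by Conditional Access policies and Azure RBAC assignments to cover the other two impacts listed in the Description.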

## References

* [https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0)
* [https://learn.microsoft.com/en-us/graph/permissions-reference](https://learn.microsoft.com/en-us/graph/permissions-reference)
* [https://learn.microsoft.com/en-us/graph/permissions-overview](https://learn.microsoft.com/en-us/graph/permissions-overview)
* [https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?view=graph-powershell-1.0](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?view=graph-powershell-1.0)
* [https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignment?view=graph-powershell-1.0](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignment?view=graph-powershell-1.0)
* [https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-activity-log-schemas](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-activity-log-schemas)
* [https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities)
* [https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest](https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest)
