AZ_MG_ADD_MEMBER
Summary
FSProtect ACL Alias: AZ_MG_ADD_MEMBER
Entra ID (Azure AD) Alias: Add Members (Microsoft Graph)
Affected Object Types: AZ Group
Exploitation Certainty: Certain
Graph Permission / Role: Ability to add group members through Microsoft Graph using delegated scopes and/or application permissions (app role assignments) such as GroupMember.ReadWrite.All, Group.ReadWrite.All, or Directory.ReadWrite.All. For role-assignable groups, permissions that allow directory role management operations (e.g., RoleManagement.ReadWrite.Directory) may be required, depending on configuration and policy.
Description
AZ_MG_ADD_MEMBER represents the ability for a principal to add new members to a Microsoft Entra group via Microsoft Graph. By adding themselves (or a controlled identity) as a member of a sensitive group, an attacker can:
- Gain access to all permissions and privileges assigned to that group.
- If the group is role-assignable (isAssignableToRole = true), indirectly control directory roles and any access granted through that group (including downstream Azure RBAC assignments where that group is used).
- Access resources protected by group-based Conditional Access policies.
Therefore, any identity with add-member capability on sensitive groups can quickly escalate privileges by joining privileged or role-assignable groups.
Identification
PowerShell (Microsoft Graph)
Enumerate service principals that have Microsoft Graph application permissions capable of adding group members.
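The following script is an added example (not the original page's code) that performs this enumeration with the Microsoft Graph PowerShell SDK. It resolves the Microsoft Graph resource service principal by its well-known appId, maps the four application permissions listed on this page to their app role ids, and reports every principal that holds one of them through an app role assignment. The Application.Read.All scope is assumed to be sufficient for this read-only query.

```powershell
# Added example: find service principals holding Microsoft Graph application
# permissions that allow adding group members. Not part of the original page.
# Requires the Microsoft.Graph.Applications module.
Connect-MgGraph -Scopes "Application.Read.All"   # assumed sufficient for read-only enumeration

# Well-known appId of the Microsoft Graph resource service principal
$graphAppId = "00000003-0000-0000-c000-000000000000"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Application permissions (app roles) from this page that can add group members
$watchRoles = @(
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory"
)

# Map app role id -> permission name, restricted to the roles above
$roleMap = @{}
foreach ($role in $graphSp.AppRoles) {
    if ($watchRoles -contains $role.Value) {
        $roleMap[[string]$role.Id] = $role.Value
    }
}

# Every app role assignment where Microsoft Graph is the resource (all principals)
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

$findings = foreach ($a in $assignments) {
    $roleId = [string]$a.AppRoleId
    if ($roleMap.ContainsKey($roleId)) {
        [pscustomobject]@{
            PrincipalDisplayName = $a.PrincipalDisplayName
            PrincipalId          = $a.PrincipalId
            PrincipalType        = $a.PrincipalType
            Permission           = $roleMap[$roleId]
        }
    }
}

# One row per principal/permission pair; feed this into the owner/justification review
$findings | Sort-Object PrincipalDisplayName, Permission | Format-Table -AutoSize
```

Each row in the output corresponds to one service principal (or managed identity) that can add group members through an application permission; record the business owner and justification for each, as the GUI procedure below describes.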
Azure GUI
1. Open Microsoft Entra admin center -> Identity -> Applications -> Enterprise applications.
2. Select the application (service principal) that is in scope.
3. Open Permissions (or API permissions).
4. Under Microsoft Graph, review Application permissions for:
   - Directory.ReadWrite.All
   - Group.ReadWrite.All
   - GroupMember.ReadWrite.All
   - RoleManagement.ReadWrite.Directory
5. Record every service principal that has any of these permissions, and identify the business owner and justification.
Exploitation
An attacker with permissions to add group members can escalate privileges by adding themselves (or a controlled identity) to sensitive groups. This grants immediate access to all permissions assigned to that group, including Azure RBAC roles, directory roles (if role-assignable), and application access.
PowerShell
Add a user to a target group using Microsoft Graph PowerShell:
Mitigation
Protect sensitive and role-assignable groups
1. Go to Microsoft Entra admin center -> Groups -> select the target group.
2. For role-assignable groups, ensure only trusted identities are owners.
3. Consider using Privileged Identity Management (PIM) for Groups to require just-in-time activation for membership.
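As an added example (not from the original page), the script below lists every role-assignable group together with its owners and marks owners that are not on an allow-list, so that untrusted owners can be removed as step 2 requires. The $trustedOwnerIds list is a hypothetical placeholder, and Group.Read.All is assumed to be enough for this read-only review.

```powershell
# Added example: review owners of role-assignable groups. Not part of the original page.
# Requires the Microsoft.Graph.Groups module.
Connect-MgGraph -Scopes "Group.Read.All"   # assumed sufficient for a read-only owner review

# Role-assignable groups: membership here indirectly grants directory roles
$roleAssignable = Get-MgGroup -Filter "isAssignableToRole eq true" -All -Property Id,DisplayName

# Hypothetical allow-list of object ids that are trusted to own these groups (placeholder)
$trustedOwnerIds = @("00000000-0000-0000-0000-000000000001")

$report = foreach ($g in $roleAssignable) {
    # Owners come back as directoryObject; type and name sit in AdditionalProperties
    $owners = Get-MgGroupOwner -GroupId $g.Id -All
    foreach ($o in $owners) {
        [pscustomobject]@{
            Group     = $g.DisplayName
            GroupId   = $g.Id
            OwnerId   = $o.Id
            OwnerType = $o.AdditionalProperties['@odata.type']
            OwnerName = $o.AdditionalProperties['displayName']
            Trusted   = ($trustedOwnerIds -contains $o.Id)
        }
    }
}

# Groups without any owner row are worth a look too, but the untrusted owners are the action items
$report | Where-Object { -not $_.Trusted } | Sort-Object Group | Format-Table -AutoSize
```

Any row that surfaces here is an owner of a role-assignable group who is not on the allow-list; remove the owner or, if the ownership is legitimate, add the id to the allow-list so the next run is clean.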
Reduce Microsoft Graph application permissions
1. Go to Microsoft Entra admin center -> Identity -> Applications -> Enterprise applications.
2. Select the target application (service principal / managed identity).
3. Open Permissions (or API permissions).
4. Under Microsoft Graph -> Application permissions, locate any of the following high-impact permissions:
   - Directory.ReadWrite.All
   - Group.ReadWrite.All
   - GroupMember.ReadWrite.All
   - RoleManagement.ReadWrite.Directory
5. If any are present and not strictly required:
   - Remove the permission, or replace it with a lower-privilege alternative.
   - Ensure the change is admin-consented appropriately.
Restrict admin consent for privileged Graph permissions
1. Go to Microsoft Entra admin center -> Identity -> Enterprise applications -> Consent and permissions.
2. Review and tighten who can:
   - Grant tenant-wide admin consent.
   - Approve requests for application permissions to Microsoft Graph.
Minimize service principal owners
1. Go to Microsoft Entra admin center -> Identity -> Applications -> Enterprise applications.
2. Select the target application -> Owners.
3. Remove any unnecessary or high-risk identities and keep the owner set minimal.
Regular access reviews
1. Go to Identity Governance -> Access Reviews.
2. Create reviews for sensitive group memberships and privileged application permissions.
Detection
Detect "Add member to group" directly in Audit logs.
1. Go to Microsoft Entra ID -> Audit logs.
2. Click Category: All -> select GroupManagement -> Apply.
3. If the Activity column is hidden: Manage view -> Edit columns -> check Activity, Initiated by (actor), Target -> Apply.
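The same audit events can be pulled programmatically. The script below is an added example (not from the original page) that queries the directory audit log through Microsoft Graph for "Add member to group" events in the GroupManagement category, extracts the actor (user or application), the added member and the target group, and flags adds to role-assignable groups. The exact layout of TargetResources for this event is assumed, so the code checks both a Group-typed target resource and the Group.* modified properties; the AuditLog.Read.All and Group.Read.All scopes are assumed to be sufficient.

```powershell
# Added example: surface "Add member to group" audit events and flag role-assignable targets.
# Not part of the original page. Requires Microsoft.Graph.Reports and Microsoft.Graph.Groups.
Connect-MgGraph -Scopes "AuditLog.Read.All","Group.Read.All"   # assumed sufficient scopes

# Look back 7 days; Graph expects an ISO 8601 UTC timestamp in the filter
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "category eq 'GroupManagement' and activityDisplayName eq 'Add member to group' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Ids of role-assignable groups: an add to one of these is the high-impact case
$roleAssignableIds = @{}
Get-MgGroup -Filter "isAssignableToRole eq true" -All -Property Id |
    ForEach-Object { $roleAssignableIds[$_.Id] = $true }

$rows = foreach ($e in $events) {
    # Actor is a user (delegated scope) or an app (application permission)
    $actor = if ($e.InitiatedBy.User -and $e.InitiatedBy.User.UserPrincipalName) {
        $e.InitiatedBy.User.UserPrincipalName
    } elseif ($e.InitiatedBy.App) {
        "app:" + $e.InitiatedBy.App.DisplayName
    } else { "unknown" }

    # Assumed layout: one target resource typed 'Group', otherwise Group.* modified properties
    $groupRes  = $e.TargetResources | Where-Object { $_.Type -eq 'Group' } | Select-Object -First 1
    $groupId   = $groupRes.Id
    $groupName = $groupRes.DisplayName
    if (-not $groupId) {
        $props     = $e.TargetResources | ForEach-Object { $_.ModifiedProperties }
        $groupId   = ($props | Where-Object DisplayName -eq 'Group.ObjectID').NewValue -replace '"', ''
        $groupName = ($props | Where-Object DisplayName -eq 'Group.DisplayName').NewValue -replace '"', ''
    }
    $member = $e.TargetResources | Where-Object { $_.Type -ne 'Group' } | Select-Object -First 1

    [pscustomobject]@{
        Time           = $e.ActivityDateTime
        Actor          = $actor
        Member         = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.Id }
        Group          = $groupName
        RoleAssignable = [bool]$roleAssignableIds[$groupId]
    }
}

# Role-assignable targets first; app-initiated adds are the ones tied to the permissions above
$rows | Sort-Object RoleAssignable, Time -Descending | Format-Table -AutoSize
```

Rows whose Actor starts with "app:" were produced through an application permission and should map back to a service principal found during Identification; rows with RoleAssignable set are the ones to triage first.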