AZ_MG_ADD_MEMBER

Summary

FSProtect ACL Alias

AZ_MG_ADD_MEMBER

Entra ID (Azure AD) Alias

Add Members (Microsoft Graph)

Affected Object Types

AZ Group

Exploitation Certainty

Certain

Graph Permission / Role

Ability to add group members through Microsoft Graph (POST /groups/{group-id}/members/$ref) using delegated scopes and/or application permissions (app role assignments). In order of increasing privilege: GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All. For role-assignable groups (isAssignableToRole = true) the caller must additionally hold RoleManagement.ReadWrite.Directory. With delegated scopes the effective right is the intersection of the consented scope and the signed-in user's own rights over the group (group owner, Groups Administrator, etc.); application permissions apply tenant-wide with no such constraint.


Description

AZ_MG_ADD_MEMBER represents the ability for a principal to add members to a Microsoft Entra group via Microsoft Graph. By adding themselves (or a controlled identity) to a sensitive group, an attacker can:

  • Inherit everything granted to the group: directory roles (if the group is role-assignable), Azure RBAC role assignments on subscriptions, resource groups and resources, application and enterprise-application access, and membership-based Conditional Access exclusions.

  • If the group is role-assignable (isAssignableToRole = true), obtain the directory role(s) assigned to it, up to Global Administrator, and with them control over every object in the tenant.

  • Use the newly acquired access to establish persistence, for example by adding further controlled identities to the group or by becoming an owner once the group conveys enough privilege to do so.

Therefore, any identity with add-member capability on sensitive groups can quickly escalate privileges by joining privileged or role-assignable groups. Unlike ownership, membership does not by itself confer control over the group's settings, so the value of this edge is the access the group conveys.


Identification

Azure GUI

  • Open Microsoft Entra admin center > Identity > Applications > Enterprise applications.

  • Select the application (service principal) that is in scope.

  • Open Permissions (or API permissions).

  • Under Microsoft Graph:

    • Review Application permissions (and the delegated permissions consented on the same page, which matter when a privileged user signs in to that application) for:

      • Directory.ReadWrite.All

      • Group.ReadWrite.All

      • GroupMember.ReadWrite.All

      • RoleManagement.ReadWrite.Directory

  • Record every service principal that has any of these permissions, and identify the business owner and justification.
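The same inventory, done in one pass across the tenant instead of one application at a time. This is an added example using the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignedTo, Get-MgOauth2PermissionGrant); it is not code from the original page or from FSProtect. The list of watched permissions is the one above; the scopes requested for the sign-in are an assumption (read-only scopes suffice).

```powershell
# Added example, not part of the original page: enumerate every principal that
# holds a Microsoft Graph permission allowing POST /groups/{id}/members/$ref.
# Application permissions are appRoleAssignments whose resource is the Microsoft
# Graph service principal; delegated scopes are oAuth2PermissionGrants on the
# same resource. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Permissions that permit adding members (the last is the additional permission
# required for role-assignable groups).
$watch = @(
    "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory"
)

# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# App role id (GUID) -> permission name, for the watched permissions only.
$roleName = @{}
foreach ($r in $graphSp.AppRoles) {
    if ($watch -contains $r.Value) { $roleName[$r.Id] = $r.Value }
}

# 1) Application permissions: one call lists every assignment granted on Graph.
$appFindings = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $roleName.ContainsKey($_.AppRoleId) } |
    ForEach-Object {
        [pscustomobject]@{
            Kind        = "Application"
            Principal   = $_.PrincipalDisplayName
            PrincipalId = $_.PrincipalId
            Permission  = $roleName[$_.AppRoleId]
            GrantId     = $_.Id          # appRoleAssignment id, needed to revoke it
            Consent     = "Admin"
        }
    })

# 2) Delegated scopes: effective only together with the signed-in user's own
#    rights, but tenant-wide consent (AllPrincipals) on a client that privileged
#    users sign in to is still a finding.
$delegatedFindings = @(Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $grant = $_
        $hits = @($grant.Scope -split ' ' | Where-Object { $watch -contains $_ })
        if ($hits.Count -gt 0) {
            $client = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -Property "id,displayName"
            foreach ($h in $hits) {
                [pscustomobject]@{
                    Kind        = "Delegated"
                    Principal   = $client.DisplayName
                    PrincipalId = $grant.ClientId
                    Permission  = $h
                    GrantId     = $grant.Id           # oAuth2PermissionGrant id
                    Consent     = $grant.ConsentType  # AllPrincipals = tenant-wide
                }
            }
        }
    })

($appFindings + $delegatedFindings) | Sort-Object Kind, Principal, Permission | Format-Table -AutoSize
```

Every row in the Application set is a principal that can exercise this edge on its own; keep the GrantId column, since that is the object to delete when revoking. The Delegated rows are not exploitable by the application alone and are included so the review covers both consent types the Permissions page shows.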


Exploitation

Azure GUI

Step 1 — Open Graph Explorer

Open Microsoft Graph Explorer at: https://developer.microsoft.com/en-us/graph/graph-explorer and sign in with an account that is allowed to add members to the target group. Under Modify permissions, consent to a scope that permits group write operations: GroupMember.ReadWrite.All is the least-privileged choice; Group.ReadWrite.All or Directory.ReadWrite.All also work. For a role-assignable group, RoleManagement.ReadWrite.Directory is required in addition.

Step 2 — Retrieve group id

Request (record the id of the matching group from the response):

GET https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'My Group'

Step 3 — Retrieve member object id

For a user, request (the id in the response is the object id; a group, service principal or device can be added the same way using its own object id):

GET https://graph.microsoft.com/v1.0/users/{userPrincipalName}

Step 4 — Add the member to the group

POST to:

https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref

Request body:

{ "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{member-object-id}" }

A successful call returns 204 No Content with an empty body.

Step 5 — Confirm membership

GET https://graph.microsoft.com/v1.0/groups/{group-id}/members?$select=id,displayName
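The five steps above as a single script, added here as an example and not taken from the original page or from FSProtect. It uses the Microsoft Graph PowerShell SDK (Get-MgGroup, Get-MgUser, New-MgGroupMemberByRef, Get-MgGroupMember), which issues the same Graph requests; the group name and user principal name are placeholders, and the script handles the role-assignable case that the GUI walkthrough only mentions.

```powershell
# Added example, not part of the original page: the Graph Explorer steps as a
# Microsoft Graph PowerShell SDK script. $groupName and $targetUpn are
# placeholders for the group and identity in scope.
$groupName = "My Group"
$targetUpn = "user@contoso.com"

# Delegated sign-in. GroupMember.ReadWrite.All is the least-privileged scope for
# POST /groups/{id}/members/$ref; User.Read.All resolves the UPN to an object id.
Connect-MgGraph -Scopes "GroupMember.ReadWrite.All", "User.Read.All" -NoWelcome

# Step 2: resolve the group; select isAssignableToRole up front because a
# role-assignable group needs an extra permission.
$groups = @(Get-MgGroup -Filter "displayName eq '$groupName'" -Property "id,displayName,isAssignableToRole")
if ($groups.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($groups.Count)" }
$group = $groups[0]

if ($group.IsAssignableToRole) {
    # Membership changes on a role-assignable group also require RoleManagement.ReadWrite.Directory.
    Connect-MgGraph -Scopes "GroupMember.ReadWrite.All", "User.Read.All", "RoleManagement.ReadWrite.Directory" -NoWelcome
}

# Step 3: resolve the member (Get-MgUser accepts a UPN or an object id).
$member = Get-MgUser -UserId $targetUpn -Property "id,userPrincipalName"

# Step 4: POST /groups/{group-id}/members/$ref with a directoryObject reference.
New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($member.Id)"
}

# Step 5: confirm via GET /groups/{group-id}/members rather than trusting the POST.
$present = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $member.Id }
if ($present) {
    "Added {0} to '{1}' (role-assignable: {2})" -f $member.UserPrincipalName, $group.DisplayName, [bool]$group.IsAssignableToRole
} else {
    throw "Member not returned by GET /groups/$($group.Id)/members; inspect the POST response"
}
```

For app-only execution (a service principal holding the application permission), replace the interactive Connect-MgGraph with certificate or client-secret authentication to the same SDK; the remaining calls are unchanged, which is exactly why the application permissions listed under Identification are the ones to hunt for.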


Mitigation

  • Reduce which service principals hold Microsoft Graph application permissions that can add group members

    • Go to Microsoft Entra admin center > Identity > Applications > Enterprise applications.

    • Select the target application (service principal / managed identity).

    • Open Permissions (or API permissions).

    • Under Microsoft Graph > Application permissions, locate any of the following high-impact permissions:

      • Directory.ReadWrite.All

      • Group.ReadWrite.All

      • GroupMember.ReadWrite.All

      • RoleManagement.ReadWrite.Directory

    • If any are present and not strictly required:

      • Remove the permission, or replace it with the least-privileged permission that still meets the need (for example GroupMember.ReadWrite.All instead of Group.ReadWrite.All or Directory.ReadWrite.All).

      • Revoke the granted permission on the enterprise application (service principal) itself, not only in the app registration's API permissions list: the grant is a separate app role assignment, and editing the registration's required permissions does not revoke an existing grant. Re-open the Permissions page afterwards and confirm the permission is gone.

  • Restrict who can approve (admin consent) privileged Graph application permissions

    • Go to Microsoft Entra admin center > Identity > Applications > Enterprise applications > Consent and permissions.

    • Review and tighten who can:

      • Grant tenant-wide admin consent, and

      • Approve requests for application permissions to Microsoft Graph.

  • Remove unnecessary owners / administrators on the service principal

    • Go to Microsoft Entra admin center > Identity > Applications > Enterprise applications.

    • Select the target application.

    • Open Owners.

    • Remove any vulnerable or high-risk identities and keep the owner set minimal: an owner of a service principal can add credentials (a client secret or certificate) to it and then act with every permission the service principal holds, so each owner effectively holds this edge as well.

    • Limit administrative access to the application to only the identities responsible for operating it.
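The revocation in the first mitigation bullet, scripted so that it removes the grant object that actually matters and then re-reads the service principal to prove it is gone. This is an added example using the Microsoft Graph PowerShell SDK (Get-MgServicePrincipalAppRoleAssignment, Remove-MgServicePrincipalAppRoleAssignment), not code from the original page or from FSProtect; the application name and the permissions to revoke are placeholders.

```powershell
# Added example, not part of the original page: revoke specific Microsoft Graph
# application permissions from one service principal and verify the result.
# The grant is an appRoleAssignment on the client service principal; removing
# the permission from the app registration's API permissions list alone does
# not revoke it. $spName and $revoke are placeholders for the app in scope.
$spName = "Contoso Directory Sync"
$revoke = @("Directory.ReadWrite.All", "Group.ReadWrite.All")

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$sps = @(Get-MgServicePrincipal -Filter "displayName eq '$spName'")
if ($sps.Count -ne 1) { throw "Expected exactly one service principal named '$spName', found $($sps.Count)" }
$sp = $sps[0]

# Resolve this SP's Graph app role assignments (GUIDs) to permission names.
function Get-GraphAppPermissions {
    param([string]$ServicePrincipalId)
    foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All)) {
        if ($a.ResourceId -ne $graphSp.Id) { continue }   # assignments on other APIs are out of scope
        $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{ Permission = $role.Value; AssignmentId = $a.Id }
    }
}

foreach ($p in Get-GraphAppPermissions -ServicePrincipalId $sp.Id) {
    if ($revoke -contains $p.Permission) {
        "Revoking $($p.Permission) (assignment $($p.AssignmentId)) from $($sp.DisplayName)"
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $p.AssignmentId
    }
}

# Verify by re-reading the assignments rather than trusting the removal call.
$still = @(Get-GraphAppPermissions -ServicePrincipalId $sp.Id | Where-Object { $revoke -contains $_.Permission })
if ($still.Count -gt 0) {
    Write-Warning ("Still granted to {0}: {1}" -f $sp.DisplayName, ($still.Permission -join ', '))
} else {
    "Verified: {0} no longer holds {1}" -f $sp.DisplayName, ($revoke -join ', ')
}
```

Access tokens the application already obtained keep their roles claim until they expire, so an in-progress abuse is not cut off the instant the assignment is deleted; treat the revocation as effective for new tokens only and pair it with the Detection steps below for the intervening window.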


Detection

Detect “Add member to group” directly in Audit logs.

  • Go to Microsoft Entra ID > Audit logs.

  • Click Category: All → select GroupManagement → Apply, then filter Activity to “Add member to group”.

  • If the Activity column is hidden: Manage view → Edit columns → check Activity, Initiated by (actor), Target → Apply.

  • Prioritise events where Initiated by (actor) is an application (service principal) rather than a user, and where the target group is role-assignable or otherwise privileged; an application adding itself or an unexpected identity to such a group is the pattern this edge describes.
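The same audit-log query run through Graph instead of the portal, so it can be scheduled and the results ranked. This is an added example using the Microsoft Graph PowerShell SDK (Get-MgAuditLogDirectoryAudit, Get-MgGroup); it is not code from the original page or from FSProtect. The seven-day lookback and the priority labels are assumptions; the event fields it reads are the standard directoryAudit schema (initiatedBy, targetResources, modifiedProperties).

```powershell
# Added example, not part of the original page: query "Add member to group"
# events from the Entra audit log through Graph and rank them. Events initiated
# by an application (service principal) or targeting a role-assignable group are
# the ones this edge is about. Lookback window is an assumption.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Group.Read.All" -NoWelcome

$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "category eq 'GroupManagement' and activityDisplayName eq 'Add member to group' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

$isRoleAssignable = @{}   # cache: group id -> bool, one Get-MgGroup per distinct group

$rows = foreach ($e in $events) {
    # Exactly one of initiatedBy.user / initiatedBy.app is populated.
    $app = $e.InitiatedBy.App
    if ($app.ServicePrincipalId -or $app.DisplayName) {
        $actor = "app:$($app.DisplayName) ($($app.ServicePrincipalId))"; $byApp = $true
    } else {
        $actor = "user:$($e.InitiatedBy.User.UserPrincipalName)"; $byApp = $false
    }

    # For this activity the first target resource is the object that was added.
    # The group is recorded as a Group.ObjectID modified property on that target
    # and/or as a separate target of type Group; check both.
    $added   = $e.TargetResources[0]
    $groupId = ($added.ModifiedProperties | Where-Object { $_.DisplayName -eq 'Group.ObjectID' } |
                Select-Object -First 1).NewValue -replace '"', ''
    if (-not $groupId) {
        $groupId = ($e.TargetResources | Where-Object { $_.Type -eq 'Group' } | Select-Object -Last 1).Id
    }

    $roleAssignable = $false
    if ($groupId) {
        if (-not $isRoleAssignable.ContainsKey($groupId)) {
            try {
                $g = Get-MgGroup -GroupId $groupId -Property "id,isAssignableToRole"
                $isRoleAssignable[$groupId] = [bool]$g.IsAssignableToRole
            } catch {
                $isRoleAssignable[$groupId] = $false   # group deleted since the event
            }
        }
        $roleAssignable = $isRoleAssignable[$groupId]
    }

    [pscustomobject]@{
        Priority       = if ($roleAssignable) { "1-HIGH" } elseif ($byApp) { "2-MEDIUM" } else { "3-LOW" }
        Time           = $e.ActivityDateTime
        Actor          = $actor
        AddedType      = $added.Type
        Added          = if ($added.DisplayName) { $added.DisplayName } else { $added.Id }
        GroupId        = $groupId
        RoleAssignable = $roleAssignable
    }
}

$rows | Sort-Object Priority, Time | Format-Table -AutoSize
```

The role-assignable check is done against the current directory state, so a group that was made privileged after the event is still ranked HIGH; that is the conservative choice for triage. To turn this into an alert, feed the same filter to a scheduled job and page on any 1-HIGH row, or on any 2-MEDIUM row whose actor is not on the list of service principals recorded under Identification.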



References

  • https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0

  • https://learn.microsoft.com/en-us/graph/permissions-reference

  • https://learn.microsoft.com/en-us/graph/permissions-overview

  • https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?view=graph-powershell-1.0

  • https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignment?view=graph-powershell-1.0

  • https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-activity-log-schemas

  • https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

  • https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
