AZ_MG_ADD_OWNER

Summary

FSProtect ACL Alias

AZ_MG_ADD_OWNER

Entra ID (Azure AD) Alias

Add Owners (Microsoft Graph)

Affected Object Types

AZ Group

Exploitation Certainty

Certain

Graph Permission / Role

Ability to add group owners through Microsoft Graph using delegated scopes and/or application permissions (app role assignments) such as: Group.ReadWrite.All, Directory.ReadWrite.All (effective capability depends on tenant policy, group type, and any administrative units / scoped admin boundaries)

Description

AZ_MG_ADD_OWNER represents the ability for a principal to add new owners to a Microsoft Entra group via Microsoft Graph.

Group owners have administrative control over the group. They can add or remove members. They can add or remove other owners. They can update group settings and attributes.

If the group is role-assignable (isAssignableToRole = true), controlling ownership of the group can become a high-impact privilege path. This is especially true when the group is used to grant directory roles or Azure RBAC access.

Identification

PowerShell (Microsoft Graph)

Enumerate service principals that have Microsoft Graph application permissions that are sufficient to manage group ownership (for example, Group.ReadWrite.All or Directory.ReadWrite.All).

Connect-MgGraph -Scopes @(
  "Application.Read.All",
  "Directory.Read.All"
) -NoWelcome

$groupIdOrName = "Example" 

$grp = Get-MgGroup -Filter "displayName eq '$groupIdOrName'" -Property Id,DisplayName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $grp) { $grp = Get-MgGroup -GroupId $groupIdOrName -Property Id,DisplayName }

$owners = Get-MgGroupOwner -GroupId $grp.Id -All

$owners | Select-Object `
  @{n="Group";e={$grp.DisplayName}}, `
  @{n="OwnerType";e={$_.AdditionalProperties.'@odata.type'}}, `
  @{n="OwnerId";e={$_.Id}}, `
  @{n="OwnerDisplayName";e={$_.AdditionalProperties.displayName}}, `
  @{n="OwnerUPN";e={$_.AdditionalProperties.userPrincipalName}} |
  Format-Table -AutoSize

Azure GUI

Open Microsoft Entra admin center → Groups.
Open the target group.
Go to Owners.
- Anyone listed as Owner can add other owners.
If the group is privileged or role-assignable, treat owner changes as high risk and require explicit justification.
For application-based paths:
- Go to Enterprise applications → select the application → Permissions / API permissions.
- Under Microsoft Graph → review Application permissions for:
  - Group.ReadWrite.All
  - Directory.ReadWrite.All
- Record every app that has these permissions and confirm business justification.

Exploitation

PowerShell (Microsoft Graph)

Install-Module Microsoft.Graph -Force
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All"

$groupDisplayName = "Example"
$userUpn          = "[email protected]"

$group = Get-MgGroup -Filter "displayName eq '$groupDisplayName'" -ConsistencyLevel eventual
if (-not $group) { throw "Grup bulunamadı: $groupDisplayName" }

$user = Get-MgUser -UserId $userUpn
if (-not $user) { throw "Kullanıcı bulunamadı: $userUpn" }

$newOwnerRef = @{
  "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
}

New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter $newOwnerRef

Write-Host "OK: User $($user.UserPrincipalName) has been added as an owner to the group $($group.DisplayName)."

Azure GUI

Open Microsoft Graph Explorer. Sign in and ensure you have a token that permits group write operations.

Retrieve the group id

GET https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'My Group'

Retrieve the object id of the identity to add

Lookup the user or service principal object id you want to add as owner.

Add owner

Use the official Add owner operation from Microsoft documentation (see # References).

Confirm

Confirm by listing owners:

GET https://graph.microsoft.com/v1.0/groups/{group-id}/owners?$select=id,displayName

Mitigation

Minimize the number of Owners on sensitive groups.
Protect privileged groups with strict operational processes:
- Use just-in-time admin access where available.
- Require change approval for owner modifications.
Reduce Microsoft Graph exposure:
- Remove unnecessary Graph Application permissions from service principals.
- Prioritize removing Directory.ReadWrite.All and Group.ReadWrite.All when not required.
Restrict who can grant tenant-wide admin consent for high-privilege Graph permissions.
Maintain clear ownership and periodic access reviews for enterprise applications with Graph write permissions.

Detection

Monitor Microsoft Entra Audit logs for group owner changes.

Go to Microsoft Entra ID → Audit logs.
Filter Category: GroupManagement.
Look for activities such as Add owner to group.
Ensure the view includes:
- Activity
- Initiated by (actor)
- Target resources

Alert on owner changes for privileged groups and role-assignable groups.

References

PreviousAZ_MG_ADD_MEMBER NextAZ_MG_ADD_SECRET

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagExploitation

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagSign in and acquire token

hashtagRetrieve the group id

hashtagRetrieve the object id of the identity to add

hashtagAdd owner

hashtagConfirm

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell (Microsoft Graph)

Azure GUI

Exploitation

PowerShell (Microsoft Graph)

Azure GUI

Sign in and acquire token

Retrieve the group id

Retrieve the object id of the identity to add

Add owner

Confirm

Mitigation

Detection

References