AZ_MG_ADD_OWNER

Summary

FSProtect ACL Alias: AZ_MG_ADD_OWNER

Entra ID (Azure AD) Alias: Add Owners (Microsoft Graph)

Affected Object Types: AZ Group, AZ App Registration, AZ Service Principal

Exploitation Certainty: Certain

Graph Permission / Role: Ability to add owners through Microsoft Graph using application permissions: Application.ReadWrite.All (App Registrations, Service Principals), ServicePrincipalEndpoint.ReadWrite.All (Service Principals), Group.ReadWrite.All (Groups), Directory.ReadWrite.All (Groups), RoleManagement.ReadWrite.Directory (Groups, App Registrations - requires additional permissions)

Description

AZ_MG_ADD_OWNER represents the ability for a principal to add new owners to Microsoft Entra objects via Microsoft Graph, including:

  • Groups - Owners can add/remove members, add/remove other owners, and update group settings.

  • App Registrations - Owners can manage app credentials, permissions, and configuration.

  • Service Principals - Owners can manage credentials and settings for the enterprise application.

Permissions that grant this capability:

Permission                             | Target Objects                          | Notes
---------------------------------------|-----------------------------------------|-------------------------------------------------------------------------
Application.ReadWrite.All              | App Registrations, Service Principals   | Sufficient alone
ServicePrincipalEndpoint.ReadWrite.All | Service Principals                      | Sufficient alone
Group.ReadWrite.All                    | Groups (non-role-assignable)            | For role-assignable groups, requires RoleManagement.ReadWrite.Directory
Directory.ReadWrite.All                | Groups (non-role-assignable)            | For role-assignable groups, requires RoleManagement.ReadWrite.Directory
RoleManagement.ReadWrite.Directory     | Role-assignable Groups, App Registrations | Must be combined with Group.ReadWrite.All or Directory.ReadWrite.All for groups

If the group is role-assignable (isAssignableToRole = true), adding owners requires both Group.ReadWrite.All (or Directory.ReadWrite.All) AND RoleManagement.ReadWrite.Directory. Controlling ownership of role-assignable groups is a high-impact privilege path, especially when the group is used to grant directory roles or Azure RBAC access.

Identification

PowerShell (Microsoft Graph)

Enumerate service principals that have Microsoft Graph application permissions capable of adding owners.

To list current owners of a specific group:
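The enumeration described above, as an added example that is not FSProtect's own code: it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds Application.Read.All and Directory.Read.All (read-only), and that the group id at the end is a placeholder to replace.

```powershell
# Added example (not FSProtect code). Read-only: requires Application.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Graph application permissions from the table above that can add owners
$ownerPerms = @(
    "Application.ReadWrite.All",
    "ServicePrincipalEndpoint.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory"
)

# The Microsoft Graph service principal (well-known appId); its appRoles carry the permission ids
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleMap = @{}
foreach ($role in $graphSp.AppRoles) {
    if ($ownerPerms -contains $role.Value) { $roleMap[$role.Id] = $role.Value }
}

# Application permissions granted to a service principal appear as appRoleAssignments
# on the Graph service principal (resource side), so one call lists every grantee
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All
$findings = foreach ($a in $assignments) {
    if ($roleMap.ContainsKey($a.AppRoleId)) {
        [pscustomobject]@{
            ServicePrincipal = $a.PrincipalDisplayName
            PrincipalId      = $a.PrincipalId
            Permission       = $roleMap[$a.AppRoleId]
        }
    }
}
$findings | Sort-Object ServicePrincipal, Permission | Format-Table -AutoSize

# Current owners of one group, plus whether it is role-assignable (higher impact per the table)
$groupId = "<group-object-id>"   # placeholder: object id of the group to inspect
$group = Get-MgGroup -GroupId $groupId -Property "id,displayName,isAssignableToRole"
"Group '$($group.DisplayName)' isAssignableToRole = $($group.IsAssignableToRole)"
Get-MgGroupOwner -GroupId $groupId -All |
    Select-Object Id, @{n = "DisplayName"; e = { $_.AdditionalProperties["displayName"] } }
```

A service principal listed by the first query with Group.ReadWrite.All or Directory.ReadWrite.All alone cannot add owners to a role-assignable group; one that also holds RoleManagement.ReadWrite.Directory can, so review those entries first.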

Azure GUI

  • Open Microsoft Entra admin center -> Groups -> select the target group -> Owners.

  • For applications: Enterprise applications -> select the app -> Owners.

  • To check permissions: Enterprise applications -> select the app -> Permissions.

    • Under Microsoft Graph -> review Application permissions for:

      • Application.ReadWrite.All

      • ServicePrincipalEndpoint.ReadWrite.All

      • Group.ReadWrite.All

      • Directory.ReadWrite.All

      • RoleManagement.ReadWrite.Directory (requires additional permissions)

Exploitation

An attacker with permissions to add owners can escalate privileges by adding themselves (or a controlled identity) as an owner of sensitive objects. This grants persistent administrative control over the target.

Add Owner to Group

Add Owner to App Registration

Add Owner to Service Principal

Mitigation

  • Protect sensitive objects

    • Minimize the number of owners on sensitive groups, app registrations, and service principals.

    • For role-assignable groups, use Privileged Identity Management (PIM) for Groups to require just-in-time activation.

  • Reduce Microsoft Graph application permissions

    • Go to Microsoft Entra admin center -> Enterprise applications -> select the app -> Permissions.

    • Review and remove unnecessary permissions:

      • Application.ReadWrite.All

      • ServicePrincipalEndpoint.ReadWrite.All

      • Group.ReadWrite.All

      • Directory.ReadWrite.All

      • RoleManagement.ReadWrite.Directory

  • Restrict admin consent

    • Go to Microsoft Entra admin center -> Enterprise applications -> Consent and permissions.

    • Restrict who can grant tenant-wide admin consent for high-privilege Graph permissions.

  • Regular access reviews

    • Go to Identity Governance -> Access Reviews.

    • Review owners of sensitive groups, app registrations, and service principals.

Detection

Monitor Microsoft Entra Audit logs for owner changes.

  • Go to Microsoft Entra ID -> Audit logs.

  • Filter by activities:

    • Add owner to group

    • Add owner to application

    • Add owner to service principal

  • Ensure the view includes:

    • Activity

    • Initiated by (actor)

    • Target resources

Alert on owner changes for:

  • Role-assignable groups.

  • Applications with privileged Graph permissions.

  • Service principals used by automation or infrastructure.
