AZ_MG_DANGEROUS_PERMISSION

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

High-Risk Microsoft Graph Permissions

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Various high-risk application permissions

Description

AZ_MG_DANGEROUS_PERMISSION represents a category of Microsoft Graph application permissions that grant significant access to tenant resources and can be abused for privilege escalation, persistence, or data exfiltration. These permissions are considered "dangerous" because they allow actions that could compromise tenant security if the service principal is compromised.

High-Risk Permissions Include:

Permission

GUID

Risk

RoleManagement.ReadWrite.Directory

9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8

Assign any directory role to any principal

AppRoleAssignment.ReadWrite.All

06b708a9-e830-4db3-a914-8e69da51d44f

Grant any app permission to any service principal

Application.ReadWrite.All

1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9

Modify any application, add credentials

Directory.ReadWrite.All

19dbc75e-c2e2-444c-a770-ec69d8559fc7

Read/write all directory objects

Group.ReadWrite.All

62a82d76-70ea-41e2-9197-370581804d09

Modify any group membership

GroupMember.ReadWrite.All

dbaae8cf-10b5-4b86-a4a1-f871c94c6695

Add/remove members from any group

User.ReadWrite.All

741f803b-c850-494e-b5df-cde7c675a1ca

Modify any user account

ServicePrincipalEndpoint.ReadWrite.All

89c8469c-83ad-45f7-8ff2-6e3d4285709b

Modify service principal endpoints

Policy.ReadWrite.ConditionalAccess

ad9c9c04-1cf4-4e97-9fdb-7de1d1ef1635

Modify conditional access policies

Mail.ReadWrite

e2a3a72e-5f79-4c64-b1b1-878b674786c9

Read/write all mailboxes

Abuse Scenarios:

Privilege Escalation: Use RoleManagement.ReadWrite.Directory to assign Global Administrator role.
Persistence: Use Application.ReadWrite.All to add backdoor credentials to applications.
Permission Escalation: Use AppRoleAssignment.ReadWrite.All to grant additional permissions.
Lateral Movement: Use Group.ReadWrite.All to add accounts to privileged groups.
Policy Bypass: Use Policy.ReadWrite.ConditionalAccess to weaken security policies.

Identification

Find Service Principals with Dangerous Permissions

find-dangerous-permissions.ps1

Connect-AzAccount

# Define dangerous permission GUIDs
$dangerousPermissions = @{
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" = "RoleManagement.ReadWrite.Directory"
    "06b708a9-e830-4db3-a914-8e69da51d44f" = "AppRoleAssignment.ReadWrite.All"
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" = "Application.ReadWrite.All"
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7" = "Directory.ReadWrite.All"
    "62a82d76-70ea-41e2-9197-370581804d09" = "Group.ReadWrite.All"
    "dbaae8cf-10b5-4b86-a4a1-f871c94c6695" = "GroupMember.ReadWrite.All"
    "741f803b-c850-494e-b5df-cde7c675a1ca" = "User.ReadWrite.All"
    "89c8469c-83ad-45f7-8ff2-6e3d4285709b" = "ServicePrincipalEndpoint.ReadWrite.All"
    "ad9c9c04-1cf4-4e97-9fdb-7de1d1ef1635" = "Policy.ReadWrite.ConditionalAccess"
    "e2a3a72e-5f79-4c64-b1b1-878b674786c9" = "Mail.ReadWrite"
}

# Get all service principals with app role assignments
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments"
$allServicePrincipals = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allServicePrincipals += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Host "Retrieved $($allServicePrincipals.Count) service principals"

# Filter for dangerous permissions
$results = @()

foreach ($sp in $allServicePrincipals) {
    foreach ($assignment in $sp.appRoleAssignments) {
        $roleId = $assignment.appRoleId
        if ($dangerousPermissions.ContainsKey($roleId)) {
            $results += [PSCustomObject]@{
                ServicePrincipalName = $sp.displayName
                ServicePrincipalId   = $sp.id
                AppId                = $sp.appId
                PermissionName       = $dangerousPermissions[$roleId]
                PermissionId         = $roleId
                ResourceId           = $assignment.resourceId
                AssignedDateTime     = $assignment.createdDateTime
                RiskLevel            = "High"
            }
        }
    }
}

Write-Host "`nFound $($results.Count) dangerous permission assignments"
$results | Export-Csv -Path ".\DangerousPermissions_ServicePrincipals.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Summarize Dangerous Permissions by Service Principal

summarize-dangerous-permissions.ps1

# Group results by service principal to see which apps have multiple dangerous permissions
$summary = $results | Group-Object ServicePrincipalName | ForEach-Object {
    [PSCustomObject]@{
        ServicePrincipalName = $_.Name
        DangerousPermCount   = $_.Count
        Permissions          = ($_.Group.PermissionName | Sort-Object -Unique) -join ", "
        ServicePrincipalId   = $_.Group[0].ServicePrincipalId
    }
} | Sort-Object DangerousPermCount -Descending

$summary | Format-Table -AutoSize -Wrap

Exploitation

An attacker with access to a service principal holding dangerous permissions can perform privilege escalation attacks depending on which permissions are available. The specific exploitation technique depends on which dangerous permission the service principal has.

RoleManagement.ReadWrite.Directory

If the service principal has RoleManagement.ReadWrite.Directory, the attacker can assign any directory role to any principal, including Global Administrator.

For detailed exploitation techniques and attack scenarios, see AZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY.

AppRoleAssignment.ReadWrite.All

If the service principal has AppRoleAssignment.ReadWrite.All, the attacker can grant any application permission to any service principal, including granting themselves additional dangerous permissions.

For detailed exploitation techniques and attack scenarios, see AZ_MG_APPROLEASSIGNMENT_READWRITE_ALL.

Application.ReadWrite.All

If the service principal has Application.ReadWrite.All, the attacker can add credentials to any application and authenticate as that application's service principal.

For detailed exploitation techniques and attack scenarios, see AZ_MG_APPLICATION_READWRITE_ALL.

Directory.ReadWrite.All

If the service principal has Directory.ReadWrite.All, the attacker can modify directory objects including users, groups, and organizational settings.

For detailed exploitation techniques and attack scenarios, see AZ_MG_DIRECTORY_READWRITE_ALL.

Group.ReadWrite.All / GroupMember.ReadWrite.All

If the service principal has Group.ReadWrite.All or GroupMember.ReadWrite.All, the attacker can add themselves to privileged groups.

For detailed exploitation techniques and attack scenarios, see AZ_MG_GROUP_READWRITE_ALL or AZ_MG_GROUPMEMBER_READWRITE_ALL.

ServicePrincipalEndpoint.ReadWrite.All

If the service principal has ServicePrincipalEndpoint.ReadWrite.All, the attacker can modify service principal endpoints to intercept tokens.

For detailed exploitation techniques and attack scenarios, see AZ_MG_SERVICEPRINCIPALENDPOINT_READWRITE_ALL.

Mitigation

Audit all dangerous permissions and remove unnecessary grants.
- Go to Microsoft Entra ID -> App registrations -> select application -> API permissions.
- Review and remove high-risk permissions that are not required.
Apply least privilege: Use specific permissions instead of broad ones:
- Use User.Read.All instead of User.ReadWrite.All if write access is not needed.
- Use Group.Read.All instead of Group.ReadWrite.All for read-only scenarios.
- Avoid RoleManagement.ReadWrite.Directory and AppRoleAssignment.ReadWrite.All unless absolutely necessary.
Implement Access Reviews for applications with high-privilege permissions:
- Go to Identity Governance -> Access Reviews -> New access review.
- Review applications with dangerous Graph permissions quarterly.
Require approval workflows for granting high-risk permissions.
Monitor permission grants and alert on new dangerous permission assignments.
Use Workload Identity Protection features to detect risky service principal behavior.

Detection

Detect permission grants and suspicious activity in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add app role assignment to service principal
- Add member to role
- Consent to application

Monitor for:

New grants of high-risk permissions to service principals.
Service principals granting permissions to themselves.
Permission grants outside of change management windows.
Applications with multiple dangerous permissions.

References

PreviousAZ_MG_APPROLEASSIGNMENT_READWRITE_ALL NextAZ_MG_DIRECTORY_READWRITE_ALL

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagFind Service Principals with Dangerous Permissions

hashtagSummarize Dangerous Permissions by Service Principal

hashtagExploitation

hashtagMitigation

hashtagDetection

hashtagReferences