AZ_MG_DANGEROUS_PERMISSION

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

High-Risk Microsoft Graph Permissions

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Various high-risk application permissions

Description

AZ_MG_DANGEROUS_PERMISSION represents Microsoft Graph application permissions that can be abused for privilege escalation, persistence, or data exfiltration.

Tier 0 - Direct (Immediate Privilege Escalation):

Permission

GUID

RoleManagement.ReadWrite.Directory

9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8

RoleAssignmentSchedule.ReadWrite.Directory

dd199f4a-f148-40a4-a2ec-f0069cc799ec

Policy.ReadWrite.ConditionalAccess

01c0a623-fc9b-48e9-b794-0756f8e8f067

DelegatedAdminRelationship.ReadWrite.All

cc13eba4-8cd8-44c6-b4d4-f93237adce58

PrivilegedAccess.ReadWrite.AzureADGroup

2f6817f8-7b12-4f0f-bc18-eeaf60705a9e

PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup

41202f2c-f7ab-45be-b001-85c9728b9d69

UserAuthenticationMethod.ReadWrite.All

50483e42-d915-4231-9639-7fdb7fd190e5

User.DeleteRestore.All

eccc023d-eccf-4e7b-9683-8813ab36cecc

User.EnableDisableAccount.All

3011c876-62b7-4ada-afa2-506cbbecc68c

Tier 0 - Indirect (Requires Additional Steps):

Permission

GUID

AppRoleAssignment.ReadWrite.All

06b708a9-e830-4db3-a914-8e69da51d44f

Application.ReadWrite.All

1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9

Application.ReadWrite.OwnedBy

18a4783c-866b-4cc7-a460-3d5e5662c884

Directory.ReadWrite.All

19dbc75e-c2e2-444c-a770-ec69d8559fc7

Group.ReadWrite.All

62a82d76-70ea-41e2-9197-370581804d09

GroupMember.ReadWrite.All

dbaae8cf-10b5-4b86-a4a1-f871c94c6695

User.ReadWrite.All

741f803b-c850-494e-b5df-cde7c675a1ca

User-PasswordProfile.ReadWrite.All

cc117bb9-00cf-4eb8-b580-ea2a878fe8f7

Domain.ReadWrite.All

7e05723c-0bb0-42da-be95-ae9f08a6e53c

Organization.ReadWrite.All

292d869f-3427-49a8-9dab-8c70152b74e9

AdministrativeUnit.ReadWrite.All

5eb59dd3-1da2-4329-8733-9dabdc435916

EntitlementManagement.ReadWrite.All

9acd699f-1e81-4958-b001-93b1d2506e19

Synchronization.ReadWrite.All

9b50c33d-700f-43b1-b2eb-87e89b703581

Policy.ReadWrite.AuthenticationMethod

29c18626-4985-4dcd-85c0-193eef327366

Policy.ReadWrite.PermissionGrant

a402ca1c-2696-4531-972d-6e5ee4aa11ea

PrivilegedAccess.ReadWrite.AzureAD

854d9ab1-6657-4ec8-be45-823027bcd009

PrivilegedAccess.ReadWrite.AzureResources

6f9d5abc-2db6-400b-a267-7de22a40fb87

PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup

618b6020-bca8-4de6-99f6-ef445fa4d857

RoleEligibilitySchedule.ReadWrite.Directory

fee28b28-e1f3-4841-818e-2704dc62245f

RoleManagementPolicy.ReadWrite.AzureADGroup

b38dcc4d-a239-4ed6-aa84-6c65b284f97c

RoleManagementPolicy.ReadWrite.Directory

31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad

SecurityIdentitiesActions.ReadWrite.All

af2bf46f-7bf1-4be3-8bad-e17e279e8462

SignInIdentifier.ReadWrite.All

7fc588a2-ea2d-4d1f-bcf7-33c324b149b8

DeviceManagementConfiguration.ReadWrite.All

9241abd9-d0e6-425a-bd4f-47ba86e767a4

DeviceManagementRBAC.ReadWrite.All

e330c4f0-4170-414e-a55a-2f022ec2b57b

DeviceManagementScripts.ReadWrite.All

9255e99d-faf5-445e-bbf7-cb71482737c4

Group-OnPremisesSyncBehavior.ReadWrite.All

2d9bd318-b883-40be-9df7-63ec4fcdc424

Identification

PowerShell (Microsoft Graph)

Find Service Principals with Dangerous Permissions:

Connect-MgGraph -Scopes "Application.Read.All"

# Tier 0 Direct - Immediate privilege escalation
$tier0Direct = @{
    "cc13eba4-8cd8-44c6-b4d4-f93237adce58" = "DelegatedAdminRelationship.ReadWrite.All"
    "01c0a623-fc9b-48e9-b794-0756f8e8f067" = "Policy.ReadWrite.ConditionalAccess"
    "2f6817f8-7b12-4f0f-bc18-eeaf60705a9e" = "PrivilegedAccess.ReadWrite.AzureADGroup"
    "41202f2c-f7ab-45be-b001-85c9728b9d69" = "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"
    "dd199f4a-f148-40a4-a2ec-f0069cc799ec" = "RoleAssignmentSchedule.ReadWrite.Directory"
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" = "RoleManagement.ReadWrite.Directory"
    "eccc023d-eccf-4e7b-9683-8813ab36cecc" = "User.DeleteRestore.All"
    "3011c876-62b7-4ada-afa2-506cbbecc68c" = "User.EnableDisableAccount.All"
    "50483e42-d915-4231-9639-7fdb7fd190e5" = "UserAuthenticationMethod.ReadWrite.All"
}

# Tier 0 Indirect - Requires additional steps
$tier0Indirect = @{
    "5eb59dd3-1da2-4329-8733-9dabdc435916" = "AdministrativeUnit.ReadWrite.All"
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" = "Application.ReadWrite.All"
    "18a4783c-866b-4cc7-a460-3d5e5662c884" = "Application.ReadWrite.OwnedBy"
    "06b708a9-e830-4db3-a914-8e69da51d44f" = "AppRoleAssignment.ReadWrite.All"
    "9241abd9-d0e6-425a-bd4f-47ba86e767a4" = "DeviceManagementConfiguration.ReadWrite.All"
    "e330c4f0-4170-414e-a55a-2f022ec2b57b" = "DeviceManagementRBAC.ReadWrite.All"
    "9255e99d-faf5-445e-bbf7-cb71482737c4" = "DeviceManagementScripts.ReadWrite.All"
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7" = "Directory.ReadWrite.All"
    "7e05723c-0bb0-42da-be95-ae9f08a6e53c" = "Domain.ReadWrite.All"
    "9acd699f-1e81-4958-b001-93b1d2506e19" = "EntitlementManagement.ReadWrite.All"
    "62a82d76-70ea-41e2-9197-370581804d09" = "Group.ReadWrite.All"
    "dbaae8cf-10b5-4b86-a4a1-f871c94c6695" = "GroupMember.ReadWrite.All"
    "292d869f-3427-49a8-9dab-8c70152b74e9" = "Organization.ReadWrite.All"
    "29c18626-4985-4dcd-85c0-193eef327366" = "Policy.ReadWrite.AuthenticationMethod"
    "a402ca1c-2696-4531-972d-6e5ee4aa11ea" = "Policy.ReadWrite.PermissionGrant"
    "854d9ab1-6657-4ec8-be45-823027bcd009" = "PrivilegedAccess.ReadWrite.AzureAD"
    "6f9d5abc-2db6-400b-a267-7de22a40fb87" = "PrivilegedAccess.ReadWrite.AzureResources"
    "618b6020-bca8-4de6-99f6-ef445fa4d857" = "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"
    "fee28b28-e1f3-4841-818e-2704dc62245f" = "RoleEligibilitySchedule.ReadWrite.Directory"
    "b38dcc4d-a239-4ed6-aa84-6c65b284f97c" = "RoleManagementPolicy.ReadWrite.AzureADGroup"
    "31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad" = "RoleManagementPolicy.ReadWrite.Directory"
    "af2bf46f-7bf1-4be3-8bad-e17e279e8462" = "SecurityIdentitiesActions.ReadWrite.All"
    "7fc588a2-ea2d-4d1f-bcf7-33c324b149b8" = "SignInIdentifier.ReadWrite.All"
    "9b50c33d-700f-43b1-b2eb-87e89b703581" = "Synchronization.ReadWrite.All"
    "741f803b-c850-494e-b5df-cde7c675a1ca" = "User.ReadWrite.All"
    "cc117bb9-00cf-4eb8-b580-ea2a878fe8f7" = "User-PasswordProfile.ReadWrite.All"
    "2d9bd318-b883-40be-9df7-63ec4fcdc424" = "Group-OnPremisesSyncBehavior.ReadWrite.All"
}

$allDangerous = $tier0Direct + $tier0Indirect
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | Where-Object {
    $allDangerous.ContainsKey($_.AppRoleId.ToString())
} | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    $permId = $_.AppRoleId.ToString()
    $tier = if ($tier0Direct.ContainsKey($permId)) { "Direct" } else { "Indirect" }
    [PSCustomObject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Permission  = $allDangerous[$permId]
        Tier        = $tier
    }
} | Sort-Object Tier, Permission | Format-Table -AutoSize

Azure GUI

Microsoft Entra admin center -> Applications -> Enterprise applications
Select application -> Permissions
Review granted API permissions for dangerous permissions listed above

Exploitation

Exploitation depends on which dangerous permission the service principal has. See the specific edge documentation:

Tier 0 Direct:

AZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY - Assign any directory role
AZ_MG_GRANT_ROLE - Grant directory roles

Tier 0 Indirect:

AZ_MG_APPROLEASSIGNMENT_READWRITE_ALL - Grant app permissions
AZ_MG_APPLICATION_READWRITE_ALL - Add credentials to apps
AZ_MG_DIRECTORY_READWRITE_ALL - Modify directory objects
AZ_MG_GROUP_READWRITE_ALL - Modify groups
AZ_MG_GROUPMEMBER_READWRITE_ALL - Add/remove group members

Mitigation

Audit and remove unnecessary dangerous permissions from service principals
Apply least privilege: Use read-only permissions where possible
Prioritize Tier 0 Direct: Remove or closely monitor these permissions first
Regular access reviews for applications with dangerous permissions
Alert on new grants of dangerous permissions

Detection

PowerShell (Microsoft Graph)

Connect-MgGraph -Scopes "AuditLog.Read.All"

Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add app role assignment to service principal'" -Top 50 | ForEach-Object {
    [PSCustomObject]@{
        DateTime = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Actor    = $_.InitiatedBy.App.DisplayName ?? $_.InitiatedBy.User.UserPrincipalName
        Target   = $_.TargetResources[0].DisplayName
    }
} | Format-Table -AutoSize

Azure GUI

Microsoft Entra ID -> Audit logs -> Filter: Add app role assignment to service principal

References

https://learn.microsoft.com/en-us/graph/permissions-reference

PreviousAZ_MG_APPROLEASSIGNMENT_READWRITE_ALL NextAZ_MG_DIRECTORY_READWRITE_ALL

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagExploitation

hashtagMitigation

hashtagDetection

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagReferences

Summary

Description

Identification

PowerShell (Microsoft Graph)

Azure GUI

Exploitation

Mitigation

Detection

PowerShell (Microsoft Graph)

Azure GUI

References