# AZ\_MG\_DANGEROUS\_PERMISSION

## Summary

|                               |                                           |
| ----------------------------- | ----------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_MG\_DANGEROUS\_PERMISSION             |
| **Entra ID (Azure AD) Alias** | High-Risk Microsoft Graph Permissions     |
| **Affected Object Types**     | Service Principals, Applications          |
| **Exploitation Certainty**    | Certain                                   |
| **Graph Permission / Role**   | Various high-risk application permissions |

## Description

`AZ_MG_DANGEROUS_PERMISSION` represents Microsoft Graph application permissions that can be abused for privilege escalation, persistence, or data exfiltration.

**Tier 0 - Direct (Immediate Privilege Escalation):**

| Permission                                            | GUID                                 |
| ----------------------------------------------------- | ------------------------------------ |
| `RoleManagement.ReadWrite.Directory`                  | 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 |
| `RoleAssignmentSchedule.ReadWrite.Directory`          | dd199f4a-f148-40a4-a2ec-f0069cc799ec |
| `Policy.ReadWrite.ConditionalAccess`                  | 01c0a623-fc9b-48e9-b794-0756f8e8f067 |
| `DelegatedAdminRelationship.ReadWrite.All`            | cc13eba4-8cd8-44c6-b4d4-f93237adce58 |
| `PrivilegedAccess.ReadWrite.AzureADGroup`             | 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e |
| `PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup` | 41202f2c-f7ab-45be-b001-85c9728b9d69 |
| `UserAuthenticationMethod.ReadWrite.All`              | 50483e42-d915-4231-9639-7fdb7fd190e5 |
| `User.DeleteRestore.All`                              | eccc023d-eccf-4e7b-9683-8813ab36cecc |
| `User.EnableDisableAccount.All`                       | 3011c876-62b7-4ada-afa2-506cbbecc68c |

**Tier 0 - Indirect (Requires Additional Steps):**

| Permission                                             | GUID                                 |
| ------------------------------------------------------ | ------------------------------------ |
| `AppRoleAssignment.ReadWrite.All`                      | 06b708a9-e830-4db3-a914-8e69da51d44f |
| `Application.ReadWrite.All`                            | 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 |
| `Application.ReadWrite.OwnedBy`                        | 18a4783c-866b-4cc7-a460-3d5e5662c884 |
| `Directory.ReadWrite.All`                              | 19dbc75e-c2e2-444c-a770-ec69d8559fc7 |
| `Group.ReadWrite.All`                                  | 62a82d76-70ea-41e2-9197-370581804d09 |
| `GroupMember.ReadWrite.All`                            | dbaae8cf-10b5-4b86-a4a1-f871c94c6695 |
| `User.ReadWrite.All`                                   | 741f803b-c850-494e-b5df-cde7c675a1ca |
| `User-PasswordProfile.ReadWrite.All`                   | cc117bb9-00cf-4eb8-b580-ea2a878fe8f7 |
| `Domain.ReadWrite.All`                                 | 7e05723c-0bb0-42da-be95-ae9f08a6e53c |
| `Organization.ReadWrite.All`                           | 292d869f-3427-49a8-9dab-8c70152b74e9 |
| `AdministrativeUnit.ReadWrite.All`                     | 5eb59dd3-1da2-4329-8733-9dabdc435916 |
| `EntitlementManagement.ReadWrite.All`                  | 9acd699f-1e81-4958-b001-93b1d2506e19 |
| `Synchronization.ReadWrite.All`                        | 9b50c33d-700f-43b1-b2eb-87e89b703581 |
| `Policy.ReadWrite.AuthenticationMethod`                | 29c18626-4985-4dcd-85c0-193eef327366 |
| `Policy.ReadWrite.PermissionGrant`                     | a402ca1c-2696-4531-972d-6e5ee4aa11ea |
| `PrivilegedAccess.ReadWrite.AzureAD`                   | 854d9ab1-6657-4ec8-be45-823027bcd009 |
| `PrivilegedAccess.ReadWrite.AzureResources`            | 6f9d5abc-2db6-400b-a267-7de22a40fb87 |
| `PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup` | 618b6020-bca8-4de6-99f6-ef445fa4d857 |
| `RoleEligibilitySchedule.ReadWrite.Directory`          | fee28b28-e1f3-4841-818e-2704dc62245f |
| `RoleManagementPolicy.ReadWrite.AzureADGroup`          | b38dcc4d-a239-4ed6-aa84-6c65b284f97c |
| `RoleManagementPolicy.ReadWrite.Directory`             | 31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad |
| `SecurityIdentitiesActions.ReadWrite.All`              | af2bf46f-7bf1-4be3-8bad-e17e279e8462 |
| `SignInIdentifier.ReadWrite.All`                       | 7fc588a2-ea2d-4d1f-bcf7-33c324b149b8 |
| `DeviceManagementConfiguration.ReadWrite.All`          | 9241abd9-d0e6-425a-bd4f-47ba86e767a4 |
| `DeviceManagementRBAC.ReadWrite.All`                   | e330c4f0-4170-414e-a55a-2f022ec2b57b |
| `DeviceManagementScripts.ReadWrite.All`                | 9255e99d-faf5-445e-bbf7-cb71482737c4 |
| `Group-OnPremisesSyncBehavior.ReadWrite.All`           | 2d9bd318-b883-40be-9df7-63ec4fcdc424 |

## Identification

### PowerShell (Microsoft Graph)

**Find Service Principals with Dangerous Permissions:**

```powershell
Connect-MgGraph -Scopes "Application.Read.All"

# Tier 0 Direct - Immediate privilege escalation
$tier0Direct = @{
    "cc13eba4-8cd8-44c6-b4d4-f93237adce58" = "DelegatedAdminRelationship.ReadWrite.All"
    "01c0a623-fc9b-48e9-b794-0756f8e8f067" = "Policy.ReadWrite.ConditionalAccess"
    "2f6817f8-7b12-4f0f-bc18-eeaf60705a9e" = "PrivilegedAccess.ReadWrite.AzureADGroup"
    "41202f2c-f7ab-45be-b001-85c9728b9d69" = "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"
    "dd199f4a-f148-40a4-a2ec-f0069cc799ec" = "RoleAssignmentSchedule.ReadWrite.Directory"
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" = "RoleManagement.ReadWrite.Directory"
    "eccc023d-eccf-4e7b-9683-8813ab36cecc" = "User.DeleteRestore.All"
    "3011c876-62b7-4ada-afa2-506cbbecc68c" = "User.EnableDisableAccount.All"
    "50483e42-d915-4231-9639-7fdb7fd190e5" = "UserAuthenticationMethod.ReadWrite.All"
}

# Tier 0 Indirect - Requires additional steps
$tier0Indirect = @{
    "5eb59dd3-1da2-4329-8733-9dabdc435916" = "AdministrativeUnit.ReadWrite.All"
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" = "Application.ReadWrite.All"
    "18a4783c-866b-4cc7-a460-3d5e5662c884" = "Application.ReadWrite.OwnedBy"
    "06b708a9-e830-4db3-a914-8e69da51d44f" = "AppRoleAssignment.ReadWrite.All"
    "9241abd9-d0e6-425a-bd4f-47ba86e767a4" = "DeviceManagementConfiguration.ReadWrite.All"
    "e330c4f0-4170-414e-a55a-2f022ec2b57b" = "DeviceManagementRBAC.ReadWrite.All"
    "9255e99d-faf5-445e-bbf7-cb71482737c4" = "DeviceManagementScripts.ReadWrite.All"
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7" = "Directory.ReadWrite.All"
    "7e05723c-0bb0-42da-be95-ae9f08a6e53c" = "Domain.ReadWrite.All"
    "9acd699f-1e81-4958-b001-93b1d2506e19" = "EntitlementManagement.ReadWrite.All"
    "62a82d76-70ea-41e2-9197-370581804d09" = "Group.ReadWrite.All"
    "dbaae8cf-10b5-4b86-a4a1-f871c94c6695" = "GroupMember.ReadWrite.All"
    "292d869f-3427-49a8-9dab-8c70152b74e9" = "Organization.ReadWrite.All"
    "29c18626-4985-4dcd-85c0-193eef327366" = "Policy.ReadWrite.AuthenticationMethod"
    "a402ca1c-2696-4531-972d-6e5ee4aa11ea" = "Policy.ReadWrite.PermissionGrant"
    "854d9ab1-6657-4ec8-be45-823027bcd009" = "PrivilegedAccess.ReadWrite.AzureAD"
    "6f9d5abc-2db6-400b-a267-7de22a40fb87" = "PrivilegedAccess.ReadWrite.AzureResources"
    "618b6020-bca8-4de6-99f6-ef445fa4d857" = "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"
    "fee28b28-e1f3-4841-818e-2704dc62245f" = "RoleEligibilitySchedule.ReadWrite.Directory"
    "b38dcc4d-a239-4ed6-aa84-6c65b284f97c" = "RoleManagementPolicy.ReadWrite.AzureADGroup"
    "31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad" = "RoleManagementPolicy.ReadWrite.Directory"
    "af2bf46f-7bf1-4be3-8bad-e17e279e8462" = "SecurityIdentitiesActions.ReadWrite.All"
    "7fc588a2-ea2d-4d1f-bcf7-33c324b149b8" = "SignInIdentifier.ReadWrite.All"
    "9b50c33d-700f-43b1-b2eb-87e89b703581" = "Synchronization.ReadWrite.All"
    "741f803b-c850-494e-b5df-cde7c675a1ca" = "User.ReadWrite.All"
    "cc117bb9-00cf-4eb8-b580-ea2a878fe8f7" = "User-PasswordProfile.ReadWrite.All"
    "2d9bd318-b883-40be-9df7-63ec4fcdc424" = "Group-OnPremisesSyncBehavior.ReadWrite.All"
}

$allDangerous = $tier0Direct + $tier0Indirect

# Microsoft Graph first-party service principal; its appId is the same in every tenant.
# Application permissions are app role assignments on this resource, so listing the
# assignments made *to* it enumerates every principal holding a Graph application permission.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | Where-Object {
    $allDangerous.ContainsKey($_.AppRoleId.ToString())
} | ForEach-Object {
    # PrincipalId is the service principal that was granted the role; resolve it for AppId/DisplayName
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    $permId = $_.AppRoleId.ToString()
    $tier = if ($tier0Direct.ContainsKey($permId)) { "Direct" } else { "Indirect" }
    [PSCustomObject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Permission  = $allDangerous[$permId]
        Tier        = $tier
    }
} | Sort-Object Tier, Permission | Format-Table -AutoSize
```

### Azure GUI

1. **Microsoft Entra admin center** -> **Applications** -> **Enterprise applications**
2. Select application -> **Permissions**
3. Review granted API permissions for dangerous permissions listed above

## Exploitation

Exploitation depends on which dangerous permission the service principal has. See the specific edge documentation:

**Tier 0 Direct:**

* [AZ\_MG\_ROLEMANAGEMENT\_READWRITE\_DIRECTORY](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY/README.md) - Assign any directory role
* [AZ\_MG\_GRANT\_ROLE](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_GRANT_ROLE/README.md) - Grant directory roles

**Tier 0 Indirect:**

* [AZ\_MG\_APPROLEASSIGNMENT\_READWRITE\_ALL](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_APPROLEASSIGNMENT_READWRITE_ALL/README.md) - Grant app permissions
* [AZ\_MG\_APPLICATION\_READWRITE\_ALL](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_APPLICATION_READWRITE_ALL/README.md) - Add credentials to apps
* [AZ\_MG\_DIRECTORY\_READWRITE\_ALL](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_DIRECTORY_READWRITE_ALL/README.md) - Modify directory objects
* [AZ\_MG\_GROUP\_READWRITE\_ALL](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_GROUP_READWRITE_ALL/README.md) - Modify groups
* [AZ\_MG\_GROUPMEMBER\_READWRITE\_ALL](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_GROUPMEMBER_READWRITE_ALL/README.md) - Add/remove group members

## Mitigation

* **Audit and remove** unnecessary dangerous permissions from service principals
* **Apply least privilege**: Use read-only permissions where possible
* **Prioritize Tier 0 Direct**: Remove or closely monitor these permissions first
* **Regular access reviews** for applications with dangerous permissions
* **Alert on new grants** of dangerous permissions
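
The following script is an added example, not part of the FSProtect knowledge base, that turns the first three mitigation points into a repeatable audit-and-remove job. It goes beyond the identification script above in two ways: it resolves the dangerous permission names to app role GUIDs at runtime from the Microsoft Graph service principal's own `AppRoles` (so no GUIDs are hardcoded and a stale ID cannot silently drop a permission from the check), and it compares every grant against an allowlist of approved application/permission pairs before removing anything. The `$approved` table holds constructed placeholder values, the CSV path and the `-WhatIf` default are choices made for this example, and the Microsoft.Graph PowerShell SDK is assumed to be installed.

```powershell
# Added example (not FSProtect code): audit dangerous Graph application permissions
# against an allowlist and remove unapproved grants (dry-run by default via -WhatIf).
# AppRoleAssignment.ReadWrite.All is needed only for the removal step.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Permission names from the tiers in the Description section; GUIDs are resolved below.
$tier0Direct = @(
    "RoleManagement.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory",
    "Policy.ReadWrite.ConditionalAccess", "DelegatedAdminRelationship.ReadWrite.All",
    "PrivilegedAccess.ReadWrite.AzureADGroup", "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
    "UserAuthenticationMethod.ReadWrite.All", "User.DeleteRestore.All", "User.EnableDisableAccount.All"
)
$tier0Indirect = @(
    "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All", "Application.ReadWrite.OwnedBy",
    "Directory.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
    "User.ReadWrite.All", "User-PasswordProfile.ReadWrite.All", "Domain.ReadWrite.All",
    "Organization.ReadWrite.All", "AdministrativeUnit.ReadWrite.All", "EntitlementManagement.ReadWrite.All",
    "Synchronization.ReadWrite.All", "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.PermissionGrant",
    "PrivilegedAccess.ReadWrite.AzureAD", "PrivilegedAccess.ReadWrite.AzureResources",
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup", "RoleEligibilitySchedule.ReadWrite.Directory",
    "RoleManagementPolicy.ReadWrite.AzureADGroup", "RoleManagementPolicy.ReadWrite.Directory",
    "SecurityIdentitiesActions.ReadWrite.All", "SignInIdentifier.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementScripts.ReadWrite.All", "Group-OnPremisesSyncBehavior.ReadWrite.All"
)

# Allowlist: appId -> permissions that application is approved to hold.
# Constructed placeholder entry; replace with the tenant's reviewed exceptions.
$approved = @{
    "00000000-0000-0000-0000-000000000000" = @("Group.ReadWrite.All")
}

# Microsoft Graph first-party service principal (constant appId in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Build app role GUID -> { Name, Tier } from the Graph SP's published appRoles.
$roleMap = @{}
foreach ($role in $graphSp.AppRoles) {
    if ($tier0Direct -contains $role.Value) {
        $roleMap[$role.Id.ToString()] = @{ Name = $role.Value; Tier = "Direct" }
    } elseif ($tier0Indirect -contains $role.Value) {
        $roleMap[$role.Id.ToString()] = @{ Name = $role.Value; Tier = "Indirect" }
    }
}

# Every assignment "to" the Graph SP is one application permission held by some principal.
$findings = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $roleMap.ContainsKey($_.AppRoleId.ToString()) } |
    ForEach-Object {
        $role = $roleMap[$_.AppRoleId.ToString()]
        $sp   = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
        $isApproved = $approved.ContainsKey($sp.AppId) -and ($approved[$sp.AppId] -contains $role.Name)
        [PSCustomObject]@{
            AssignmentId = $_.Id
            PrincipalId  = $_.PrincipalId
            DisplayName  = $sp.DisplayName
            AppId        = $sp.AppId
            Permission   = $role.Name
            Tier         = $role.Tier
            Approved     = $isApproved
        }
    }

# Report Direct tier first (alphabetical order of the Tier value) and keep a CSV as the audit record.
$findings | Sort-Object Tier, Permission | Format-Table DisplayName, Permission, Tier, Approved -AutoSize
$findings | Export-Csv -Path ".\dangerous-graph-grants.csv" -NoTypeInformation

# Remove every grant not covered by the allowlist. -WhatIf only previews the deletions;
# remove it once the CSV has been reviewed to actually revoke the permissions.
$findings | Where-Object { -not $_.Approved } | ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.PrincipalId `
        -AppRoleAssignmentId $_.AssignmentId -WhatIf
}
```

Run it once with `-WhatIf` left in place and review the CSV; the `Approved` column is the reviewed exception list, so anything marked `False` in the Direct tier should be treated as a finding to remove first, in line with the prioritization above. Removing an assignment takes effect for new tokens only; tokens already issued to the application keep the permission until they expire.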

## Detection

### PowerShell (Microsoft Graph)

```powershell
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Each "Add app role assignment to service principal" event is one application-permission grant.
# Note: the null-coalescing operator (??) requires PowerShell 7+; on Windows PowerShell 5.1 use if/else.
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add app role assignment to service principal'" -Top 50 | ForEach-Object {
    [PSCustomObject]@{
        DateTime = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        # Grants performed by an application have InitiatedBy.App set; interactive grants have InitiatedBy.User
        Actor    = $_.InitiatedBy.App.DisplayName ?? $_.InitiatedBy.User.UserPrincipalName
        Target   = $_.TargetResources[0].DisplayName
    }
} | Format-Table -AutoSize
```
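
The audit query above lists every grant; the script below is an added example (not from the FSProtect page) that triages those events so an analyst sees the dangerous ones first. It reads the granted permission name out of the event's modified properties, rates it against the Tier 0 Direct list from the Description section, and records whether the grant was performed by a user or by another application, since an application granting permissions to a service principal is the pattern to look at closely. The property names `AppRole.Value` and `ServicePrincipal.AppId`, the seven-day window and the severity labels are assumptions made for this example; the Indirect tier names from the table can be added to `$tier0Direct` the same way if a single list is preferred. Requires PowerShell 7 for the `??` operator.

```powershell
# Added example (not FSProtect code): rate recent Graph app-permission grants by tier and actor type.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Tier 0 Direct permission names from the Description section.
$tier0Direct = @(
    "RoleManagement.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory",
    "Policy.ReadWrite.ConditionalAccess", "DelegatedAdminRelationship.ReadWrite.All",
    "PrivilegedAccess.ReadWrite.AzureADGroup", "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
    "UserAuthenticationMethod.ReadWrite.All", "User.DeleteRestore.All", "User.EnableDisableAccount.All"
)

# Look-back window (assumption: 7 days); activityDateTime must be ISO 8601 UTC in the filter.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Add app role assignment to service principal' and activityDateTime ge $since"

function Get-ModifiedValue {
    param($entry, [string]$name)
    # modifiedProperties carry newValue as a JSON-encoded string, e.g. "\"User.ReadWrite.All\"";
    # strip the surrounding quotes. Property names are assumptions (see lead-in).
    $prop = $entry.TargetResources |
        ForEach-Object { $_.ModifiedProperties } |
        Where-Object { $_.DisplayName -eq $name } |
        Select-Object -First 1
    if ($null -ne $prop -and $prop.NewValue) { return $prop.NewValue.Trim('"') }
    return $null
}

Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
    $perm      = Get-ModifiedValue $_ "AppRole.Value"
    $actorApp  = $_.InitiatedBy.App.DisplayName
    $actorUser = $_.InitiatedBy.User.UserPrincipalName
    [PSCustomObject]@{
        DateTime   = $_.ActivityDateTime
        Result     = $_.Result
        Actor      = $actorApp ?? $actorUser
        # A grant initiated by an application rather than a signed-in user deserves a closer look
        ActorType  = if ($actorApp) { "ServicePrincipal" } else { "User" }
        Principal  = $_.TargetResources[0].DisplayName
        AppId      = Get-ModifiedValue $_ "ServicePrincipal.AppId"
        Permission = $perm
        Severity   = if ($tier0Direct -contains $perm) { "Tier0-Direct" }
                     elseif ($perm -like "*.ReadWrite.*") { "Review" }
                     else { "Info" }
    }
} | Where-Object { $_.Severity -ne "Info" } | Sort-Object DateTime -Descending | Format-Table -AutoSize
```

Feeding the same filter into a scheduled job and raising an alert whenever a `Tier0-Direct` row appears implements the "alert on new grants" mitigation without waiting for the next manual review.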

### Azure GUI

* **Microsoft Entra ID** -> **Audit logs** -> Filter: **Add app role assignment to service principal**

## References

* <https://learn.microsoft.com/en-us/graph/permissions-reference>
