AZ_MG_GRANT_APP_ROLES

Summary

FSProtect ACL Alias: AZ_MG_GRANT_APP_ROLES

Entra ID (Azure AD) Alias: Grant App Roles (Microsoft Graph)

Affected Object Types: Service Principals (Enterprise applications), Users, Groups

Exploitation Certainty: Certain

Graph Permission / Role: Ability to create app role assignments via Microsoft Graph, using delegated scopes and/or application permissions such as AppRoleAssignment.ReadWrite.All or Directory.ReadWrite.All, and/or directory roles such as Application Administrator, Cloud Application Administrator, Privileged Role Administrator or Global Administrator.

Description

AZ_MG_GRANT_APP_ROLES represents the ability for a principal to grant app roles via Microsoft Graph by creating app role assignments.

App role assignments can be granted to:

  • A service principal (enterprise application).

  • A user.

  • A group.

By granting an app role to a controlled identity, an attacker can:

  • Assign high-privilege application permissions to a service principal (for example, by assigning Microsoft Graph app roles), then authenticate as that app and act with those privileges.

  • Assign roles in line-of-business applications that gate access to sensitive data or administrative features.

  • Establish persistence by granting roles to long-lived identities (service principals / managed identities).

Therefore, any identity that can grant app roles through Microsoft Graph can quickly escalate privileges or expand access by modifying app role assignments.

Identification

PowerShell (Microsoft Graph)

Enumerate service principals holding Microsoft Graph application permissions that are sufficient to create app role assignments (for example, AppRoleAssignment.ReadWrite.All or Directory.ReadWrite.All).
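The following PowerShell is an added example for this identification step (it is not FSProtect's code or Microsoft's). It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can read service principals (Application.Read.All is assumed to suffice), and it uses the well-known Microsoft Graph appId to find the Graph service principal, then lists every principal that has been assigned one of the two permissions named above. A second function covers step 3 of the GUI procedure (roles assigned inside one enterprise application).

```powershell
# Added example (not FSProtect's code). Assumes the Microsoft.Graph SDK and a
# connection with read access to service principals.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Graph application permissions that allow creating app role assignments (from the page).
$RiskyRoles = @('AppRoleAssignment.ReadWrite.All', 'Directory.ReadWrite.All')

function Get-GraphAppRoleGrantCapableAssignment {
    # Well-known appId of the Microsoft Graph service principal (identical in every tenant).
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    # Map app role GUIDs to their claim values (e.g. 'AppRoleAssignment.ReadWrite.All').
    $roleById = @{}
    foreach ($r in $graphSp.AppRoles) { $roleById[$r.Id] = $r.Value }

    # Every app role assignment whose resource is Microsoft Graph, across all principals.
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
        ForEach-Object {
            $value = $roleById[$_.AppRoleId]
            if ($RiskyRoles -contains $value) {
                [pscustomobject]@{
                    AssignmentId  = $_.Id
                    PrincipalId   = $_.PrincipalId
                    PrincipalName = $_.PrincipalDisplayName
                    PrincipalType = $_.PrincipalType   # ServicePrincipal, User or Group
                    Permission    = $value
                    Created       = $_.CreatedDateTime
                }
            }
        }
}

# Roles assigned inside one enterprise application (the GUI's "Users and groups" view).
function Get-EnterpriseAppRoleAssignment {
    param([Parameter(Mandatory)][string]$DisplayName)
    $safeName = $DisplayName.Replace("'", "''")   # escape for the OData filter
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$safeName'"
    $roleById = @{}
    foreach ($r in $sp.AppRoles) { $roleById[$r.Id] = $r.DisplayName }
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        ForEach-Object {
            # The all-zero role id means "Default Access" (app defines no roles).
            $role = if ($_.AppRoleId -eq '00000000-0000-0000-0000-000000000000') { 'Default Access' }
                    else { $roleById[$_.AppRoleId] }
            [pscustomobject]@{ Principal = $_.PrincipalDisplayName; Type = $_.PrincipalType; Role = $role }
        }
}

# Record the owner and justification for each row this returns (see the GUI steps).
Get-GraphAppRoleGrantCapableAssignment | Sort-Object Permission, PrincipalName | Format-Table -AutoSize
```

Principals returned with PrincipalType ServicePrincipal are the ones this ACL alias is about; users and groups appear only if they were assigned these roles as delegated grants through a different path, and are still worth reviewing.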

Azure GUI

1. Identify service principals with Graph permissions that can grant app roles

  • Go to Microsoft Entra admin center → Enterprise applications.

  • Open the application (service principal).

  • Go to Permissions / API permissions.

  • Under Microsoft Graph → review Application permissions for:

    • AppRoleAssignment.ReadWrite.All

    • Directory.ReadWrite.All

  • Record the business owner and justification.

2. Identify admin roles that can grant app roles

  • Go to Roles & administrators.

  • Review assignments for:

    • Global Administrator

    • Privileged Role Administrator

    • Application Administrator

    • Cloud Application Administrator

  • If a group is assigned, enumerate transitive membership.

3. Review existing app role assignments

For a target enterprise app:

  • Open Enterprise applications → select the app → go to Users and groups.

  • Review who has roles assigned inside the application.

Exploitation

Azure GUI

1. Open the app registration

  • Go to Microsoft Entra admin center → Identity → Applications → App registrations.

  • Open your app registration (for example, Contoso-Automation).

2. Add API permission

  • Select API permissions.

  • Select Add a permission.

  • Select Microsoft Graph.

  • Select Application permissions.

3. Select permission

  • Search for Group.Read.All, select it, then choose Add permissions.

4. Grant admin consent

  • Back on API permissions, select Grant admin consent for …, then confirm.

  • Confirm Status shows Granted for Group.Read.All.

Mitigation

  • Remove unnecessary Graph application permissions from service principals:

    • Prioritize removing AppRoleAssignment.ReadWrite.All and Directory.ReadWrite.All when not required.

  • Restrict who can grant admin consent and who can manage enterprise applications.

  • Limit privileged directory roles:

    • Keep Application Administrator and Cloud Application Administrator assignments minimal.

    • Use just-in-time access where possible.

  • Implement change control for enterprise app role assignments:

    • Require approvals for role assignment changes on sensitive applications.

  • Regularly review app role assignments:

    • Review both application permissions (app role assignments whose resource is Microsoft Graph) and enterprise app roles (Users and groups assignments).
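As an added example for the first mitigation bullet (not FSProtect's code), the function below removes AppRoleAssignment.ReadWrite.All and Directory.ReadWrite.All from service principals whose object id is not on an approved list. It assumes the caller holds AppRoleAssignment.ReadWrite.All (or an equivalent admin role); the approved-list contents and the placeholder id are assumptions, and nothing is deleted on a -WhatIf run.

```powershell
# Added example (not FSProtect's code). Assumes a Connect-MgGraph session with
# AppRoleAssignment.ReadWrite.All; ConfirmImpact High means each removal prompts by default.
function Remove-UnapprovedGraphWriteAssignment {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Object ids of service principals whose grant is documented and justified (assumed list).
        [string[]]$ApprovedPrincipalIds = @()
    )
    $riskyRoles = @('AppRoleAssignment.ReadWrite.All', 'Directory.ReadWrite.All')
    # Well-known appId of the Microsoft Graph service principal.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $roleById = @{}
    foreach ($r in $graphSp.AppRoles) { $roleById[$r.Id] = $r.Value }

    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
        Where-Object {
            $_.PrincipalType -eq 'ServicePrincipal' -and
            $riskyRoles -contains $roleById[$_.AppRoleId] -and
            $ApprovedPrincipalIds -notcontains $_.PrincipalId
        } |
        ForEach-Object {
            $perm   = $roleById[$_.AppRoleId]
            $target = "$($_.PrincipalDisplayName) ($($_.PrincipalId))"
            $removed = $false
            if ($PSCmdlet.ShouldProcess($target, "Remove Microsoft Graph permission $perm")) {
                # The assignment is deleted from the holding principal's appRoleAssignments.
                Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.PrincipalId `
                    -AppRoleAssignmentId $_.Id
                $removed = $true
            }
            [pscustomobject]@{ Principal = $target; Permission = $perm; AssignmentId = $_.Id; Removed = $removed }
        }
}

# Dry run first: lists what would be removed without changing the tenant.
Remove-UnapprovedGraphWriteAssignment -ApprovedPrincipalIds @('<approved-sp-object-id-placeholder>') -WhatIf
```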

Detection

Monitor Microsoft Entra Audit logs for changes related to app role assignments.

  • Go to Microsoft Entra ID → Audit logs.

  • Filter for application / enterprise app management activities.

  • Look for events that indicate role assignment changes, such as:

    • App role assignment added

    • App role assignment granted

    • Application role assigned to user/group/service principal

  • Review:

    • Initiated by (actor)

    • Target resources

    • The role / resource application involved
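The same review can be scripted; the function below is an added example (not FSProtect's code) that pulls recent directory audit events whose activity name mentions an app role assignment and flattens actor, targets and modified properties for review. It assumes AuditLog.Read.All and Directory.Read.All, and the wildcard match on the activity name is an assumption based on the event names listed above, so check it against the audit activity reference for your tenant.

```powershell
# Added example (not FSProtect's code). Assumes a Connect-MgGraph session with
# AuditLog.Read.All and Directory.Read.All (Microsoft.Graph.Reports module).
function Get-AppRoleAssignmentAuditEvent {
    param([int]$Days = 7)
    # Graph expects an unquoted UTC datetime literal in the $filter.
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')

    Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
        # Activity names such as "Add app role assignment to service principal" (assumed pattern).
        Where-Object { $_.ActivityDisplayName -like '*app role assignment*' } |
        ForEach-Object {
            # "Initiated by" is either a user or an application (app-only token).
            $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                     elseif ($_.InitiatedBy.App.DisplayName) { 'app:' + $_.InitiatedBy.App.DisplayName }
                     else { 'unknown' }
            # Target resources name the principal and the resource application involved.
            $targets = ($_.TargetResources | ForEach-Object { "$($_.Type):$($_.DisplayName)" }) -join '; '
            # Modified properties carry the role id and resource names for the assignment.
            $changes = ($_.TargetResources.ModifiedProperties |
                ForEach-Object { "$($_.DisplayName)=$($_.NewValue)" }) -join '; '
            [pscustomobject]@{
                When     = $_.ActivityDateTime
                Activity = $_.ActivityDisplayName
                Result   = $_.Result
                Actor    = $actor
                Targets  = $targets
                Changes  = $changes
            }
        }
}

# Review the last week, newest first; app-only actors granting Graph roles deserve a closer look.
Get-AppRoleAssignmentAuditEvent -Days 7 | Sort-Object When -Descending | Format-Table -AutoSize
```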

References

  • https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0

  • https://learn.microsoft.com/en-us/graph/api/user-post-approleassignments?view=graph-rest-1.0

  • https://learn.microsoft.com/en-us/graph/api/group-post-approleassignments?view=graph-rest-1.0

  • https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-1.0

  • https://learn.microsoft.com/en-us/graph/api/user-list-approleassignments?view=graph-rest-1.0

  • https://learn.microsoft.com/en-us/graph/api/group-list-approleassignments?view=graph-rest-1.0

  • https://learn.microsoft.com/en-us/graph/permissions-reference

  • https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignment?view=graph-powershell-1.0

  • https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/new-mgserviceprincipalapproleassignment?view=graph-powershell-1.0

  • https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
