# AZ\_MG\_GRANT\_APP\_ROLES

## Summary

|                               |                                                                                                   |
| ----------------------------- | ------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_MG\_GRANT\_APP\_ROLES                                                                         |
| **Entra ID (Azure AD) Alias** | Grant App Roles (Microsoft Graph)                                                                 |
| **Affected Object Types**     | Service Principals (Enterprise applications), Users, Groups                                       |
| **Exploitation Certainty**    | Certain                                                                                           |
| **Graph Permission / Role**   | Application Permission: `AppRoleAssignment.ReadWrite.All` or `RoleManagement.ReadWrite.Directory` |

## Description

`AZ_MG_GRANT_APP_ROLES` represents the ability for a principal to **grant app roles via Microsoft Graph** by creating **app role assignments**.

App role assignments can be granted to:

* A **service principal** (enterprise application).
* A **user**.
* A **group**.

By granting an app role to a controlled identity, an attacker can:

* Assign **high-privilege application permissions** to a service principal (for example, by assigning Microsoft Graph app roles), then authenticate as that app and act with those privileges.
* Assign roles in **line-of-business applications** that gate access to sensitive data or administrative features.
* Establish **persistence** by granting roles to long-lived identities (service principals / managed identities).

Therefore, any identity that can grant app roles through Microsoft Graph can quickly escalate privileges or expand access by modifying app role assignments.

## Identification

### PowerShell (Microsoft Graph)

Enumerate service principals that have **Microsoft Graph application permissions** that can grant app roles (`AppRoleAssignment.ReadWrite.All` or `RoleManagement.ReadWrite.Directory`).

```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.Read.All"

$graphAppId = "00000003-0000-0000-c000-000000000000"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $graphSp) { throw "Microsoft Graph service principal not found." }

# App role IDs on the Microsoft Graph service principal for the two application
# permissions that allow creating app role assignments
$targetPermissions = @{
    "AppRoleAssignment.ReadWrite.All"     = "06b708a9-e830-4db3-a914-8e69da51d44f"
    "RoleManagement.ReadWrite.Directory"  = "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
}

# Get all app role assignments granted TO Microsoft Graph
$allAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

# Filter for target permissions
$matchingAssignments = $allAssignments | Where-Object { $targetPermissions.Values -contains $_.AppRoleId }

$results = $matchingAssignments | ForEach-Object {
    $assignment = $_
    $permName = ($targetPermissions.GetEnumerator() | Where-Object { $_.Value -eq $assignment.AppRoleId }).Key
    [PSCustomObject]@{
        ServicePrincipalDisplayName = $assignment.PrincipalDisplayName
        ServicePrincipalId          = $assignment.PrincipalId
        GraphApplicationPermission  = $permName
        AssignedDateTime            = $assignment.CreatedDateTime
    }
}

# Wrap in @() so a single or empty result still yields a correct count
Write-Host "Found $(@($results).Count) service principals with permissions that can grant app roles"
$results | Sort-Object GraphApplicationPermission, ServicePrincipalDisplayName | Format-Table -AutoSize
```

### Azure GUI

1. **Identify service principals with Graph permissions that can grant app roles**
   * Go to **Microsoft Entra admin center** → **Enterprise applications**.
   * Open the application (service principal).
   * Go to **Permissions / API permissions**.
   * Under **Microsoft Graph** → review **Application permissions** for:
     * `AppRoleAssignment.ReadWrite.All`
     * `RoleManagement.ReadWrite.Directory`
   * Record the business owner and justification.
2. **Identify admin roles that can grant app roles**
   * Go to **Roles & administrators**.
   * Review assignments for:
     * **Global Administrator**
     * **Privileged Role Administrator**
     * **Application Administrator**
     * **Cloud Application Administrator**
   * If a **group** is assigned, enumerate transitive membership.
3. **Review existing app role assignments**
   * For a target enterprise app:
     * Open **Enterprise applications** → select the app → go to **Users and groups**.
     * Review who has roles assigned inside the application.
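The following script is an added example for steps 2 and 3 above; it is not part of the FSProtect knowledge base or the Microsoft Graph SDK documentation. It lists the members of the four directory roles named above (expanding any group that holds a role to its transitive members, as step 2 requires) and then dumps the **Users and groups** assignments of one enterprise application. The app name in `$TargetAppDisplayName` is a placeholder to replace; the cmdlets and scopes are the standard Microsoft Graph PowerShell ones.

```powershell
# Added example: enumerate who holds the directory roles that can grant app roles,
# and review the app role assignments on one target enterprise application.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "GroupMember.Read.All", `
                        "Application.Read.All", "AppRoleAssignment.Read.All"

# --- Step 2: directory roles that can grant app roles -----------------------
# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# a role that has never been assigned will simply be absent from the output.
$roleNames = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Cloud Application Administrator"
)

$roleHolders = foreach ($role in (Get-MgDirectoryRole -All | Where-Object { $roleNames -contains $_.DisplayName })) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.group') {
            # A group holds the role: every transitive member effectively holds it too
            foreach ($gm in Get-MgGroupTransitiveMember -GroupId $member.Id -All) {
                [PSCustomObject]@{
                    Role        = $role.DisplayName
                    Principal   = $gm.AdditionalProperties['displayName']
                    PrincipalId = $gm.Id
                    Type        = $gm.AdditionalProperties['@odata.type']
                    ViaGroup    = $member.AdditionalProperties['displayName']
                }
            }
        } else {
            [PSCustomObject]@{
                Role        = $role.DisplayName
                Principal   = $member.AdditionalProperties['displayName']
                PrincipalId = $member.Id
                Type        = $type
                ViaGroup    = $null
            }
        }
    }
}
$roleHolders | Sort-Object Role, Principal | Format-Table -AutoSize

# --- Step 3: existing app role assignments on a target enterprise app -------
$TargetAppDisplayName = "PLACEHOLDER-Enterprise-App"   # placeholder: app under review
$candidates = @(Get-MgServicePrincipal -Filter "displayName eq '$TargetAppDisplayName'")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one enterprise application named '$TargetAppDisplayName', found $($candidates.Count)."
}
$targetSp = $candidates[0]

# Map appRoleId -> role name using the app's own role definitions. The all-zero
# GUID is the default role used when an app defines no roles ("assigned, no role").
$roleNameById = @{}
foreach ($r in $targetSp.AppRoles) { $roleNameById[$r.Id] = $r.DisplayName }
$roleNameById["00000000-0000-0000-0000-000000000000"] = "Default Access"

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $targetSp.Id -All |
    ForEach-Object {
        [PSCustomObject]@{
            Principal     = $_.PrincipalDisplayName
            PrincipalType = $_.PrincipalType      # User, Group or ServicePrincipal
            AppRole       = $roleNameById[$_.AppRoleId]
            Assigned      = $_.CreatedDateTime
        }
    } | Sort-Object PrincipalType, Principal | Format-Table -AutoSize
```

Two caveats when reading the output: `Get-MgDirectoryRoleMember` returns only active (permanent) role members, so eligible PIM assignments must be reviewed separately; and a `Group` row in the step 3 table means every transitive member of that group holds the app role, so expand it with `Get-MgGroupTransitiveMember` the same way step 2 does.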

## Exploitation

> **Related Attack Paths:**
>
> * [AZ\_MG\_APPROLEASSIGNMENT\_READWRITE\_ALL](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_APPROLEASSIGNMENT_READWRITE_ALL/README.md) – Directly grants the `AppRoleAssignment.ReadWrite.All` permission enabling app role assignment creation.
> * [AZ\_MG\_ROLEMANAGEMENT\_READWRITE\_DIRECTORY](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY/README.md) – Allows assigning directory roles (e.g., Global Administrator) to escalate privileges after granting app roles.

### Azure GUI

1. Go to **Microsoft Entra admin center** → **Identity** → **Applications** → **App registrations**.
2. Open your app registration (**Contoso-Automation**).
3. Select **API permissions**.
4. Select **Add a permission**.
5. Select **Microsoft Graph**.
6. Select **Application permissions**.
7. Search for **Group.Read.All**, select it, then choose **Add permissions**.
8. Back on **API permissions**, select **Grant admin consent for …** (the button is suffixed with the tenant name), then confirm.
9. Confirm **Status** shows **Granted** for `Group.Read.All`.

## Mitigation

* Remove unnecessary Graph application permissions from service principals:
  * Prioritize removing `AppRoleAssignment.ReadWrite.All` and `RoleManagement.ReadWrite.Directory` when not required.
* Restrict who can grant admin consent and who can manage enterprise applications.
* Limit privileged directory roles:
  * Keep **Application Administrator** and **Cloud Application Administrator** assignments minimal.
  * Use just-in-time access where possible.
* Implement change control for enterprise app role assignments:
  * Require approvals for role assignment changes on sensitive applications.
* Regularly review app role assignments:
  * Review both **application permissions** (app role assignments to Microsoft Graph) and **enterprise app roles** (Users and groups assignments).
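The following script is an added example for the first mitigation bullet; it is not part of the FSProtect knowledge base. It finds every service principal holding `AppRoleAssignment.ReadWrite.All` or `RoleManagement.ReadWrite.Directory` on Microsoft Graph and removes the grant unless the principal is on an explicit allow-list. It only reports unless `-Apply` is given. The script file name, the `-AllowedServicePrincipalIds` parameter and the `-Apply` switch are this example's own conventions, not project or SDK features.

```powershell
# Added example (hypothetical file name: Revoke-AppRoleGrantPermissions.ps1):
# revoke the two Graph application permissions that can grant app roles from
# every service principal not on the allow-list. Dry run unless -Apply is passed.
[CmdletBinding()]
param(
    [string[]]$AllowedServicePrincipalIds = @(),   # SP object IDs with a documented business need
    [switch]$Apply                                 # without this, nothing is removed
)

Import-Module Microsoft.Graph.Applications
# The write scope is only exercised on an -Apply run; it is itself a privileged
# delegated permission, so run this from an administrative account.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $graphSp) { throw "Microsoft Graph service principal not found." }

# Same app role IDs as in the Identification script, keyed by ID for lookup
$riskyPermissions = @{
    "06b708a9-e830-4db3-a914-8e69da51d44f" = "AppRoleAssignment.ReadWrite.All"
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" = "RoleManagement.ReadWrite.Directory"
}

# Admin consent for an application permission *is* an app role assignment on the
# resource (Microsoft Graph), so the grants live under Graph's appRoleAssignedTo.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $riskyPermissions.ContainsKey($_.AppRoleId) }

foreach ($a in $assignments) {
    $perm  = $riskyPermissions[$a.AppRoleId]
    $label = "'$($a.PrincipalDisplayName)' ($($a.PrincipalId))"

    if ($AllowedServicePrincipalIds -contains $a.PrincipalId) {
        Write-Host "KEEP         $perm on $label : on allow-list"
        continue
    }
    if ($Apply) {
        # Removing the assignment revokes the consented permission immediately;
        # tokens already issued keep it until they expire.
        Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -AppRoleAssignmentId $a.Id
        Write-Host "REMOVED      $perm from $label"
    } else {
        Write-Host "WOULD REMOVE $perm from $label (re-run with -Apply)"
    }
}
```

Run it once without `-Apply` to review the list, then with `-Apply -AllowedServicePrincipalIds <id>,<id>` for the approved exceptions. Note that revoking the assignment removes the consent but not the permission request in the app registration's manifest (`requiredResourceAccess`); anyone who can still grant admin consent can re-add it, which is why the second and third mitigation bullets matter as much as this one.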

## Detection

Monitor Microsoft Entra **Audit logs** for changes related to app role assignments.

* Go to **Microsoft Entra ID** → **Audit logs**.
* Filter for application / enterprise app management activities.
* Look for events that indicate role assignment changes, such as:
  * App role assignment added
  * App role assignment granted
  * Application role assigned to user/group/service principal
* Review:
  * **Initiated by (actor)**
  * **Target resources**
  * The role / resource application involved
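The following query is an added example of the review described above, not part of the FSProtect knowledge base. It pulls the last seven days of `ApplicationManagement` audit events through Microsoft Graph and reduces the app role assignment activities to actor, target and app role, flagging any assignment of the two Graph permissions this edge depends on. The activity display names are taken from the Entra audit activity reference linked in the References section; the `AppRole.Id` modified-property name used to extract the role GUID is an assumption about the event payload and should be confirmed against a real event in your tenant.

```powershell
# Added example: surface app role assignment events from the Entra audit log and
# flag grants of the two Graph permissions that can create app role assignments.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# OData datetime literal (round-trip format, UTC) for the server-side filter
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("o")

# Activity names from the Entra audit activity reference; filtered client-side
# because they are matched as a set.
$watched = @(
    "Add app role assignment to service principal",
    "Add app role assignment grant to user",
    "Add app role assignment to group"
)

$riskyAppRoleIds = @(
    "06b708a9-e830-4db3-a914-8e69da51d44f",   # AppRoleAssignment.ReadWrite.All
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"    # RoleManagement.ReadWrite.Directory
)

$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDateTime ge $since and category eq 'ApplicationManagement'" |
    Where-Object { $watched -contains $_.ActivityDisplayName }

$events | ForEach-Object {
    $e = $_
    # The assignment may be created by a signed-in user or by an app acting on its own
    $actor = "unknown"
    if ($e.InitiatedBy.User.UserPrincipalName) { $actor = $e.InitiatedBy.User.UserPrincipalName }
    elseif ($e.InitiatedBy.App.DisplayName)   { $actor = "app:" + $e.InitiatedBy.App.DisplayName }

    # Assumption: the granted role's GUID is carried as the modified property "AppRole.Id".
    # NewValue is JSON-encoded (quoted), so pull the GUID out with a regex.
    $appRoleId = $null
    $prop = $e.TargetResources | ForEach-Object { $_.ModifiedProperties } |
            Where-Object { $_.DisplayName -eq 'AppRole.Id' } | Select-Object -First 1
    if ($prop -and $prop.NewValue -match '[0-9a-fA-F-]{36}') { $appRoleId = $Matches[0].ToLower() }

    [PSCustomObject]@{
        When      = $e.ActivityDateTime
        Activity  = $e.ActivityDisplayName
        Actor     = $actor
        Targets   = ($e.TargetResources | ForEach-Object { "$($_.Type):$($_.DisplayName)" }) -join '; '
        AppRoleId = $appRoleId
        Result    = $e.Result
        HighRisk  = ($null -ne $appRoleId) -and ($riskyAppRoleIds -contains $appRoleId)
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Rows with `HighRisk` set to `True` are new grants of the very permissions this edge requires and warrant an immediate check of the initiating actor; an `app:` actor means a service principal created the assignment without a signed-in user, which is the pattern to expect when an already-compromised app extends its own access.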

## References

* <https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/api/user-post-approleassignments?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/api/group-post-approleassignments?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/api/user-list-approleassignments?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/api/group-list-approleassignments?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/permissions-reference>
* <https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignment?view=graph-powershell-1.0>
* <https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/new-mgserviceprincipalapproleassignment?view=graph-powershell-1.0>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities>

