AZ_MG_GRANT_APP_ROLES

Summary

Description

AZ_MG_GRANT_APP_ROLES represents the ability for a principal to grant app roles via Microsoft Graph by creating app role assignments.

App role assignments can be granted to:

• A service principal (enterprise application).

• A user.

• A group.

By granting an app role to a controlled identity, an attacker can:

• Assign high-privilege application permissions to a service principal (for example, by assigning Microsoft Graph app roles), then authenticate as that app and act with those privileges.

• Assign roles in line-of-business applications that gate access to sensitive data or administrative features.

• Establish persistence by granting roles to long-lived identities (service principals / managed identities).

Therefore, any identity that can grant app roles through Microsoft Graph can quickly escalate privileges or expand access by modifying app role assignments.

Identification

PowerShell (Microsoft Graph)

Enumerate service principals that have Microsoft Graph application permissions that can grant app roles (AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory).

Azure GUI

1. Identify service principals with Graph permissions that can grant app roles

   • Go to Microsoft Entra admin center → Enterprise applications.

   • Open the application (service principal).

   • Go to Permissions / API permissions.

   • Under Microsoft Graph → review Application permissions for:

     • AppRoleAssignment.ReadWrite.All

     • RoleManagement.ReadWrite.Directory

   • Record the business owner and justification.

2. Identify admin roles that can grant app roles

   • Go to Roles & administrators.

   • Review assignments for:

     • Global Administrator

     • Privileged Role Administrator

     • Application Administrator

     • Cloud Application Administrator

   • If a group is assigned, enumerate transitive membership.

3. Review existing app role assignments

   • For a target enterprise app:

     • Open Enterprise applications → select the app → go to Users and groups.

     • Review who has roles assigned inside the application.

Exploitation

Related Attack Paths:

• AZ_MG_APPROLEASSIGNMENT_READWRITE_ALL – Directly grants the AppRoleAssignment.ReadWrite.All permission enabling app role assignment creation.

• AZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY – Allows assigning directory roles (e.g., Global Administrator) to escalate privileges after granting app roles.

Azure GUI

1. Go to Microsoft Entra admin center → Identity → Applications → App registrations.

2. Open your app registration (Contoso-Automation).

3. Select API permissions.

4. Select Add a permission.

5. Select Microsoft Graph.

6. Select Application permissions.

7. Search for Group.Read.All, select it, then choose Add permissions.

8. Back on API permissions, select Grant admin consent for , then confirm.

9. Confirm Status shows Granted for Group.Read.All.

Mitigation

• Remove unnecessary Graph application permissions from service principals:

  • Prioritize removing AppRoleAssignment.ReadWrite.All and RoleManagement.ReadWrite.Directory when not required.

• Restrict who can grant admin consent and who can manage enterprise applications.

• Limit privileged directory roles:

  • Keep Application Administrator and Cloud Application Administrator assignments minimal.

  • Use just-in-time access where possible.

• Implement change control for enterprise app role assignments:

  • Require approvals for role assignment changes on sensitive applications.

• Regularly review app role assignments:

  • Review both application permissions (app role assignments to Microsoft Graph) and enterprise app roles (Users and groups assignments).

Detection

Monitor Microsoft Entra Audit logs for changes related to app role assignments.

• Go to Microsoft Entra ID → Audit logs.

• Filter for application / enterprise app management activities.

• Look for events that indicate role assignment changes, such as:

  • App role assignment added

  • App role assignment granted

  • Application role assigned to user/group/service principal

• Review:

  • Initiated by (actor)

  • Target resources

  • The role / resource application involved

References

• https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/user-post-approleassignments?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/group-post-approleassignments?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/user-list-approleassignments?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/group-list-approleassignments?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/permissions-reference

• https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignment?view=graph-powershell-1.0

• https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/new-mgserviceprincipalapproleassignment?view=graph-powershell-1.0

• https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities