AZ_MG_GRANT_ROLE

Summary

FSProtect ACL Alias

AZ_MG_GRANT_ROLE

Entra ID (Azure AD) Alias

Grant Directory Roles (Microsoft Graph)

Affected Object Types

Directory Roles, Users, Groups, Service Principals (including role-assignable groups)

Exploitation Certainty

Certain

Graph Permission / Role

Ability to grant Microsoft Entra directory roles via Microsoft Graph using delegated scopes and/or application permissions such as: RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All (and for PIM-based flows, permissions related to role assignment/eligibility schedules). Delegated usage also requires a supported directory role such as Privileged Role Administrator, Role Management Administrator, or Global Administrator

Description

AZ_MG_GRANT_ROLE represents the ability for a principal to grant Microsoft Entra directory roles via Microsoft Graph.

By granting themselves (or a controlled identity) a privileged directory role, an attacker can:

Gain administrative control over the tenant (for example by assigning high-privilege roles).
Modify identity, access, and security configuration depending on the role granted.
Establish persistence by granting roles to service principals, managed identities, or role-assignable groups.

Therefore, any identity that can grant directory roles through Microsoft Graph can quickly escalate privileges by creating role assignments or privileged role schedule requests.

Identification

PowerShell (Microsoft Graph)

Enumerate service principals that have Microsoft Graph application permissions that are sufficient to grant directory roles (for example, RoleManagement.ReadWrite.Directory or Directory.ReadWrite.All).

Identify service principals with Graph app permissions (PowerShell)

Install-Module Microsoft.Graph-Scope CurrentUser
Import-Module Microsoft.Graph

$ErrorActionPreference ='Stop'

# Read-only scopes to enumerate enterprise apps and their Graph app role assignments
Connect-MgGraph-Scopes"Application.Read.All","AppRoleAssignment.Read.All","Directory.Read.All"

# Microsoft Graph service principal
$msGraphAppId ="00000003-0000-0000-c000-000000000000"
$graphSp =Get-MgServicePrincipal-Filter"appId eq '$msGraphAppId'"-Property Id,AppRoles

$targetAppPerms =@(
"RoleManagement.ReadWrite.Directory",
"Directory.ReadWrite.All"
)

# Map permission value -> AppRoleId
$roleMap =@{}
$graphSp.AppRoles |
Where-Object {$_.IsEnabled-and$_.Value-in$targetAppPerms } |
ForEach-Object {$roleMap[$_.Value] =$_.Id }

$results =@()

$allSps =Get-MgServicePrincipal-All-Property Id,AppId,DisplayName
foreach ($spin$allSps) {
$assignments =$null
try {$assignments =Get-MgServicePrincipalAppRoleAssignment-ServicePrincipalId$sp.Id-All }
catch {continue }

$hits =$assignments |Where-Object {
$_.ResourceId-eq$graphSp.Id-and ($roleMap.Values-contains$_.AppRoleId)
  }

foreach ($hin$hits) {
$permName = ($roleMap.GetEnumerator() |Where-Object {$_.Value-eq$h.AppRoleId }).Key
$results += [pscustomobject]@{
      ServicePrincipalDisplayName =$sp.DisplayName
      ServicePrincipalId          =$sp.Id
      ServicePrincipalAppId       =$sp.AppId
      GraphApplicationPermission  =$permName
    }
  }
}

"=== SERVICE PRINCIPALS WITH GRAPH APP PERMISSIONS THAT CAN GRANT DIRECTORY ROLES ==="
$results |Sort-Object GraphApplicationPermission, ServicePrincipalDisplayName |Format-Table-AutoSize

Azure GUI

Open Roles & administrators

Go to Microsoft Entra admin center → Roles & administrators.

Inspect a target role

Open a target role (for example: Global Administrator, Privileged Role Administrator, Role Management Administrator).

Review assignments

Open Assignments and identify:

Users assigned to the role.
Groups assigned to the role (enumerate transitive members).
Service principals assigned to the role.

If PIM is used

Review Eligible assignments and Activation workflows for privileged roles.

Exploitation

PowerShell (Microsoft Graph)

Grant a directory role to a service principal (PowerShell)

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All"

$clientSpDisplayName = "Contoso-Automation"
$clientSp = Get-MgServicePrincipal -Filter "displayName eq '$clientSpDisplayName'"
if (-not $clientSp) { throw "Service principal not found: $clientSpDisplayName" }

$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'" | Select-Object -First 1
if (-not $roleDefinition) { throw "Role definition not found: Application Administrator" }

$directoryScopeId = "/"

$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $directoryScopeId -PrincipalId $clientSp.Id -RoleDefinitionId $roleDefinition.Id

Write-Host "OK: Granted Entra role 'Application Administrator' to $($clientSp.DisplayName) at tenant scope (/)."

Azure GUI

Open Microsoft Entra admin center

Open Microsoft Entra admin center.

Navigate to Roles & admins

Go to Entra ID → Roles & admins.

Assign the role

Select Application Administrator (click the role name to open it).
Select Add assignments.
Search for and select Contoso-Automation (your application/service principal).
Select Add to complete the assignment.

Mitigation

Minimize membership of privileged roles:
- Keep Global Administrator, Privileged Role Administrator, and Role Management Administrator assignments very small.
Use PIM for privileged roles:
- Prefer eligible assignments and time-bound activations.
- Require MFA and approval for activation where appropriate.
Reduce Microsoft Graph exposure:
- Remove unnecessary Graph application permissions from service principals.
- Prioritize removing RoleManagement.ReadWrite.Directory and Directory.ReadWrite.All when not strictly required.
Enforce change control:
- Require tickets/approvals for role assignment changes.
- Review role assignments regularly.

Detection

Monitor Microsoft Entra Audit logs for directory role assignment changes.

Go to Microsoft Entra ID → Audit logs.
Filter for role management activities.
Investigate events related to:
- Adding members to directory roles.
- Adding eligible assignments (PIM).
- Creating role assignment or eligibility schedule requests.
Record:
- Initiated by (actor)
- Target resources
- Role name and scope information

References

https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleeligibilityschedulerequests?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityschedulerequests?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignmentschedulerequests?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleassignmentschedulerequests?view=graph-rest-1.0
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/get-mgrolemanagementdirectoryroleassignment?view=graph-powershell-1.0
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgrolemanagementdirectoryroleassignment?view=graph-powershell-1.0
https://learn.microsoft.com/en-us/graph/permissions-reference
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

PreviousAZ_MG_GRANT_APP_ROLES NextAZ_MG_GROUP_READWRITE_ALL

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagOpen Roles & administrators

hashtagInspect a target role

hashtagReview assignments

hashtagIf PIM is used

hashtagExploitation

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagOpen Microsoft Entra admin center

hashtagNavigate to Roles & admins

hashtagAssign the role

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell (Microsoft Graph)

Azure GUI

Open Roles & administrators

Inspect a target role

Review assignments

If PIM is used

Exploitation

PowerShell (Microsoft Graph)

Azure GUI

Open Microsoft Entra admin center

Navigate to Roles & admins

Assign the role

Mitigation

Detection

References