# AZ\_MG\_GROUP\_READWRITE\_ALL

## Summary

|                               |                                             |
| ----------------------------- | ------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_MG\_GROUP\_READWRITE\_ALL               |
| **Entra ID (Azure AD) Alias** | Group.ReadWrite.All                         |
| **Affected Object Types**     | Service Principals, Applications            |
| **Exploitation Certainty**    | Certain                                     |
| **Graph Permission / Role**   | Application Permission: Group.ReadWrite.All |

## Description

`AZ_MG_GROUP_READWRITE_ALL` grants **full read and write access to all groups** in Microsoft Entra ID.

**Capabilities:**

* **Create, update, delete groups** (security groups and Microsoft 365 groups)
* **Add/remove members** from any group
* **Add/remove owners** from any group
* **Manage dynamic membership rules**

**Limitations:**

* **Cannot modify role-assignable groups** (requires `RoleManagement.ReadWrite.Directory`)

**Abuse scenarios:**

* **Persistence**: Create backdoor groups with elevated permissions
* **Lateral movement**: Add accounts to groups with Azure RBAC or application access
* **Defense evasion**: Remove security team members from monitoring groups

## Identification

### PowerShell (Microsoft Graph)

```powershell
# Sign in with read access to application registrations and service principals
Connect-MgGraph -Scopes "Application.Read.All"

# App role id of the Group.ReadWrite.All application permission on the Microsoft Graph resource
$permissionId = "62a82d76-70ea-41e2-9197-370581804d09"  # Group.ReadWrite.All
# Service principal of the Microsoft Graph resource (well-known appId, same in every tenant)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# List every app role assignment granted on Graph, keep only Group.ReadWrite.All,
# and resolve each assignment to the service principal that holds it
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | Where-Object { $_.AppRoleId -eq $permissionId } | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    [PSCustomObject]@{ DisplayName = $sp.DisplayName; AppId = $sp.AppId }
} | Format-Table -AutoSize
```

### Azure GUI

1. **Microsoft Entra admin center** -> **Applications** -> **Enterprise applications**
2. Select application -> **Permissions** -> Look for **Group.ReadWrite.All**

## Exploitation

An attacker with `Group.ReadWrite.All` can add accounts to any non-role-assignable security group and create backdoor groups.

For adding members to groups, see [AZ\_MG\_ADD\_MEMBER](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_ADD_MEMBER/README.md).

## Mitigation

* **Audit and remove** unnecessary `Group.ReadWrite.All` grants
* **Apply least privilege**:
  * Use `Group.Read.All` if only read access is needed
  * Use `GroupMember.ReadWrite.All` if only membership management is needed
* **Regular access reviews** for applications with this permission
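The following script is an added example, not part of the FSProtect knowledge base, that implements the first two mitigations above: it enumerates every app-only grant of `Group.ReadWrite.All` on the Microsoft Graph resource, reports which grants are on an allowlist, and, only when `$Enforce` is set, removes the others and optionally replaces each with the narrower `GroupMember.ReadWrite.All`. The `$allowedAppIds` entries are placeholders you must fill in; the `Group.ReadWrite.All` role id is the one used on this page, while the `GroupMember.ReadWrite.All` role id is taken from the Graph permissions reference and should be verified there before use.

```powershell
# Added example (not FSProtect code): audit and trim Group.ReadWrite.All grants.
# Requires Microsoft.Graph.Applications. Removal also needs AppRoleAssignment.ReadWrite.All.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$Enforce                 = $false   # dry run by default; set $true after reviewing the report
$ReplaceWithGroupMember  = $false   # when enforcing, grant GroupMember.ReadWrite.All instead

# App role ids on the Microsoft Graph resource
$groupReadWriteAll       = "62a82d76-70ea-41e2-9197-370581804d09"  # Group.ReadWrite.All (from this page)
$groupMemberReadWriteAll = "dbaae8cf-10b5-4b86-a4a1-f871c94c6695"  # GroupMember.ReadWrite.All (verify in permissions reference)

# PLACEHOLDER allowlist: appIds of applications with a documented need for full group write access
$allowedAppIds = @(
    "00000000-0000-0000-0000-000000000000"   # replace with a real appId, or leave empty to flag every grant
)

# Service principal of the Microsoft Graph resource (well-known appId)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Every assignment of Group.ReadWrite.All that has been granted on the Graph resource
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $groupReadWriteAll }

$report = foreach ($grant in $grants) {
    $sp      = Get-MgServicePrincipal -ServicePrincipalId $grant.PrincipalId
    $allowed = $allowedAppIds -contains $sp.AppId
    $action  = if ($allowed) { "keep (allowlisted)" } elseif ($Enforce) { "removed" } else { "would remove (dry run)" }

    [PSCustomObject]@{
        DisplayName  = $sp.DisplayName
        AppId        = $sp.AppId
        AssignmentId = $grant.Id
        Action       = $action
    }

    if ($allowed -or -not $Enforce) { continue }

    # Remove the broad grant: DELETE /servicePrincipals/{graph-sp-id}/appRoleAssignedTo/{assignment-id}
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -AppRoleAssignmentId $grant.Id

    if ($ReplaceWithGroupMember) {
        # Least-privilege replacement when the app only needs to manage membership
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $graphSp.Id -AppRoleId $groupMemberReadWriteAll | Out-Null
    }
}

$report | Format-Table -AutoSize
```

Run it once with `$Enforce = $false`, review the report, then re-run with enforcement on. Apps that only read group data belong on `Group.Read.All` rather than on either write permission, which this script does not grant; change `$groupMemberReadWriteAll` to that role id if read-only is the right fit.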

## Detection

### PowerShell (Microsoft Graph)

```powershell
# Sign in with read access to the directory audit log
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Pull the 50 most recent group creation, deletion and membership events and flatten each
# to the fields an analyst needs. The ?? (null-coalescing) operator requires PowerShell 7+:
# app-initiated events populate InitiatedBy.App, user-initiated ones populate InitiatedBy.User.
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add group' or activityDisplayName eq 'Delete group' or activityDisplayName eq 'Add member to group'" -Top 50 | ForEach-Object {
    [PSCustomObject]@{
        DateTime = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Actor    = $_.InitiatedBy.App.DisplayName ?? $_.InitiatedBy.User.UserPrincipalName
        Target   = $_.TargetResources[0].DisplayName
    }
} | Format-Table -AutoSize
```
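The query above lists group events regardless of who caused them. The script below is an added example, not part of the FSProtect knowledge base, that narrows detection to the case this page is about: group changes initiated by an application rather than a user, correlated with the set of service principals that currently hold the app-only `Group.ReadWrite.All` role (the same lookup as in Identification). It also covers the activities behind the abuse scenarios listed under Description (owner changes, member removal, group deletion and group updates such as dynamic-rule edits) and assigns a simple severity. The `$sensitiveGroups` names are constructed placeholders; the `??` operator requires PowerShell 7+.

```powershell
# Added example (not FSProtect code): app-initiated group changes, correlated with Group.ReadWrite.All holders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Application.Read.All"

$lookbackHours = 24
$since = (Get-Date).ToUniversalTime().AddHours(-$lookbackHours).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Audit activityDisplayName values that map to persistence, lateral movement and defense evasion
$highRisk = @("Add owner to group", "Remove member from group", "Delete group", "Update group")

# PLACEHOLDER: groups whose membership grants access (monitoring teams, RBAC-bearing groups)
$sensitiveGroups = @("SOC-Analysts", "Subscription-Owners")

# Service principals holding the app-only Group.ReadWrite.All role on the Graph resource
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$holderIds = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq "62a82d76-70ea-41e2-9197-370581804d09" } |
    ForEach-Object { $_.PrincipalId }

# All group-management audit events in the lookback window (server-side filter on category and time)
$events = Get-MgAuditLogDirectoryAudit -Filter "category eq 'GroupManagement' and activityDateTime ge $since" -All

$findings = foreach ($e in $events) {
    # Keep only app-initiated events; user-initiated ones leave InitiatedBy.App unset
    $app = $e.InitiatedBy.App
    if (-not $app -or -not $app.ServicePrincipalId) { continue }

    # The affected group is not always TargetResources[0] (for member changes, [0] is the member)
    $group = ($e.TargetResources | Where-Object { $_.Type -eq "Group" } | Select-Object -First 1).DisplayName

    $holdsGroupRW = $holderIds -contains $app.ServicePrincipalId
    $riskyAction  = $highRisk -contains $e.ActivityDisplayName
    $riskyTarget  = $sensitiveGroups -contains $group

    $severity = if ($holdsGroupRW -and ($riskyAction -or $riskyTarget)) { "high" }
                elseif ($riskyAction -or $riskyTarget)                   { "medium" }
                else                                                     { "info" }

    [PSCustomObject]@{
        DateTime     = $e.ActivityDateTime
        Severity     = $severity
        Activity     = $e.ActivityDisplayName
        App          = $app.DisplayName ?? $app.AppId
        HoldsGroupRW = $holdsGroupRW
        Group        = $group
    }
}

$findings | Sort-Object @{ Expression = { @("high", "medium", "info").IndexOf($_.Severity) } }, DateTime |
    Format-Table -AutoSize
```

A "high" row is an application that holds `Group.ReadWrite.All` performing one of the risky actions or touching a sensitive group; a "medium" row is the same action by an app that holds some narrower group permission and still deserves a look. Because `$holderIds` is computed at run time, a grant that was added and later removed will not be correlated; for historical review, combine this with the audit events for the grant itself.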

### Azure GUI

* **Microsoft Entra ID** -> **Audit logs** -> Filter: **Add group** / **Delete group** / **Add member to group**

## References

* <https://learn.microsoft.com/en-us/graph/permissions-reference>
* <https://learn.microsoft.com/en-us/graph/api/group-post-groups>
* <https://learn.microsoft.com/en-us/graph/api/group-post-members>
