AZ_MG_GROUP_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

Group.ReadWrite.All

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: Group.ReadWrite.All

Description

AZ_MG_GROUP_READWRITE_ALL grants full read and write access to all groups in Microsoft Entra ID.

Capabilities:

Create, update, delete groups (security groups and Microsoft 365 groups)
Add/remove members from any group
Add/remove owners from any group
Manage dynamic membership rules

Limitations:

Cannot modify role-assignable groups (requires RoleManagement.ReadWrite.Directory)

Abuse scenarios:

Persistence: Create backdoor groups with elevated permissions
Lateral movement: Add accounts to groups with Azure RBAC or application access
Defense evasion: Remove security team members from monitoring groups

Identification

PowerShell (Microsoft Graph)

Connect-MgGraph -Scopes "Application.Read.All"

$permissionId = "62a82d76-70ea-41e2-9197-370581804d09"  # Group.ReadWrite.All
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | Where-Object { $_.AppRoleId -eq $permissionId } | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    [PSCustomObject]@{ DisplayName = $sp.DisplayName; AppId = $sp.AppId }
} | Format-Table -AutoSize

Azure GUI

Microsoft Entra admin center -> Applications -> Enterprise applications
Select application -> Permissions -> Look for Group.ReadWrite.All

Exploitation

An attacker with Group.ReadWrite.All can add accounts to normal security groups and create backdoor groups.

For adding members to groups, see AZ_MG_ADD_MEMBER.

Mitigation

Audit and remove unnecessary Group.ReadWrite.All grants
Apply least privilege:
- Use Group.Read.All if only read access is needed
- Use GroupMember.ReadWrite.All if only membership management is needed
Regular access reviews for applications with this permission

Detection

PowerShell (Microsoft Graph)

Connect-MgGraph -Scopes "AuditLog.Read.All"

Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add group' or activityDisplayName eq 'Delete group' or activityDisplayName eq 'Add member to group'" -Top 50 | ForEach-Object {
    [PSCustomObject]@{
        DateTime = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Actor    = $_.InitiatedBy.App.DisplayName ?? $_.InitiatedBy.User.UserPrincipalName
        Target   = $_.TargetResources[0].DisplayName
    }
} | Format-Table -AutoSize

Azure GUI

Microsoft Entra ID -> Audit logs -> Filter: Add group / Delete group / Add member to group

References

https://learn.microsoft.com/en-us/graph/permissions-reference
https://learn.microsoft.com/en-us/graph/api/group-post-groups
https://learn.microsoft.com/en-us/graph/api/group-post-members

PreviousAZ_MG_GRANT_ROLE NextAZ_MG_GROUPMEMBER_READWRITE_ALL

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagExploitation

hashtagMitigation

hashtagDetection

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagReferences

Summary

Description

Identification

PowerShell (Microsoft Graph)

Azure GUI

Exploitation

Mitigation

Detection

PowerShell (Microsoft Graph)

Azure GUI

References