AZ_MG_GROUPMEMBER_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

GroupMember.ReadWrite.All

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: GroupMember.ReadWrite.All

Description

AZ_MG_GROUPMEMBER_READWRITE_ALL grants read and write access to group memberships in Microsoft Entra ID.

Capabilities:

Add/remove members to security groups and Microsoft 365 groups
Read group memberships and properties

Limitations:

Cannot modify role-assignable groups (requires RoleManagement.ReadWrite.Directory)
Cannot create/delete groups (requires Group.ReadWrite.All)

Abuse scenarios:

Lateral movement: Add accounts to groups with Azure RBAC or application access
Defense evasion: Remove security team members from monitoring groups

Identification

PowerShell (Microsoft Graph)

Connect-MgGraph -Scopes "Application.Read.All"

$permissionId = "dbaae8cf-10b5-4b86-a4a1-f871c94c6695"  # GroupMember.ReadWrite.All
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | Where-Object { $_.AppRoleId -eq $permissionId } | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    [PSCustomObject]@{ DisplayName = $sp.DisplayName; AppId = $sp.AppId }
} | Format-Table -AutoSize

Azure GUI

Microsoft Entra admin center -> Applications -> Enterprise applications
Select application -> Permissions -> Look for GroupMember.ReadWrite.All

Exploitation

An attacker with GroupMember.ReadWrite.All can add accounts to normal security groups (not role-assignable groups).

For exploitation details, see AZ_MG_ADD_MEMBER.

Mitigation

Audit and remove unnecessary GroupMember.ReadWrite.All grants
Apply least privilege: Use GroupMember.Read.All if only read access is needed
Regular access reviews for applications with this permission

Detection

PowerShell (Microsoft Graph)

Connect-MgGraph -Scopes "AuditLog.Read.All"

Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add member to group' or activityDisplayName eq 'Remove member from group'" -Top 50 | ForEach-Object {
    [PSCustomObject]@{
        DateTime = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Actor    = $_.InitiatedBy.App.DisplayName ?? $_.InitiatedBy.User.UserPrincipalName
        Target   = $_.TargetResources[0].DisplayName
    }
} | Format-Table -AutoSize

Azure GUI

Microsoft Entra ID -> Audit logs -> Filter: Add member to group / Remove member from group

References

https://learn.microsoft.com/en-us/graph/permissions-reference
https://learn.microsoft.com/en-us/graph/api/group-post-members
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept

PreviousAZ_MG_GROUP_READWRITE_ALL NextAZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagExploitation

hashtagMitigation

hashtagDetection

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagReferences

Summary

Description

Identification

PowerShell (Microsoft Graph)

Azure GUI

Exploitation

Mitigation

Detection

PowerShell (Microsoft Graph)

Azure GUI

References