# AZ\_MG\_GROUPMEMBER\_READWRITE\_ALL

## Summary

|                               |                                                   |
| ----------------------------- | ------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_MG\_GROUPMEMBER\_READWRITE\_ALL               |
| **Entra ID (Azure AD) Alias** | GroupMember.ReadWrite.All                         |
| **Affected Object Types**     | Service Principals, Applications                  |
| **Exploitation Certainty**    | Certain                                           |
| **Graph Permission / Role**   | Application Permission: GroupMember.ReadWrite.All |

## Description

`AZ_MG_GROUPMEMBER_READWRITE_ALL` grants **read and write access to group memberships** in Microsoft Entra ID.

**Capabilities:**

* **Add/remove members** to security groups and Microsoft 365 groups
* **Read group memberships** and properties

**Limitations:**

* **Cannot modify role-assignable groups** (requires `RoleManagement.ReadWrite.Directory`)
* **Cannot create/delete groups** (requires `Group.ReadWrite.All`)

**Abuse scenarios:**

* **Lateral movement**: Add accounts to groups with Azure RBAC or application access
* **Defense evasion**: Remove security team members from monitoring groups

## Identification

### PowerShell (Microsoft Graph)

```powershell
Connect-MgGraph -Scopes "Application.Read.All"

$permissionId = "dbaae8cf-10b5-4b86-a4a1-f871c94c6695"  # GroupMember.ReadWrite.All
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | Where-Object { $_.AppRoleId -eq $permissionId } | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    [PSCustomObject]@{ DisplayName = $sp.DisplayName; AppId = $sp.AppId }
} | Format-Table -AutoSize
```

### Azure GUI

1. **Microsoft Entra admin center** -> **Applications** -> **Enterprise applications**
2. Select application -> **Permissions** -> Look for **GroupMember.ReadWrite.All**

## Exploitation

An attacker with `GroupMember.ReadWrite.All` can add accounts to normal security groups (not role-assignable groups).

For exploitation details, see [AZ\_MG\_ADD\_MEMBER](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_ADD_MEMBER/README.md).

## Mitigation

* **Audit and remove** unnecessary `GroupMember.ReadWrite.All` grants
* **Apply least privilege**: Use `GroupMember.Read.All` if only read access is needed
* **Regular access reviews** for applications with this permission

## Detection

### PowerShell (Microsoft Graph)

```powershell
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Pull the most recent membership changes from the directory audit log.
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add member to group' or activityDisplayName eq 'Remove member from group'" -Top 50 | ForEach-Object {
    [PSCustomObject]@{
        DateTime = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        # App name when a service principal made the change, otherwise the user's UPN
        # (the ?? null-coalescing operator requires PowerShell 7 or later).
        Actor    = $_.InitiatedBy.App.DisplayName ?? $_.InitiatedBy.User.UserPrincipalName
        # First target resource of the event; the group itself is also recorded in ModifiedProperties.
        Target   = $_.TargetResources[0].DisplayName
    }
} | Format-Table -AutoSize
```

### Azure GUI

* **Microsoft Entra ID** -> **Audit logs** -> Filter: **Add member to group** / **Remove member from group**
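The query above lists membership events; to separate the ones that matter from routine churn, the following added example (not part of the FSProtect knowledge base) triages Graph `directoryAudit` records offline: it keeps only successful, application-initiated changes and ranks removals and additions to a watchlist of privileged groups as high severity. The records are constructed sample data, and the assumed record shape (member in `targetResources[0]`, group name carried in `modifiedProperties` as `Group.DisplayName`) should be checked against your own audit log export.

```python
import json

MEMBERSHIP_ACTIVITIES = {"Add member to group", "Remove member from group"}  # same filter as the query above


def _rec(time, activity, member, group, app=None, user=None, result="success"):
    """Constructed directoryAudit-shaped record (sample data, not a real log). Assumption: targetResources[0]
    is the member and the group name travels in modifiedProperties as "Group.DisplayName", JSON-encoded."""
    prop = {"displayName": "Group.DisplayName", "oldValue": None, "newValue": json.dumps(group)}
    return {"activityDateTime": time, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"app": {"displayName": app} if app else None,
                            "user": {"userPrincipalName": user} if user else None},
            "targetResources": [{"displayName": member, "type": "User", "modifiedProperties": [prop]}]}

SAMPLE_AUDIT_RECORDS = [  # constructed sample input
    _rec("2024-05-01T10:15:00Z", "Add member to group", "contractor@example.com", "Subscription Owners", app="Legacy-Sync-App"),
    _rec("2024-05-01T10:16:00Z", "Remove member from group", "soc.analyst@example.com", "SOC Alert Recipients", app="Legacy-Sync-App"),
    _rec("2024-05-01T11:00:00Z", "Add member to group", "new.hire@example.com", "Marketing", user="it.admin@example.com"),
    _rec("2024-05-01T11:05:00Z", "Add member to group", "svc-reporting@example.com", "Marketing", app="HR-Connector"),
    _rec("2024-05-01T11:06:00Z", "Add member to group", "x@example.com", "Subscription Owners", app="HR-Connector", result="failure"),
]


def _group_name(record):
    """Decode the group's display name; modifiedProperties values are JSON strings ('"Finance"' -> 'Finance')."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Group.DisplayName":
                raw = prop.get("newValue") or prop.get("oldValue")
                try:
                    return json.loads(raw) if raw else None
                except ValueError:
                    return raw


def triage_membership_events(records, watched_groups):
    """Return successful, app-initiated membership changes with a severity.
    watched_groups: names of groups that confer Azure RBAC or application access."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in MEMBERSHIP_ACTIVITIES or rec.get("result") != "success":
            continue
        app = (rec.get("initiatedBy") or {}).get("app")
        if not app:  # user-driven changes are outside this application permission's abuse path
            continue
        group = _group_name(rec)
        removal = rec["activityDisplayName"].startswith("Remove")
        findings.append({"time": rec["activityDateTime"], "actor": app.get("displayName"),
                         "activity": rec["activityDisplayName"], "group": group,
                         "member": rec["targetResources"][0].get("displayName"),
                         "severity": "high" if removal or group in watched_groups else "medium"})
    return findings
```

Feed it the JSON returned by the audit log query (or an exported audit log) and the names of your Azure RBAC and application-access groups as `watched_groups`.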

## References

* <https://learn.microsoft.com/en-us/graph/permissions-reference>
* <https://learn.microsoft.com/en-us/graph/api/group-post-members>
* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept>

