AZ_MG_SERVICEPRINCIPALENDPOINT_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

ServicePrincipalEndpoint.ReadWrite.All

Affected Object Types

Service Principals

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: ServicePrincipalEndpoint.ReadWrite.All

Description

AZ_MG_SERVICEPRINCIPALENDPOINT_READWRITE_ALL represents a Microsoft Graph application permission that grants the ability to read and write service principal properties including endpoints and owners.

Capabilities (verified):

Add owners to service principals
Modify endpoint URLs including reply URLs and redirect URIs
Update service principal properties
Read service principal configurations

Security Implications:

This permission is dangerous because an attacker can:

Add themselves as owner of a service principal for persistence
Redirect authentication flows by modifying redirect URIs to capture OAuth tokens
Token theft by adding malicious reply URLs to steal access tokens
Persistence through backdoor endpoints that remain after credential rotation

Comparison with similar permissions:

Permission

Modify replyUrls

Add Owners

Add Credentials

ServicePrincipalEndpoint.ReadWrite.All

Yes

Application.ReadWrite.All

Yes

Directory.ReadWrite.All

Yes

Identification

PowerShell (Microsoft Graph)

Find Service Principals with ServicePrincipalEndpoint.ReadWrite.All:

Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"

# ServicePrincipalEndpoint.ReadWrite.All permission ID (correct GUID)
$permissionId = "89c8469c-83ad-45f7-8ff2-6e3d4285709e"

# Get Microsoft Graph service principal (resource)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Find all app role assignments for this permission
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | Where-Object { $_.AppRoleId -eq $permissionId } | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
    [PSCustomObject]@{
        DisplayName      = $sp.DisplayName
        AppId            = $sp.AppId
        ServicePrincipalId = $sp.Id
        Permission       = "ServicePrincipalEndpoint.ReadWrite.All"
        AssignedDate     = $_.CreatedDateTime
    }
} | Format-Table -AutoSize

Azure GUI

Open Microsoft Entra admin center -> Applications -> Enterprise applications
Select an application -> Permissions
Look for ServicePrincipalEndpoint.ReadWrite.All in granted permissions

Exploitation

An attacker with ServicePrincipalEndpoint.ReadWrite.All can add owners and modify service principal endpoints.

For adding owners to service principals, see AZ_ADD_OWNER.

Common Abuse Patterns

Add attacker as owner for persistent access
Modify redirect URIs to intercept OAuth tokens
Changes persist after credential rotation

Mitigation

Audit service principals with ServicePrincipalEndpoint.ReadWrite.All and remove unnecessary grants
- Go to Microsoft Entra ID -> App registrations -> select application -> API permissions
- Remove the permission if not required
Monitor owner additions on service principals:
- Alert on new owners added to sensitive service principals
- Review audit logs for owner changes
Implement strict reply URL policies:
- Use exact match redirect URIs instead of wildcards
- Limit reply URLs to known, trusted domains
- Block localhost and HTTP (non-HTTPS) redirect URIs in production
Monitor redirect URI changes on service principals:
- Review audit logs for modifications to service principal configurations
- Alert on unexpected reply URL additions
Regular audits: Periodically review service principal owners and endpoints

Detection

Detect owner additions and endpoint modifications in Audit logs.

PowerShell (Microsoft Graph)

Connect-MgGraph -Scopes "AuditLog.Read.All"

# Detect owner additions and endpoint changes
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add owner to service principal' or activityDisplayName eq 'Update service principal'" -Top 50 | ForEach-Object {
    [PSCustomObject]@{
        DateTime = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Actor    = $_.InitiatedBy.User.UserPrincipalName ?? $_.InitiatedBy.App.DisplayName
        Target   = $_.TargetResources[0].DisplayName
    }
} | Format-Table -AutoSize

Azure GUI

Go to Microsoft Entra ID -> Audit logs
Filter by activities:
- Add owner to service principal
- Update service principal

Alert Criteria

New owners added to service principals
Reply URL additions to service principals
Endpoint changes outside change management windows
Addition of external or suspicious domains to redirect URIs

References

https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal
https://learn.microsoft.com/en-us/graph/permissions-reference
https://learn.microsoft.com/en-us/entra/identity-platform/reply-url
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-owners

PreviousAZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY NextAZ_OWNER

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagExploitation

hashtagCommon Abuse Patterns

hashtagMitigation

hashtagDetection

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagAlert Criteria

hashtagReferences

Summary

Description

Identification

PowerShell (Microsoft Graph)

Azure GUI

Exploitation

Common Abuse Patterns

Mitigation

Detection

PowerShell (Microsoft Graph)

Azure GUI

Alert Criteria

References