Add Owner To Group
Event
Adds an owner to a group. Ownership grants the ability to modify group membership, which can be used for lateral movement.
Security Context
- Group owners can add or remove members, effectively controlling access to any resources the group is assigned to — including Azure RBAC roles, application access, and dynamic group-based policies.
- Adversaries target group ownership as an indirect privilege escalation path, gaining the ability to insert themselves or other compromised accounts into privileged groups.
Log Source
Entra ID Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
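One way to triage this event, as an added example rather than detection content from the original page: it flags successful "Add owner to group" records where the group is on a privileged-group watchlist or the initiator made themselves the owner. The field names assume the Microsoft Graph directoryAudit record shape; the watchlist, GUIDs and sample records are constructed.

```python
import json

# Constructed placeholder GUID standing in for a privileged group's object ID.
PRIV_GROUP_ID = "11111111-1111-1111-1111-111111111111"
PRIVILEGED_GROUPS = {PRIV_GROUP_ID}  # hypothetical watchlist

def _prop(target, name):
    """Read a modifiedProperties newValue; assumed to be a JSON-quoted string."""
    for p in target.get("modifiedProperties") or []:
        if p.get("displayName") == name:
            try:
                return json.loads(p.get("newValue") or '""')
            except ValueError:
                return p.get("newValue")
    return None

def triage(event):
    """Return a finding for a successful 'Add owner to group' event, else None."""
    if (event.get("activityDisplayName") or "").lower() != "add owner to group":
        return None
    if event.get("result") != "success":
        return None
    by = event.get("initiatedBy") or {}
    actor = by.get("user") or by.get("app") or {}
    actor_id = actor.get("id") or actor.get("servicePrincipalId")
    targets = event.get("targetResources") or []
    owner = next((t for t in targets if t.get("type") in ("User", "ServicePrincipal")), {})
    group = next((t for t in targets if t.get("type") == "Group"), {})
    # Fall back to the owner's modified properties when no Group target is present.
    group_id = group.get("id") or _prop(owner, "Group.ObjectID")
    reasons = []
    if group_id in PRIVILEGED_GROUPS:
        reasons.append("privileged_group")
    if actor_id and actor_id == owner.get("id"):
        reasons.append("self_assigned_owner")
    return {"group_id": group_id, "new_owner": owner.get("id"), "actor": actor_id,
            "reasons": reasons, "severity": "high" if reasons else "info"}

# Constructed sample records (not real tenant data).
U1, U2, G2 = "aaaaaaaa-0000-0000-0000-000000000001", "bbbbbbbb-0000-0000-0000-000000000002", "22222222-2222-2222-2222-222222222222"
SAMPLE_EVENTS = [
    {"activityDisplayName": "Add owner to group", "result": "success",
     "initiatedBy": {"user": {"id": U1}},
     "targetResources": [{"type": "User", "id": U1, "modifiedProperties": [
         {"displayName": "Group.ObjectID", "newValue": json.dumps(PRIV_GROUP_ID)}]}]},
    {"activityDisplayName": "Add owner to group", "result": "success",
     "initiatedBy": {"user": {"id": U1}},
     "targetResources": [{"type": "User", "id": U2}, {"type": "Group", "id": G2}]},
    {"activityDisplayName": "Add member to group", "result": "success"},
]
```

Events that return severity "info" are still worth retaining, since the ownership change itself is the T1098 signal and the watchlist only sets priority.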