Skip to content

Add Owner To Group

Azure

Add Owner To Group

service: Azure - Microsoft Entra ID
techniques:

Event

Adds an owner to a group, granting the ability to modify group membership for lateral movement.

Security Context

  • Group owners can add or remove members, effectively controlling access to any resources the group is assigned to — including Azure RBAC roles, application access, and dynamic group-based policies.
  • Adversaries target group ownership as an indirect privilege escalation path, gaining the ability to insert themselves or other compromised accounts into privileged groups.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud adds himself as an owner of a security group named GraphornAdmins (a role-assignable group that has the Privileged Role Administrator Entra role bound to it). As an owner he can now add or remove members of the group at will without further admin consent — granting him an indirect path to add accomplices to a privileged group, or sustain his own privilege if his direct role assignment is revoked.

{
"id": "Directory_90000000-0000-4000-8000-000001101000_5F2D8_93421177",
"category": "GroupManagement",
"correlationId": "90000000-0000-4000-8000-000001101000",
"result": "success",
"resultReason": "",
"activityDisplayName": "Add owner to group",
"activityDateTime": "2026-04-15T18:51:42.0119445Z",
"loggedByService": "Core Directory",
"operationType": "Add",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "60000000-0000-4000-8000-000000000001",
"displayName": "GraphornAdmins",
"type": "Group",
"userPrincipalName": null,
"groupType": "unifiedSecurity",
"modifiedProperties": [
{
"displayName": "Group.DisplayName",
"oldValue": "[]",
"newValue": "[\"GraphornAdmins\"]"
},
{
"displayName": "Group.ObjectId",
"oldValue": "[]",
"newValue": "[\"60000000-0000-4000-8000-000000000001\"]"
},
{
"displayName": "Group.WellKnownObjectName",
"oldValue": "[]",
"newValue": "[]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"Group.DisplayName, Group.ObjectId, Group.WellKnownObjectName\""
}
]
},
{
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"type": "User",
"userPrincipalName": "draco@fantasticlogs.cloud",
"groupType": null,
"modifiedProperties": []
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)"
}
]
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...