Microsoft.Directory/groups/members/update
Azure
Microsoft.Directory/groups/members/update
Event
Adds or removes members from an Entra ID security group or Microsoft 365 group.
Security Context
- Adding users to privileged groups is a common persistence technique that grants broad permissions while appearing as routine administration.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud (now an owner of the GraphornAdmins security group via the previous azure-add-owner-to-group event) adds himself as a member of that group. The group is role-assignable and bound to the Privileged Role Administrator Entra role — so this single member-add gives Draco Privileged Role Administrator indirectly. The activity is Add member to group and the audit category is GroupManagement.
{ "id": "Directory_90000000-0000-4000-8000-000011001000_4F2E7_82119354", "category": "GroupManagement", "correlationId": "90000000-0000-4000-8000-000011001000", "result": "success", "resultReason": "", "activityDisplayName": "Add member to group", "activityDateTime": "2026-04-15T19:08:42.0381729Z", "loggedByService": "Core Directory", "operationType": "Add", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "type": "User", "userPrincipalName": "draco@fantasticlogs.cloud", "groupType": null, "modifiedProperties": [ { "displayName": "Group.DisplayName", "oldValue": "[]", "newValue": "[\"GraphornAdmins\"]" }, { "displayName": "Group.ObjectId", "oldValue": "[]", "newValue": "[\"60000000-0000-4000-8000-000000000001\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Group.DisplayName, Group.ObjectId\"" } ] }, { "id": "60000000-0000-4000-8000-000000000001", "displayName": "GraphornAdmins", "type": "Group", "userPrincipalName": null, "groupType": "unifiedSecurity", "modifiedProperties": [] } ], "additionalDetails": [ { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...