Abusing Dynamic Group Memberships in Azure Entra ID for persistence

n00🔑
Nov 6, 2024


Dynamic Group memberships in Azure AD are a powerful feature that allows you to automatically manage group memberships based on user or device attributes. Here’s a brief overview of how they work:

  1. Create Dynamic Groups: You can create dynamic groups in the Azure portal by selecting “New group” and choosing “Security” as the group type. Then, you can add a dynamic query to define the membership criteria.
  2. Define Membership Rules: You can set rules based on user or device properties, such as department, job title, or device type. These rules are evaluated automatically, and users or devices that meet the criteria are added to the group.
  3. Automatic Updates: When a user or device attribute changes, the system re-evaluates the membership rules. If the attribute no longer matches the criteria, the user or device is removed from the group.
  4. Usage: Dynamic groups can be used for various purposes, such as assigning licenses, applying policies, or granting access to resources.

Let’s see how a privileged Dynamic Group can be abused by an attacker for persistence.

Steps:

  1. Go to https://entra.microsoft.com/
  2. Create a Group with Dynamic Membership:

Note: Fun fact! We are not allowed to assign roles to Dynamic groups. But we can assign application access to these groups, for example:

The Admins group can access this Enterprise application.

3. Adding a Dynamic Membership Rule to the Group

(user.userPrincipalName -contains "admin")

(user.userPrincipalName -contains "admin") is the rule used to define this dynamic group in Azure AD. Let’s break it down:

user.userPrincipalName: This refers to the User Principal Name (UPN) of a user. The UPN is usually the user’s email address in the format username@domain.com.

-contains "admin": This part of the rule checks whether the UPN contains the string "admin".

So, putting it all together, the rule (user.userPrincipalName -contains "admin") means that any user whose UPN (email address) includes the substring "admin" is automatically added to the group. For example, users with UPNs like admin@domain.com or john.admin@domain.com would match this rule and be included in the dynamic group.

4. Get the victim to log in to their account, by phishing or any other means. Create and share the login link with the code from GraphRunner using "Get-GraphTokens".

$tokens

5. Look for groups with dynamic membership enabled:

(user.userPrincipalName -contains "admin")

We found a group named "Admins"; anyone whose email contains the "admin" keyword will be automatically added to this group.

6. By default, every user is allowed to invite external guest users to Azure AD.

So we just need an email address with the "admin" keyword in it.

Inviting external user
generator.email
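To see why the rule from step 3 lets a guest invited in step 6 land in the "Admins" group, and how to tighten it, here is an added Python example (not code from the original post) that evaluates a small subset of the dynamic membership rule grammar over a constructed set of users, one of them a guest whose UPN contains "admin", and flags rules that key on an inviter-chosen string without pinning userType. It assumes case-insensitive comparison and left-to-right folding of -and/-or; the sample UPNs and the tenant name contoso are constructed.

```python
import re
# Constructed sample directory (not real accounts). Guest UPNs in Entra ID take
# the form "<local>_<domain>#EXT#@<tenant>.onmicrosoft.com".
SAMPLE_USERS = [
    {"userPrincipalName": "admin@contoso.com", "userType": "Member"},
    {"userPrincipalName": "john.doe@contoso.com", "userType": "Member"},
    {"userPrincipalName": "admin_mailbox.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest"},
]
LOOSE_RULE = '(user.userPrincipalName -contains "admin")'
HARDENED_RULE = ('(user.userPrincipalName -contains "admin") '
                 '-and (user.userType -eq "Member")')

# Supported subset of the rule grammar: (user.<attr> -<op> "<value>") clauses
# joined by -and / -or, folded left to right (assumption: no precedence model).
CLAUSE = re.compile(r'\(user\.(\w+)\s+-(\w+)\s+"([^"]*)"\)')

def eval_clause(user, attr, op, value):
    actual = str(user.get(attr, "")).lower()
    value = value.lower()  # assumption: case-insensitive comparison
    return {
        "eq": actual == value,
        "contains": value in actual,
        "notcontains": value not in actual,
        "match": re.search(value, actual) is not None,
    }[op.lower()]

def matches(rule, user):
    """Return True if the user satisfies the membership rule."""
    result, connector = None, None
    for tok in re.split(r"\s+-(and|or)\s+", rule.strip()):
        if tok in ("and", "or"):
            connector = tok
            continue
        m = CLAUSE.fullmatch(tok.strip())
        if not m:
            raise ValueError(f"unsupported clause: {tok}")
        val = eval_clause(user, *m.groups())
        result = val if result is None else ((result and val) if connector == "and" else (result or val))
    return bool(result)

def members(rule, users):
    """UPNs the rule would pull into the group."""
    return sorted(u["userPrincipalName"] for u in users if matches(rule, u))

def risky_rule(rule):
    """Flag rules keyed on a string the inviter controls with no userType pin."""
    loose = re.search(r'user\.(userPrincipalName|mail)\s+-(contains|match|startsWith)', rule, re.I)
    pinned = re.search(r'user\.userType\s+-eq\s+"Member"', rule, re.I)
    return bool(loose) and not pinned
```

Running members(LOOSE_RULE, SAMPLE_USERS) shows the guest alongside the real admin, while the hardened rule keeps only the member account; risky_rule is the check to run over every dynamic group's membershipRule during an audit.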

Thanks for reading!!

