
Group abuse

Enumeration

Azure CLI


List groups

az ad group list

Get group information

az ad group show --group <name>

Get groups from EntraID

az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"

Get groups synced from on-prem (onPremisesSecurityIdentifier is set)

az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"

Get group members

az ad group member list --group <group-name> --query "[].userPrincipalName" -o table

Get which groups a group is member of

az ad group get-member-groups -g "<group-name>"

Get roles assigned to the group in Azure (NOT in Entra ID)

az role assignment list --include-groups --include-classic-administrators true --assignee <group-id>

List users group membership

Get-MgUserMemberOf -UserId "user@domain.com" | ForEach-Object { $_.AdditionalProperties["displayName"] }

Get objectID from group name

az ad group show --group "My Group Display Name" --query id --output tsv

(Get-MgGroup -Filter "DisplayName eq 'My Group Display Name'").Id

Get custom role definitions (list all properties)

az role definition list --custom-role-only true --query "[?roleName=='Role Name']" -o json
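The Azure CLI commands above all emit JSON, so the enumeration can be done once and post-processed offline. The following is an added Python example, not part of the original page: it reads saved `az ad group list -o json` and `az role assignment list --all -o json` output, applies the same cloud-only vs. synced split as the two JMESPath queries above (`osi==null` / `osi!=null`), flags dynamic-membership groups, and joins Azure RBAC assignments back to each group id. The field names (`id`, `displayName`, `onPremisesSecurityIdentifier`, `groupTypes`, `principalId`, `roleDefinitionName`, `scope`) are assumed to match what az prints; the sample records embedded below are constructed.

```python
"""Post-process `az ad group list -o json` and `az role assignment list --all -o json`.
Field names follow az output (assumption); sample records are constructed."""
import json
import sys

# Constructed sample in the shape of `az ad group list -o json` (trimmed to relevant fields).
SAMPLE_GROUPS_JSON = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Cloud Admins",
     "description": "Cloud-only admin group", "onPremisesSecurityIdentifier": None,
     "securityEnabled": True, "groupTypes": []},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Domain Users Sync",
     "description": "Synced from AD", "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-513",
     "securityEnabled": True, "groupTypes": []},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "All Engineers",
     "description": None, "onPremisesSecurityIdentifier": None,
     "securityEnabled": True, "groupTypes": ["DynamicMembership"]},
])

# Constructed sample in the shape of `az role assignment list --all -o json` (trimmed).
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "Group",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
    {"principalId": "44444444-4444-4444-4444-444444444444", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])


def load_json(text):
    """Parse az output; list commands print a JSON array."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array from an `az ... list` command")
    return data


def classify_groups(groups):
    """Same split as the two JMESPath queries on this page:
    onPremisesSecurityIdentifier unset -> created in Entra ID (cloud-only),
    set -> synced from on-prem AD (the value is the on-prem SID)."""
    cloud_only, synced = [], []
    for g in groups:
        (synced if g.get("onPremisesSecurityIdentifier") else cloud_only).append(g)
    return {"cloud_only": cloud_only, "synced": synced}


def dynamic_groups(groups):
    """Groups whose membership is rule-driven (groupTypes contains DynamicMembership)."""
    return [g for g in groups if "DynamicMembership" in (g.get("groupTypes") or [])]


def group_role_summary(groups, assignments):
    """Join RBAC assignments to groups by principalId -> {group id: [(role, scope), ...]}.
    Assignments whose principal is not one of the groups (users, service principals) are dropped."""
    summary = {g["id"]: [] for g in groups}
    for a in assignments:
        pid = a.get("principalId")
        if pid in summary:
            summary[pid].append((a.get("roleDefinitionName"), a.get("scope")))
    return summary


def main(argv):
    # Usage: python3 group_enum.py groups.json assignments.json
    # (files saved from the two az commands); with no arguments the constructed samples are used.
    if len(argv) == 3:
        with open(argv[1]) as f:
            groups = load_json(f.read())
        with open(argv[2]) as f:
            assignments = load_json(f.read())
    else:
        groups = load_json(SAMPLE_GROUPS_JSON)
        assignments = load_json(SAMPLE_ASSIGNMENTS_JSON)
    split = classify_groups(groups)
    roles = group_role_summary(groups, assignments)
    dyn_ids = {g["id"] for g in dynamic_groups(groups)}
    for label in ("cloud_only", "synced"):
        print(f"== {label} ==")
        for g in split[label]:
            tag = " [dynamic]" if g["id"] in dyn_ids else ""
            print(f"{g['id']}  {g['displayName']}{tag}")
            for role, scope in roles[g["id"]]:
                print(f"    {role} @ {scope}")


if __name__ == "__main__":
    main(sys.argv)
```

Keying the join on the group id rather than the display name matters because Entra allows duplicate display names; the id is what `az role assignment list --assignee` expects anyway.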

GraphRunner.ps1

Enum Dynamic Groups

Get-DynamicGroups -Tokens $tokens

Enum group IDs

Get-SecurityGroups -Tokens $tokens

Enum UserID

Get-UserObjectID -Tokens $tokens user.one@domain.com

Add user to group

Invoke-AddGroupMember -groupId <groupid> -userId <userid>

BARK

https://github.com/BloodHoundAD/BARK

Enumerate Entra groups and info about them

$Groups = Get-AllEntraGroups
$Group = $Groups | Where-Object { $_.DisplayName -eq "<interesting group>" }
$Group

Interesting Groups


Directory Readers

  • Allows Entra enumeration