Dynamic groups in Microsoft Entra ID are a powerful feature that requires a P1 license or higher. These groups automatically update their membership based on specific rules tied to user attributes. However, if the rules rely on attributes that users can self-modify, they become vulnerable to exploitation.
An attacker with the ability to modify the attribute used in a dynamic group’s rule can manipulate its membership. This misconfiguration can result in unauthorized access or privilege escalation if the group grants access to sensitive resources.
While many attributes in a tenant are not user-modifiable, guest accounts are an exception. A guest user controlled by an attacker, with administrative privileges in the attacker's home tenant, can modify attributes there and exploit the dynamic group rule in the target tenant.
This issue, initially highlighted in security research and penetration testing literature around 2020, remains a viable attack vector in misconfigured environments. Since late 2024, the AADInternals attack tool has included a function to identify exploitable groups.
Possible attack scenario: a dynamic group whose rule is based on the displayName attribute containing specific keywords (e.g., "admin"). The risk and ensuing severity depend on these factors:
Dynamic groups simplify administrative tasks but require careful configuration to prevent abuse. By addressing these risks, administrators can keep dynamic groups secure and efficient within Entra ID management.
The most immediate remediation is to avoid user-controlled attributes in rules: do not base dynamic group membership rules on attributes that users, especially guests, can directly modify. However, this significantly reduces the usefulness and flexibility of the feature.
As described, the easiest exploitation method involves inviting a malicious guest. To mitigate this, you can configure policies to restrict guest invitations to a trusted group of users. While this may impact collaboration, it significantly reduces the risk of malicious guest access.
Alternatively, you can exclude these dangerous guests if you do not expect them to be members of the dynamic group. In the rules editor, add an "And" rule on the userType property with the Not Equals operator for value Guest, which generates this rule: and (user.userType -ne "Guest"). Note that this does not protect against malicious "external members".
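An added audit example (not code from this page, from Tenable or from AADInternals) that applies the two ideas above: it reads every dynamic group's membership rule through Microsoft Graph PowerShell and flags rules that depend on attributes a guest could set in their home tenant without the userType exclusion. It assumes the Microsoft.Graph.Groups module and an existing Connect-MgGraph session with Group.Read.All; the $RiskyAttributes list is an assumed starting set to tailor to your tenant.

```powershell
# Assumed prerequisites: Install-Module Microsoft.Graph.Groups and
#   Connect-MgGraph -Scopes "Group.Read.All"
# Assumed starting list of attributes a guest can change in their home tenant;
# review and extend it for your own tenant.
$RiskyAttributes = @('displayName','givenName','surname','mail','jobTitle',
                     'department','companyName','city','country','state')

function Test-DynamicGroupRule {
    param([Parameter(Mandatory)][string]$Rule)
    # Collect every user.<attribute> referenced by the rule (case-insensitive).
    $attrs = [regex]::Matches($Rule, 'user\.(\w+)') |
             ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    $risky = @($attrs | Where-Object { $RiskyAttributes -contains $_ })
    # The guest exclusion exactly as the rules editor generates it:
    #   and (user.userType -ne "Guest")
    $excludesGuests = $Rule -match 'user\.userType\s+-ne\s+"Guest"'
    [pscustomobject]@{
        Rule             = $Rule
        RiskyAttributes  = $risky
        ExcludesGuests   = $excludesGuests
        GuestExploitable = ($risky.Count -gt 0) -and (-not $excludesGuests)
    }
}

# MembershipRule is only returned when requested explicitly; the dynamic
# groups are selected client-side to keep the Graph query simple.
$dynamic = Get-MgGroup -All -Property Id,DisplayName,GroupTypes,MembershipRule |
           Where-Object { $_.GroupTypes -contains 'DynamicMembership' }

foreach ($g in $dynamic) {
    $r = Test-DynamicGroupRule -Rule $g.MembershipRule
    if ($r.GuestExploitable) {
        Write-Warning ("{0} ({1}) relies on guest-modifiable attribute(s) {2}: {3}" -f
            $g.DisplayName, $g.Id, ($r.RiskyAttributes -join ', '), $g.MembershipRule)
    }
}
```

Groups that are flagged still need a manual look, since the exclusion does not cover malicious "external members" and an internal user with attribute-edit permissions is not affected by it at all.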
However, an internal user with the ability to edit user attributes (such as through permissions granted by an Entra role) can also exploit this, creating additional attack paths. Therefore, carefully review the Entra roles that grant such permissions.
Internal users, as well as less-trusted guests, can easily discover exploitable groups. To mitigate this, you can reduce guests' visibility of groups and their rules. Refer to the recommendations in the related "Unrestricted Guest Accounts" and "Guest Accounts with Equal Access to Normal Accounts" Indicators of Exposure. However, note that this does not prevent internal users from exploiting the groups, as they can still identify target groups.
As a complement, you can regularly monitor dynamic group membership changes to identify and address potential exploitation. You can do this in real time using the Entra audit log, or choose "Pause processing" in the dynamic group's properties and re-enable it only when you are ready to compare the members before and after the change.
Finally, you can choose to exclude the identified group if you accept the risk, either because you consider it low - due to a minimal likelihood of discovery or exploitation - or because membership in the group does not grant access to sensitive resources.
Name: Dynamic Group Featuring an Exploitable Rule
Codename: DYNAMIC-GROUP-FEATURING-AN-EXPLOITABLE-RULE
Severity: Medium
Type: Microsoft Entra ID Indicator of Exposure