dynamic groups

Author: carlospolop

src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md

@@ -16,6 +16,43 @@ Note that by default any user can invite guests in Azure AD, so, If a dynamic gr
 
 Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`**
 
+### Dynamic Groups Enumeration
+
+Get the rules of a dynamic group:
+
+With **Azure CLI**:
+
+```bash
+az ad group list \
+  --filter "groupTypes/any(c:c eq 'DynamicMembership')" \
+  --query "[].{displayName:displayName, rule:membershipRule}" \
+  -o table
+```
+
+With **PowerShell** and **Microsoft Graph SDK**:
+
+```bash
+Install-Module Microsoft.Graph -Scope CurrentUser -Force
+Import-Module Microsoft.Graph
+
+Connect-MgGraph -Scopes "Group.Read.All"
+
+Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
+            -Property Id, DisplayName, GroupTypes
+
+# Get the rules of a specific group
+$g = Get-MgGroup -Filter "displayName eq '<GROUP NAME>'" `
+                 -Property DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
+
+$g | Select-Object DisplayName, GroupTypes, MembershipRule
+
+# Get the rules of all dynamic groups
+Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
+            -Property DisplayName, MembershipRule |
+    Select-Object DisplayName, MembershipRule
+```
+
+
 ### Example
 
 - **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")`
@@ -43,6 +80,7 @@ az rest --method GET \
   --query "otherMails"
 ```
 
+
 ## References
 
 - [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/)