Groups

The Groups page lists the groups enumerated across the entire Azure AD tenant. The list contains the Assignable To Role, Security Enabled, On Prem Sync Enabled, Group Type, Privileged, Member Count, Tier 0, Risk Score, Exposure Point and Issue Count columns.


Group Details

The Details page contains the group's Risk Score, Exposure Point, Information, and Issues panes.

You can analyze the object in the Graph module by clicking the Visualize button in the upper left corner of the Information pane.


Information

The Information pane can show several badges that highlight important attributes:

Privileged: Indicates that the object is Privileged.

Stealth: Indicates that the object can compromise admin objects through at least one attack path.

Tier: Indicates the object's tier, assigned according to its risk score and importance.

The Information pane contains the Details, Parent Groups, Child Groups, Child Users, Child Devices, Child Service Principals, Child Administrative Units, Owner Users, and Owner Service Principals tabs.

Details

The Details tab contains the attributes below about the group object.

Name: The unique name or alias of the group, used for identification and referencing within Azure AD.

Description: A user-defined text field describing the group's purpose or membership.

Display Name: The name shown in the directory, often used in address books and group listings.

Tenant ID: The globally unique identifier (GUID) of the Azure AD tenant to which the group belongs.

Security Enabled: Indicates whether the group is security-enabled, which allows it to be used to manage access to resources such as SharePoint, Teams, or applications.

Group Type: Defines the type of group: Security for access control or Microsoft 365 for collaboration.

When Created: The date and time when the group was created in Azure AD.

Is Assignable To Role: Indicates whether this group can be assigned Azure AD roles. Role-assignable groups must be security-enabled, the flag can only be set when the group is created in the cloud, and such a group can only contain users and service principals, not other groups. Because the group's owners can add members, each owner effectively holds every role assigned to the group.

On Prem SID: The security identifier (SID) of the group in the on-premises Active Directory, carried over during synchronization.

On Prem Sync Enabled: Specifies whether the group is synchronized from an on-premises Active Directory via Azure AD Connect. Membership of such a group is managed in on-premises AD and flows into Azure AD, so whoever controls the AD group controls the access the cloud group grants.

Security Identifier: A unique SID assigned by Azure AD to the group object, used in access control and permissions.

Object ID: A unique object identifier (GUID) assigned to the group by Azure AD, used to reference the group programmatically or in logs.

Parent Groups

The Parent Groups tab contains a list of the groups that this group is a member of. The list also contains Enabled and On Prem Sync Enabled columns to identify the status of these groups.


Child Groups

The Child Groups tab contains a list of the groups that are members of this group. The list also contains Privileged and Admin columns to identify the privilege level of these groups. Because membership is transitive, the members of a child group receive whatever access the parent group grants.
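To see what a Child Groups entry really grants, you can walk the nesting yourself with Microsoft Graph PowerShell. The script below is an added example, not code from the product or its documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the Group.Read.All scope, and that the placeholder $RootGroupId is replaced with the Object ID of the group under review.

```powershell
# Added example, not part of the product documentation.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and a caller with Group.Read.All. $RootGroupId is a placeholder value.
Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome
$RootGroupId = "00000000-0000-0000-0000-000000000000"   # replace with the group's Object ID

function Show-ChildGroups {
    param(
        [string]$GroupId,      # group whose direct members are being listed
        [string]$Chain,        # human-readable path from the root group
        [hashtable]$Seen       # object IDs already visited (cycle guard)
    )
    if ($Seen.ContainsKey($GroupId)) {
        Write-Host "$Chain  (already visited: diamond or cycle in nesting)"
        return
    }
    $Seen[$GroupId] = $true

    # Direct members only; nested groups are followed recursively below.
    $members = @(Get-MgGroupMember -GroupId $GroupId -All)
    $groups  = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    $users   = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
    $sps     = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal' })
    Write-Host ("{0}: {1} users, {2} service principals, {3} child groups" -f $Chain, $users.Count, $sps.Count, $groups.Count)

    foreach ($cg in $groups) {
        # Re-read the child so its sync state and role-assignable flag are available.
        $g = Get-MgGroup -GroupId $cg.Id -Property Id,DisplayName,OnPremisesSyncEnabled,IsAssignableToRole
        $tags = @()
        if ($g.OnPremisesSyncEnabled) { $tags += "on-prem synced" }   # membership is controlled in AD, not Azure AD
        if ($g.IsAssignableToRole)    { $tags += "role-assignable" }
        $label = if ($tags) { "$($g.DisplayName) [$($tags -join ', ')]" } else { $g.DisplayName }
        Show-ChildGroups -GroupId $g.Id -Chain "$Chain -> $label" -Seen $Seen
    }
}

$root = Get-MgGroup -GroupId $RootGroupId -Property Id,DisplayName
Show-ChildGroups -GroupId $root.Id -Chain $root.DisplayName -Seen @{}
```

Every user and service principal reached through a printed chain holds whatever the root group grants. A child tagged on-prem synced is the one to review first: its membership is written in on-premises AD and arrives through Azure AD Connect, so control of that AD group is control of the parent's access, and nothing in the cloud group's own settings reveals who has it.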


Child Users

The Child Users tab displays a list of the user accounts that are members of the group.


Child Devices

The Child Devices tab displays a list of the device objects that are members of the group.


Child Service Principals

The Child Service Principals tab displays a list of the service principals that are members of the group.


Name: The name of the service principal.

Enabled: Indicates whether the service principal is active.

App Display Name: The display name of the Azure AD application that this service principal is associated with.

Service Principal Type: The type of the service principal, which defines its origin.

Common types include:

  • Application – a service principal created for an Azure AD application.

  • ManagedIdentity – for system- or user-assigned managed identities.

  • Legacy – for older service principal objects.

  • Federated – for service principals from external identity providers.

Child Administrative Units

The Child Administrative Units tab displays a list of the Administrative Units that the group is a member of.


Display Name: The display name of the Administrative Unit, used to identify it within Azure AD.

Member Management Restricted: Indicates whether the Administrative Unit is a restricted management administrative unit. When set to true, the objects it contains can be modified only by administrators whose role assignments are scoped to that Administrative Unit; tenant-wide role assignments, including Global Administrator, are not honored for those objects (a Global Administrator can still assign themselves a role scoped to the unit).

Visibility: Determines whether the Administrative Unit is visible to users in the directory. Values can be:

  • Public – visible to all users.

  • HiddenMembership – members are not visible to non-admin users.

  • Private – not visible unless explicitly granted access.

Owner Users

The Owner Users tab displays a list of the users that own the group. Owners can change the group's membership, so ownership is an administrative privilege over the group even when the owner holds no directory role.


Owner Service Principals

The Owner Service Principals tab contains a list of the service principals that own the group. A service principal owner means that anyone holding, or able to add, a credential on that application can change the group's membership.
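Ownership is the check that is easy to miss in this view, and it matters most for the role-assignable groups described under Details. The following added example (not code from the product or its documentation) uses Microsoft Graph PowerShell to list every role-assignable group in the tenant with its owners, its members, and whether a restricted management administrative unit protects it. It assumes the Microsoft.Graph PowerShell SDK with the Group.Read.All, Directory.Read.All and AdministrativeUnit.Read.All scopes, and that the SDK exposes the administrative unit's IsMemberManagementRestricted property.

```powershell
# Added example, not part of the product documentation.
# Assumes the Microsoft.Graph PowerShell SDK and the listed read scopes.
Connect-MgGraph -Scopes "Group.Read.All","Directory.Read.All","AdministrativeUnit.Read.All" -NoWelcome

function Get-ObjectKind($dirObj) {
    # Directory objects come back as generic objects; the concrete type is in @odata.type.
    ($dirObj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
}

$props = "Id,DisplayName,SecurityEnabled,IsAssignableToRole,OnPremisesSyncEnabled,GroupTypes,CreatedDateTime"
$roleGroups = @(Get-MgGroup -All -Filter "isAssignableToRole eq true" -Property $props)

foreach ($g in $roleGroups) {
    $type = if ($g.GroupTypes -contains 'Unified') { 'Microsoft 365' } else { 'Security' }
    Write-Host "`n== $($g.DisplayName) ($($g.Id))  type=$type  created=$($g.CreatedDateTime)"

    # Owners can add members, so each owner effectively holds the roles assigned to the group.
    foreach ($o in @(Get-MgGroupOwner -GroupId $g.Id -All)) {
        $kind = Get-ObjectKind $o
        $name = $o.AdditionalProperties['displayName']
        if ($kind -eq 'servicePrincipal') {
            # Whoever holds or can add a credential on this app controls the group.
            Write-Warning "  owner servicePrincipal: $name ($($o.Id)) - app credentials can change group membership"
        } else {
            Write-Host "  owner ${kind}: $name ($($o.Id))"
        }
    }

    # Role-assignable groups cannot contain other groups, so direct members are the full picture.
    $members = @(Get-MgGroupMember -GroupId $g.Id -All)
    foreach ($grp in ($members | Group-Object { Get-ObjectKind $_ })) {
        Write-Host "  members: $($grp.Count) x $($grp.Name)"
    }

    # A restricted management administrative unit blocks tenant-wide admins from editing the group.
    $aus = @(Get-MgGroupMemberOf -GroupId $g.Id -All | Where-Object { (Get-ObjectKind $_) -eq 'administrativeUnit' })
    if ($aus.Count -eq 0) {
        Write-Host "  not in any administrative unit"
    }
    foreach ($auRef in $aus) {
        $au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $auRef.Id
        Write-Host "  AU: $($au.DisplayName)  restrictedManagement=$($au.IsMemberManagementRestricted)"
    }
}
```

Read the output as an escalation map: each owner, and each service principal that owns the group, can put an arbitrary principal into a group that carries a directory role. A group that shows no administrative unit, or one whose restrictedManagement is False, can additionally be edited by any tenant-wide administrator with rights over groups.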


Issues

The Issues pane lists the issues identified on the group object.
