# Groups

The `Groups` page provides a list of the groups enumerated across the entire Azure tenant. The list contains the `Assignable To Role`, `Security Enabled`, `On Prem Sync Enabled`, `Group Type`, `Privileged`, `Member Count`, `Tier 0`, `Risk Score`, `Exposure Point` and `Issue Counts` columns.

<figure><img src="/files/Ssoz2bR4Ro9IenoZji9v" alt=""><figcaption><p>Groups</p></figcaption></figure>

## Group Details

The Details page contains the `Risk Score` of the group and the `Exposure Point`, `Information`, and `Issues` panes.

{% hint style="info" %}
You can analyze objects in the `Graph module` by clicking the `Visualize` button on the upper left side of the `Information Pane`.
{% endhint %}

<figure><img src="/files/e23DXfiuQM29rB4s3Y6j" alt=""><figcaption><p>Group Details</p></figcaption></figure>

## Information

`Information Pane` can contain different badges to highlight important attributes.

| Badge          | Description                                                                           |
| -------------- | ------------------------------------------------------------------------------------- |
| **Privileged** | Indicates that the object is Privileged.                                              |
| **Stealth**    | Indicates that the object can compromise admin objects with at least one attack path. |
| **Tier**       | Indicates the object's tier according to risk score and importance.                   |

`Information Pane` contains `Details`, `Parent Groups`, `Child Groups`, `Child Users`, `Child Devices`, `Child Service Principals`, `Child Administrative Units`, `Owner Users`, and `Owner Service Principals` tabs respectively.

## Details

The Details tab contains the attributes below about the group object.

| Attribute                 | Description                                                                                                                                |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| **Name**                  | The unique name or alias of the group, used for identification and referencing within Azure AD.                                            |
| **Description**           | A user-defined text field describing the group's purpose or membership.                                                                    |
| **Display Name**          | The name shown in the directory, often used in address books and group listings.                                                           |
| **Tenant ID**             | The globally unique identifier (GUID) of the Azure AD tenant to which the group belongs.                                                   |
| **Security Enabled**      | Indicates whether the group is a security group, which can be used to manage access to resources like SharePoint, Teams, or applications.  |
| **Group Type**            | Defines the type of group—**Security** for access control or **Microsoft 365** for collaboration (this group is a **Security group**).     |
| **When Created**          | The date and time when the group was created in Azure Active Directory.                                                                    |
| **Is Assignable To Role** | Indicates whether this group can be assigned to Azure AD roles (role-assignable groups must be security-enabled and marked as assignable). |
| **On Prem SID**           | The security identifier (SID) for the group from the on-premises Active Directory, used during synchronization.                            |
| **On Prem Sync Enabled**  | Specifies whether the group was synchronized from an on-premises Active Directory via Azure AD Connect.                                    |
| **Security Identifier**   | A unique SID assigned by Azure AD for the group object, used in access control and permissions.                                            |
| **Object ID**             | A unique object identifier (GUID) assigned to the group by Azure AD, used to reference the group programmatically or in logs.              |

## Parent Groups

The Parent Groups tab contains a list of groups that the group is a member of. This list also contains `Enabled` and `On Prem Sync Enabled` columns to identify the status of these groups.

<figure><img src="/files/B0C3lUhVSaFD9tJhA8dL" alt=""><figcaption><p>Parent Groups</p></figcaption></figure>

## Child Groups

The Child Groups tab contains a list of groups that are children of the group. This list also contains `Privileged` and `Admin` columns to identify the privilege levels of these groups.

<figure><img src="/files/6woSmlkdSLYC8ZFwJt4G" alt=""><figcaption><p>Child Groups</p></figcaption></figure>

## Child Users

The Child Users tab displays a list of user accounts associated with the group.

<figure><img src="/files/ZwBv6soQnIg4Q7UADncv" alt=""><figcaption><p>Child Users</p></figcaption></figure>

## Child Devices

The Child Devices tab displays a list of device objects associated with the group.

<figure><img src="/files/Xuthe4vN0nn2tEIOl3DZ" alt=""><figcaption><p>Child Devices</p></figcaption></figure>

## Child Service Principals

The Child Service Principals tab displays a list of Service Principals associated with the group.

<figure><img src="/files/X214LsANwsL5eIMqy5PZ" alt=""><figcaption><p>Child Service Principals</p></figcaption></figure>

**Name**: The name of the service principal.

**Enabled**: Indicates whether the service principal is active.

**App Display Name:** The display name of the Azure AD application that this service principal is associated with.

**Service Principal Type:** The type of the service principal, which defines its origin.

Common types include:

* `Application` – a service principal created for an Azure AD application.
* `ManagedIdentity` – for system- or user-assigned managed identities.
* `Legacy` – for older service principal objects.
* `Federated` – for service principals from external identity providers.

## Child Administrative Units

The Child Administrative Units tab displays a list of Administrative Units associated with the group.

<figure><img src="/files/4sTGQRWe2OGS2REIgquE" alt=""><figcaption><p>Child Administrative Units</p></figcaption></figure>

**Display Name**: The display name of the Administrative Unit, used to identify it within Azure AD.

**Member Management Restricted**: Indicates whether non-global administrators are restricted from managing members of this Administrative Unit. When set to `true`, only scoped-role assignments can manage its members.

**Visibility**: Determines whether the Administrative Unit is visible to users in the directory. Values can be:

* `Public` – visible to all users.
* `HiddenMembership` – members are not visible to non-admin users.
* `Private` – not visible unless explicitly granted access.

## Owner Users

The Owner Users tab displays a list of Owner Users associated with the group.

<figure><img src="/files/o6fIkiCDsTD9SrNnPBnE" alt=""><figcaption><p>Owner Users</p></figcaption></figure>

## Owner Service Principals

The Owner Service Principals tab displays a list of owner service principals associated with the group.

<figure><img src="/files/kRAr9s39QWBpHmdTjw7O" alt=""><figcaption><p>Owner Service Principals</p></figcaption></figure>
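The tabs above (Parent Groups, Child Groups/Users/Devices/Service Principals, Owner Users and Owner Service Principals) are all views over a group's `members` and `owners` relationships. The following example, added here for illustration and not FSProtect's own code, derives those tabs from constructed Microsoft Graph-style group records; the `@odata.type` values are the real Graph directory object types, and the tenant snapshot, IDs and names are made up.

```python
"""Derive the Information Pane tabs from Microsoft Graph-style group records (constructed sample)."""
from collections import defaultdict

# Constructed sample tenant: a nested group, a cloud-only group, and mixed members/owners.
GROUPS = [
    {"id": "g-admins", "displayName": "Admins", "securityEnabled": True,
     "isAssignableToRole": True, "onPremisesSyncEnabled": None,   # Graph returns null for cloud-only
     "members": [{"@odata.type": "#microsoft.graph.group", "id": "g-helpdesk"},
                 {"@odata.type": "#microsoft.graph.user", "id": "u-alice"}],
     "owners": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-automation"}]},
    {"id": "g-helpdesk", "displayName": "Helpdesk", "securityEnabled": True,
     "isAssignableToRole": False, "onPremisesSyncEnabled": True,
     "members": [{"@odata.type": "#microsoft.graph.user", "id": "u-bob"},
                 {"@odata.type": "#microsoft.graph.device", "id": "d-laptop1"},
                 {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-app1"}],
     "owners": [{"@odata.type": "#microsoft.graph.user", "id": "u-alice"}]},
]

# Map each Graph member type onto the child tab the page describes.
TYPE_TO_TAB = {
    "#microsoft.graph.group": "Child Groups",
    "#microsoft.graph.user": "Child Users",
    "#microsoft.graph.device": "Child Devices",
    "#microsoft.graph.servicePrincipal": "Child Service Principals",
}


def information_pane(groups, group_id):
    """Return the tab contents and key Details attributes for one group in the snapshot."""
    by_id = {g["id"]: g for g in groups}
    g = by_id[group_id]
    tabs = defaultdict(list)
    for m in g["members"]:
        tabs[TYPE_TO_TAB.get(m["@odata.type"], "Other Members")].append(m["id"])
    for o in g["owners"]:
        is_sp = o["@odata.type"] == "#microsoft.graph.servicePrincipal"
        tabs["Owner Service Principals" if is_sp else "Owner Users"].append(o["id"])
    # Parent Groups: invert direct group-in-group membership across the whole snapshot.
    tabs["Parent Groups"] = [
        p["id"] for p in groups
        if any(m["@odata.type"] == "#microsoft.graph.group" and m["id"] == group_id
               for m in p["members"])
    ]
    tabs["Member Count"] = len(g["members"])
    # Graph reports null (not False) for cloud-only groups, so normalise to a boolean.
    tabs["On Prem Sync Enabled"] = bool(g.get("onPremisesSyncEnabled"))
    tabs["Is Assignable To Role"] = bool(g.get("isAssignableToRole"))
    return dict(tabs)
```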

## Issues

The Issues pane lists the issues identified on the group object.

![Issues](/files/EYoSUZpAhjohhoMmtJV7)
