AZ_PARENT_AU

Summary

FSProtect ACL Alias

AZ_PARENT_AU

Entra ID (Azure AD) Alias

Administrative Unit Member

Affected Object Types

Users, Groups, Devices

Exploitation Certainty

Unlikely

Description

AZ_PARENT_AU represents that an object (user, group, or device) belongs to a specific Microsoft Entra ID Administrative Unit. This edge shows the relationship where Object X is a member of Administrative Unit Y.

Administrative Units (AUs) in Microsoft Entra ID provide a way to delegate administrative permissions over a subset of directory objects. They function similarly to Organizational Units (OUs) in Active Directory, allowing organizations to:

Segment administration by department, region, or business unit.
Delegate specific directory roles to administrators scoped to only the AU members.
Apply administrative boundaries without affecting the overall tenant structure.

However, the AZ_PARENT_AU relationship itself does not represent a direct exploitable permission. It indicates which Administrative Unit an object belongs to, which is important for understanding:

The scope of delegated administration permissions.
Which administrators have authority over specific objects.
The administrative boundary structure within the tenant.

Identification

You can identify objects and their parent Administrative Units with these scripts.

List all Administrative Units (PowerShell - Az Module)

Connect-AzAccount

# List all Administrative Units
$uri = "https://graph.microsoft.com/v1.0/directory/administrativeUnits"
$aus = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $aus += $data.value
    $uri = $data.'@odata.nextLink'
}

$aus | Select-Object displayName, id, description | Format-Table -AutoSize

Get Users of a Specific Administrative Unit (PowerShell)

Connect-AzAccount

$auId = "YOUR_AU_ID_HERE"
$uri = "https://graph.microsoft.com/v1.0/directory/administrativeUnits/$auId/members/microsoft.graph.user"
$members = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $members += $data.value
    $uri = $data.'@odata.nextLink'
}

$results = foreach ($member in $members) {
    [PSCustomObject]@{
        UserName     = $member.displayName
        UserPrincipalName = $member.userPrincipalName
        UserId       = $member.id
    }
}

$results | Format-Table -AutoSize

Get Groups of a Specific Administrative Unit (PowerShell)

Connect-AzAccount

$auId = "YOUR_AU_ID_HERE"
$uri = "https://graph.microsoft.com/v1.0/directory/administrativeUnits/$auId/members/microsoft.graph.group"
$members = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $members += $data.value
    $uri = $data.'@odata.nextLink'
}

$results = foreach ($member in $members) {
    [PSCustomObject]@{
        GroupName    = $member.displayName
        GroupId      = $member.id
        SecurityEnabled = $member.securityEnabled
        MailEnabled  = $member.mailEnabled
    }
}

$results | Format-Table -AutoSize

Get Devices of a Specific Administrative Unit (PowerShell)

Connect-AzAccount

$auId = "YOUR_AU_ID_HERE"
$uri = "https://graph.microsoft.com/v1.0/directory/administrativeUnits/$auId/members/microsoft.graph.device"
$members = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $members += $data.value
    $uri = $data.'@odata.nextLink'
}

$results = foreach ($member in $members) {
    [PSCustomObject]@{
        DeviceName   = $member.displayName
        DeviceId     = $member.id
        OperatingSystem = $member.operatingSystem
        TrustType    = $member.trustType
    }
}

$results | Format-Table -AutoSize

Get All Objects with Their Parent Administrative Units (PowerShell)

Connect-AzAccount

# Get all Administrative Units and their members
$uri = "https://graph.microsoft.com/v1.0/directory/administrativeUnits"
$results = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    
    foreach ($au in $data.value) {
        $membersUri = "https://graph.microsoft.com/v1.0/directory/administrativeUnits/$($au.id)/members"
        
        while ($membersUri) {
            $membersResponse = Invoke-AzRestMethod -Uri $membersUri -Method GET
            $membersData = $membersResponse.Content | ConvertFrom-Json
            
            foreach ($member in $membersData.value) {
                $memberType = if ($member.'@odata.type') { ($member.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
                $results += [PSCustomObject]@{
                    AUName       = $au.displayName
                    AUId         = $au.id
                    MemberName   = $member.displayName
                    MemberType   = $memberType
                    MemberId     = $member.id
                }
            }
            
            $membersUri = $membersData.'@odata.nextLink'
        }
    }
    
    $uri = $data.'@odata.nextLink'
}

$results | Export-Csv -Path ".\AzureAUMembers.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Exploitation

There is no practical exploit path for this edge. It indicates which Administrative Unit an object belongs to but does not allow creation, modification, or deletion of any objects.

However, understanding AU membership is valuable for attackers performing reconnaissance because:

It reveals which administrators have delegated authority over specific users/groups.
It can identify high-value targets within specific administrative boundaries.
It helps map the organizational structure for targeted attacks.

Mitigation

No specific mitigation is required, as this edge does not represent a vulnerability.

Best Practices for Administrative Units:

Use Administrative Units with Restricted Management to prevent tenant-level administrators from modifying AU members.
Regularly audit AU membership and delegated roles.
Follow least-privilege principles when assigning scoped administrative roles.
Monitor for unexpected changes to AU membership.

Detection

Changes to Administrative Unit membership can be detected through Microsoft Entra audit logs:

Event Type

Operation

Description

AuditLog

Add member to administrative unit

A user, group, or device was added to an AU

AuditLog

Remove member from administrative unit

A user, group, or device was removed from an AU

AuditLog

Add scoped role member to administrative unit

A role assignment was scoped to an AU

References

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
https://learn.microsoft.com/en-us/graph/api/administrativeunit-list-members

PreviousAZ_OWNER NextAZ_PARTNER_TIER2_SUPPORT

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagExploitation

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

Exploitation

Mitigation

Detection

References