# AZ\_PARENT\_AU

## Summary

|                               |                            |
| ----------------------------- | -------------------------- |
| **FSProtect ACL Alias**       | AZ\_PARENT\_AU             |
| **Entra ID (Azure AD) Alias** | Administrative Unit Member |
| **Affected Object Types**     | Users, Groups, Devices     |
| **Exploitation Certainty**    | Unlikely                   |

## Description

`AZ_PARENT_AU` indicates that an object (user, group, or device) is a member of a specific Microsoft Entra ID Administrative Unit. The edge reads as **Object X is a member of Administrative Unit Y**.

Administrative Units (AUs) in Microsoft Entra ID provide a way to delegate administrative permissions over a subset of directory objects. They are loosely analogous to Organizational Units (OUs) in Active Directory, allowing organizations to:

* **Segment administration** by department, region, or business unit.
* **Delegate specific directory roles** to administrators scoped to only the AU members.
* **Apply administrative boundaries** without affecting the overall tenant structure.

Unlike OUs, AUs do not nest, an object can belong to several AUs at once, and membership (assigned or dynamic) changes nothing about the object itself: it only defines the scope that role assignments on the AU apply to. Tenant-scoped role holders keep their authority over the members regardless, unless the AU uses restricted management.

However, the `AZ_PARENT_AU` relationship itself does not represent a direct exploitable permission. It indicates which Administrative Unit an object belongs to, which is important for understanding:

* The scope of delegated administration permissions.
* Which administrators have authority over specific objects.
* The administrative boundary structure within the tenant.

## Identification

You can identify objects and their parent Administrative Units with these scripts:

### PowerShell (Microsoft Graph)

#### Get All Objects with Their Parent Administrative Units

```powershell
# Requires Microsoft.Graph.Identity.DirectoryManagement (Microsoft.Graph.Authentication loads as a dependency)
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Read-only scopes: AU listing plus directory read to resolve the member objects
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "Directory.Read.All"

# Enumerate every AU in the tenant (-All follows @odata.nextLink paging)
$aus = Get-MgDirectoryAdministrativeUnit -All

$results = foreach ($au in $aus) {
    # Members come back as generic directoryObjects; type-specific fields live in AdditionalProperties
    $members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All

    foreach ($member in $members) {
        # '#microsoft.graph.user' -> 'user', '#microsoft.graph.group' -> 'group', '#microsoft.graph.device' -> 'device'
        $memberType = if ($member.AdditionalProperties.'@odata.type') {
            $member.AdditionalProperties.'@odata.type' -replace '^#microsoft\.graph\.', ''
        } else { 'Unknown' }

        # One row per (AU, member) pair, i.e. one AZ_PARENT_AU edge
        [PSCustomObject]@{
            AUName     = $au.DisplayName
            AUId       = $au.Id
            MemberName = $member.AdditionalProperties.displayName
            MemberType = $memberType
            MemberId   = $member.Id
        }
    }
}

$results | Export-Csv -Path ".\AzureAUMembers.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize
```

## Exploitation

There is no practical exploit path for this edge on its own. It records which Administrative Unit an object belongs to; it does not grant the ability to create, modify, or delete anything. Whatever can be done to the member is determined by the directory roles assigned with the AU as their scope (for example, a User Administrator scoped to the AU can reset passwords and update properties of the AU's non-administrator user members, but of nobody outside the AU).

Understanding AU membership is still valuable for attackers performing reconnaissance because:

* It reveals which administrators hold delegated authority over specific users, groups, or devices, and therefore which accounts are worth compromising to reach them.
* It can identify high-value targets grouped inside a particular administrative boundary (for example, an AU created for executives or for a regulated business unit).
* It helps map the organizational structure for targeted attacks.
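
The following PowerShell is an added example, not part of the original page or of FSProtect's tooling. It walks the edge in the direction an attacker or auditor cares about: starting from one user, it lists the AUs the user belongs to and every active role assignment scoped to those AUs, which resolves to the administrators with delegated authority over that user. The UPN is a placeholder; the scopes assume a read-only Graph session.

```powershell
# Added example: who holds delegated authority over a given user via AU membership?
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory"

$upn = "alice@contoso.example"   # placeholder: the user whose AZ_PARENT_AU edges to follow

$user = Get-MgUser -UserId $upn -Property Id, DisplayName, UserPrincipalName

# memberOf returns groups, directory roles and administrative units mixed together; keep only AUs
$parentAus = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.administrativeUnit' }

# scopedRoleMembership.roleId is the id of the activated directoryRole (not the template); build a lookup once
$roleNames = @{}
Get-MgDirectoryRole -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

$results = foreach ($auRef in $parentAus) {
    # Re-read the AU so the restricted-management flag is returned explicitly
    $au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $auRef.Id `
        -Property Id, DisplayName, IsMemberManagementRestricted

    # Active role assignments whose scope is this AU (PIM-eligible assignments are not included here)
    $scoped = Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All

    if (-not $scoped) {
        # An AU with members but no scoped roles: membership alone delegates nothing
        [PSCustomObject]@{
            User = $user.UserPrincipalName; AUName = $au.DisplayName
            Restricted = $au.IsMemberManagementRestricted
            Role = '(none)'; Admin = '(none)'; AdminId = $null
        }
        continue
    }

    foreach ($s in $scoped) {
        [PSCustomObject]@{
            User       = $user.UserPrincipalName
            AUName     = $au.DisplayName
            Restricted = $au.IsMemberManagementRestricted
            Role       = $roleNames[$s.RoleId]
            Admin      = $s.RoleMemberInfo.DisplayName
            AdminId    = $s.RoleMemberInfo.Id
        }
    }
}

$results | Sort-Object AUName, Role | Format-Table -AutoSize
```

Two caveats when reading the output: tenant-scoped role holders (Global Administrator, a tenant-wide User Administrator, and so on) also have authority over the member and do not appear in this list, since it only shows assignments made with the AU as scope; and `scopedRoleMembers` returns active assignments only. To see eligible or time-bound assignments made through the unified role-management API, query `Get-MgRoleManagementDirectoryRoleAssignment` with a filter of `directoryScopeId eq '/administrativeUnits/<AU id>'`.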

## Mitigation

No specific mitigation is required, as this edge does not represent a vulnerability.

**Best Practices for Administrative Units:**

* Use **Restricted Management** Administrative Units for sensitive accounts so that only roles scoped to the AU (not tenant-scoped role holders such as a tenant-wide User Administrator) can modify the member objects. This is not a hard boundary: Global Administrators and Privileged Role Administrators can still grant themselves a role scoped to the AU, read access is not restricted, and the `isMemberManagementRestricted` flag can only be set when the AU is created.
* Regularly audit AU membership and delegated roles.
* Follow least-privilege principles when assigning scoped administrative roles.
* Monitor for unexpected changes to AU membership.
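
As an added example (not FSProtect's own tooling, and not taken from the original page), the PowerShell below puts the first and third best practices together: it creates a restricted management AU, adds a user to it (which is exactly the `AZ_PARENT_AU` edge being created), and delegates a single least-privilege role to one administrator with the AU as scope. The UPNs, AU name, and role choice are placeholders; the caller is assumed to hold Privileged Role Administrator (or Global Administrator) and to consent to the write scopes.

```powershell
# Added example: restricted management AU with one scoped role assignment.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Directory.Read.All"

$protectedUpn = "cfo@contoso.example"                # placeholder: account to protect
$delegateUpn  = "finance-helpdesk@contoso.example"   # placeholder: scoped administrator
$roleName     = "Helpdesk Administrator"             # placeholder: least-privilege role for the delegate

# isMemberManagementRestricted can only be set at creation. A plain AU created without it
# (the weak setting) leaves its members writable by every tenant-scoped role holder.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "Finance Leadership (restricted)"
    description                  = "Restricted management AU: only roles scoped here may modify members"
    isMemberManagementRestricted = $true
}

# Add the user as an assigned member: this creates the AZ_PARENT_AU edge
$protected = Get-MgUser -UserId $protectedUpn -Property Id
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($protected.Id)"
}

# Scoped role assignments reference the activated directoryRole, not the role template;
# activate the role from its template if this tenant has never used it.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Assign the role to the delegate with the AU as scope: authority over AU members only
$delegate = Get-MgUser -UserId $delegateUpn -Property Id
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo @{ id = $delegate.Id }

# Verify: the restricted flag is set and exactly the scoped assignments you expect exist
Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id -Property Id, DisplayName, IsMemberManagementRestricted |
    Select-Object DisplayName, IsMemberManagementRestricted
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = 'Admin'; e = { $_.RoleMemberInfo.DisplayName } }
```

Test this on a pilot account before moving production identities into a restricted management AU: any tenant-scoped automation or helpdesk tooling that previously wrote to those users will lose write access to them, by design.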

## Detection

Changes to Administrative Unit membership, and to the role assignments scoped to an AU, are recorded in the Microsoft Entra audit log (the `AuditLogs` table, `OperationName` column, when exported to Log Analytics or Microsoft Sentinel):

| Source          | Operation (`ActivityDisplayName`)      | Description                                                            |
| --------------- | -------------------------------------- | ---------------------------------------------------------------------- |
| Entra audit log | Add member to administrative unit      | A user, group, or device was added to an AU (a new `AZ_PARENT_AU` edge) |
| Entra audit log | Remove member from administrative unit | A user, group, or device was removed from an AU                        |
| Entra audit log | Add scoped member to role              | A directory role was assigned with an AU as its scope                  |
| Entra audit log | Remove scoped member from role         | An AU-scoped role assignment was removed                               |
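
As an added example (not part of the original page or of FSProtect), the PowerShell below pulls the events above for the last seven days through Microsoft Graph and flags any change made by an initiator outside an expected set of AU administrators. The expected-initiator list is a placeholder you would populate from your own delegation model; the `app:` prefix is a convention of this example for changes made by a service principal rather than a user.

```powershell
# Added example: review recent AU scoping changes and flag unexpected initiators.
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: UPNs (and "app:<display name>" entries) that are supposed to change AU scoping
$expectedInitiators = @(
    "au-admin@contoso.example",
    "app:Identity Governance Automation"
)

# Operations that create or remove AZ_PARENT_AU edges, or change who has scoped authority over them
$operations = @(
    "Add member to administrative unit",
    "Remove member from administrative unit",
    "Add scoped member to role",
    "Remove scoped member from role"
)

# Graph accepts the timestamp unquoted in the filter, e.g. activityDateTime ge 2024-01-01T00:00:00Z
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# One query per operation keeps the filter simple and well within what directoryAudits supports
$events = foreach ($op in $operations) {
    Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq '$op' and activityDateTime ge $since"
}

$findings = foreach ($e in $events) {
    # The initiator is either a signed-in user or an app (service principal); capture whichever is set
    $initiator = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
                 elseif ($e.InitiatedBy.App.DisplayName)    { "app:" + $e.InitiatedBy.App.DisplayName }
                 else                                       { "unknown" }

    # Target resources name the object(s) touched, e.g. the member and the AU, with their types
    $targets = ($e.TargetResources | ForEach-Object { "$($_.Type):$($_.DisplayName)" }) -join "; "

    [PSCustomObject]@{
        Time       = $e.ActivityDateTime
        Operation  = $e.ActivityDisplayName
        Initiator  = $initiator
        Targets    = $targets
        Result     = $e.Result
        Unexpected = ($initiator -notin $expectedInitiators)
    }
}

$findings | Sort-Object Time -Descending | Format-Table -AutoSize
$findings | Where-Object Unexpected | Export-Csv -Path ".\AU-unexpected-changes.csv" -NoTypeInformation -Encoding UTF8
```

A scoped role assignment made by an account that is not on the expected list, or an unexplained removal of a member from a restricted management AU, is the case worth alerting on: either one changes who can act on the objects behind these edges.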

## References

* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units>
* <https://learn.microsoft.com/en-us/graph/api/resources/administrativeunit>
* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management>
* <https://learn.microsoft.com/en-us/graph/api/administrativeunit-list-members>
