AZ_PARENT_MANAGEMENT_GROUP
Summary
FSProtect ACL Alias: AZ_PARENT_MANAGEMENT_GROUP
Azure Alias: Contains / Member of Management Group
Affected Object Types: Management Groups, Subscriptions
Exploitation Certainty: Informational
Description
AZ_PARENT_MANAGEMENT_GROUP represents that an Azure entity (Subscription or child Management Group) belongs to a specific Management Group. This is a structural/containment edge that shows the highest level of the Azure Resource Manager organizational hierarchy, sitting above Subscriptions.
Management Groups are containers used to manage access, policy, and compliance across multiple subscriptions. All subscriptions within a Management Group automatically inherit conditions applied at that Management Group level. Management Groups can also contain other Management Groups, forming a hierarchy of up to six levels of depth (not counting the Tenant Root Group and the subscription level).
This edge is important for attack path analysis because:
RBAC role assignments inherit downward — a role assigned at a Management Group applies to all child Management Groups, all subscriptions, all resource groups, and all resources within those subscriptions.
An attacker with Owner or Contributor at a Management Group level gains access across all subscriptions under that Management Group — the largest possible blast radius in ARM.
Azure Policy and Blueprints assigned at the Management Group level propagate to all child entities and may enforce or relax security controls.
The Tenant Root Group is the highest Management Group and applies to the entire tenant; control here is equivalent to tenant-wide ARM control.
The AZ_PARENT_MANAGEMENT_GROUP relationship itself is not directly exploitable. It indicates containment for understanding scope of permissions and access control inheritance.
Identification
PowerShell (Az Module)
Azure CLI
Azure GUI
Open Azure Portal → search for Management groups.
The hierarchy is shown in a tree view, starting with the Tenant Root Group.
Select a Management Group to see its child Management Groups and Subscriptions.
Use the Details blade of any subscription to see its parent Management Group.
Exploitation
There is no direct exploit for this edge. It represents a containment relationship.
However, understanding Management Group membership is critical for:
Compromised MG-level role: all child Management Groups, subscriptions, and resources are affected.
Tenant Root Group access: equivalent to full ARM control across the entire tenant.
Blast radius assessment: a role at the MG level can be one of the highest-impact compromises possible.
Policy / Blueprint inheritance: security controls applied at MG level affect every contained subscription.
Related Attack Paths:
AZ_ARM_OWNER — Owner at MG scope inherits to all contained subscriptions and resources.
AZ_CONTRIBUTOR — Contributor at MG scope inherits to all contained subscriptions and resources.
AZ_PARENT_SUBSCRIPTION — Subscriptions belong to Management Groups.
AZ_HAS_ARM_ROLE — Role assignments may target Management Groups directly.
AZ_ARM_ROLE_SCOPED_TO — ARM role assignments scoped to Management Groups apply to everything beneath them.
Mitigation
Plan the Management Group hierarchy carefully — group subscriptions with similar security requirements together, and avoid overly broad MGs.
Minimize role assignments at the Tenant Root Group — these grant tenant-wide control over ARM and should be limited to break-glass accounts.
Prefer subscription- or resource-scoped assignments over Management Group assignments wherever practical.
Use Privileged Identity Management (PIM) for Azure resources — require just-in-time activation, MFA, and approval for any privileged role at MG scope.
Apply Azure Policy at the MG level to enforce baseline security controls across all child subscriptions.
Restrict who can move subscriptions between Management Groups — moving a subscription can change the inherited role assignments and policies.
Detection
Monitor Management Group changes in Azure Activity Log at the Management Group scope.
Go to Azure Portal → Management groups → select the target MG → Activity log.
Alert on:
Create or update Management Group (Microsoft.Management/managementGroups/write).
Delete Management Group (Microsoft.Management/managementGroups/delete).
Subscription moved between Management Groups (Microsoft.Management/managementGroups/subscriptions/write).
Role assignment created/removed at MG scope (Microsoft.Authorization/roleAssignments/write with scope starting /providers/Microsoft.Management/managementGroups/).
Azure Policy assignment changes at MG scope.
These structural changes are infrequent and any unexpected modification — especially at the Tenant Root Group — should be treated as high priority.
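As an added example (not part of this page or of FSProtect), the alert rules above applied in Python to a few constructed Activity Log records; the tenant ID, callers, subscription and assignment IDs are placeholders, and only the operationName, resourceId and caller fields of the Activity Log schema are used.

```python
import json

# Structural Management Group operations the page says to alert on.
# Azure compares operation names and resource IDs case-insensitively, so everything is lowercased.
MG_STRUCTURAL_OPS = {
    "microsoft.management/managementgroups/write": "Management Group created or updated",
    "microsoft.management/managementgroups/delete": "Management Group deleted",
    "microsoft.management/managementgroups/subscriptions/write": "Subscription moved between Management Groups",
}
# Operations that matter only when their scope sits under a Management Group.
MG_SCOPED_OPS = {
    "microsoft.authorization/roleassignments/write": "Role assignment created at MG scope",
    "microsoft.authorization/roleassignments/delete": "Role assignment removed at MG scope",
    "microsoft.authorization/policyassignments/write": "Policy assignment changed at MG scope",
}
MG_SCOPE_PREFIX = "/providers/microsoft.management/managementgroups/"
# The Tenant Root Group's management group ID equals the tenant ID; this is a constructed placeholder.
TENANT_ROOT_GROUP_ID = "11111111-2222-3333-4444-555555555555"


def classify(event):
    """Return a finding dict for one Activity Log event, or None if it needs no alert."""
    op = event.get("operationName", "").lower()
    scope = event.get("resourceId", "").lower()
    if op in MG_STRUCTURAL_OPS:
        reason = MG_STRUCTURAL_OPS[op]
    elif op in MG_SCOPED_OPS and scope.startswith(MG_SCOPE_PREFIX):
        reason = MG_SCOPED_OPS[op]
    else:
        return None  # subscription- or resource-scoped role/policy changes are out of scope for this rule
    # Anything touching the Tenant Root Group is tenant-wide ARM control: highest priority.
    root_hit = scope.startswith(MG_SCOPE_PREFIX + TENANT_ROOT_GROUP_ID)
    return {"severity": "high" if root_hit else "medium", "reason": reason,
            "caller": event.get("caller", "unknown"), "scope": event.get("resourceId", "")}


def triage(events):
    """Run classify() over a list of Activity Log events and return the findings in order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (not real log data), one per branch of the rule.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "alice@example.com",
     "resourceId": f"/providers/Microsoft.Management/managementGroups/{TENANT_ROOT_GROUP_ID}"
                   "/providers/Microsoft.Authorization/roleAssignments/aaaa-1111"},
    {"operationName": "Microsoft.Management/managementGroups/subscriptions/write", "caller": "bob@example.com",
     "resourceId": "/providers/Microsoft.Management/managementGroups/mg-prod/subscriptions/sub-0001"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "carol@example.com",
     "resourceId": "/subscriptions/sub-0001/providers/Microsoft.Authorization/roleAssignments/bbbb-2222"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The first sample event fires as high severity because its scope is the Tenant Root Group; the third is a subscription-scoped assignment and is ignored by this rule.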