# AZ\_PARENT\_MANAGEMENT\_GROUP

## Summary

|                            |                                       |
| -------------------------- | ------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_PARENT\_MANAGEMENT\_GROUP         |
| **Azure Alias**            | Contains / Member of Management Group |
| **Affected Object Types**  | Management Groups, Subscriptions      |
| **Exploitation Certainty** | Informational                         |

## Description

`AZ_PARENT_MANAGEMENT_GROUP` represents that an Azure entity (Subscription or child Management Group) **belongs to a specific Management Group**. This is a structural/containment edge that shows the highest level of the Azure Resource Manager organizational hierarchy, sitting above Subscriptions.

Management Groups are containers used to manage access, policy, and compliance across multiple subscriptions. All subscriptions within a Management Group automatically inherit conditions applied at that Management Group level. Management Groups can also contain other Management Groups, forming a hierarchy of up to six levels of depth (excluding the root Tenant Root Group and subscription level).

This edge is important for attack path analysis because:

* **RBAC role assignments inherit downward** — a role assigned at a Management Group applies to all child Management Groups, all subscriptions, all resource groups, and all resources within those subscriptions.
* **An attacker with Owner or Contributor at a Management Group level** gains access across **all subscriptions** under that Management Group — the largest possible blast radius in ARM.
* **Azure Policy and Blueprints assigned at the Management Group level** propagate to all child entities and may enforce or relax security controls.
* **The Tenant Root Group** is the highest Management Group and applies to the entire tenant; control here is equivalent to tenant-wide ARM control.

The `AZ_PARENT_MANAGEMENT_GROUP` relationship itself is not directly exploitable. It indicates containment for understanding scope of permissions and access control inheritance.
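As an added example, not part of the FSProtect documentation, the following Az PowerShell script measures the blast radius described above: it walks the subtree of a Management Group to collect every descendant subscription and lists the role assignments made directly at that group. It assumes the Az.Resources module and an authenticated session (`Connect-AzAccount`); `<ManagementGroupName>` is a placeholder.

```powershell
# Added example (not FSProtect code): blast radius of role assignments made
# directly at a Management Group. Assumes Az.Resources is installed and
# Connect-AzAccount has already been run.

function Get-MgDescendantSubscriptions {
    param([Parameter(Mandatory)][string]$GroupName)

    # -Expand -Recurse returns the whole subtree; walk it with an explicit
    # stack and collect every child whose Type is a subscription.
    $root  = Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse
    $subs  = [System.Collections.Generic.List[object]]::new()
    $stack = [System.Collections.Stack]::new()
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in @($node.Children)) {
            if ($child.Type -eq '/subscriptions') {
                $subs.Add([PSCustomObject]@{
                    SubscriptionId   = $child.Name
                    SubscriptionName = $child.DisplayName
                })
            } else {
                $stack.Push($child)   # nested Management Group: keep descending
            }
        }
    }
    return $subs
}

function Get-MgScopedRoleAssignments {
    param([Parameter(Mandatory)][string]$GroupName)

    $scope = "/providers/Microsoft.Management/managementGroups/$GroupName"
    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent
    # groups; keep only those made directly at this group.
    Get-AzRoleAssignment -Scope $scope |
        Where-Object { $_.Scope -eq $scope } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
}

# Example usage; "<ManagementGroupName>" is a placeholder.
$mgName = "<ManagementGroupName>"
$subs   = Get-MgDescendantSubscriptions -GroupName $mgName
$roles  = Get-MgScopedRoleAssignments  -GroupName $mgName

"{0} role assignment(s) at '{1}' reach {2} subscription(s)" -f @($roles).Count, $mgName, @($subs).Count
$roles | Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' } | Format-Table -AutoSize
$subs  | Format-Table -AutoSize
```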

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all Management Groups accessible to the current identity
Get-AzManagementGroup |
    Select-Object Name, DisplayName, Id, TenantId |
    Format-Table -AutoSize

# Show full Management Group hierarchy (children of a given MG)
Get-AzManagementGroup -GroupName "<ManagementGroupName>" -Expand -Recurse |
    Select-Object Name, DisplayName, @{N='Children';E={$_.Children.Name -join ', '}} |
    Format-Table -AutoSize

# List all subscriptions and the Management Group they belong to
Get-AzManagementGroup | ForEach-Object {
    $mg = $_
    Get-AzManagementGroup -GroupName $mg.Name -Expand -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Children -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "/subscriptions" } |
        ForEach-Object {
            [PSCustomObject]@{
                ManagementGroup = $mg.DisplayName
                ManagementGroupId = $mg.Name
                SubscriptionName = $_.DisplayName
                SubscriptionId = $_.Name
            }
        }
} | Format-Table -AutoSize
```

### Azure CLI

```bash
# List all Management Groups
az account management-group list --query "[].{Name:name, DisplayName:displayName, Id:id}" -o table

# Show details and children of a specific Management Group
az account management-group show --name "<ManagementGroupName>" --expand --recurse

# List subscriptions and their parent Management Group (entities list reports
# subscriptions with type '/subscriptions'; the parent object carries only an id)
az account management-group entities list --query "[?type=='/subscriptions'].{Name:displayName, Id:name, Parent:parent.id}" -o table
```

### Azure GUI

1. Open **Azure Portal** → search for **Management groups**.
2. The hierarchy is shown in a tree view, starting with the **Tenant Root Group**.
3. Select a Management Group to see its child Management Groups and Subscriptions.
4. Use the **Details** blade of any subscription to see its parent Management Group.

## Exploitation

There is no direct exploit for this edge. It represents a containment relationship.

However, understanding Management Group membership is critical for:

| Scenario                           | Impact                                                                       |
| ---------------------------------- | ---------------------------------------------------------------------------- |
| **Compromised MG-level role**      | All child Management Groups, subscriptions, and resources are affected       |
| **Tenant Root Group access**       | Equivalent to full ARM control across the entire tenant                      |
| **Blast radius assessment**        | A role at the MG level can be one of the highest-impact compromises possible |
| **Policy / Blueprint inheritance** | Security controls applied at MG level affect every contained subscription    |

> **Related Attack Paths:**
>
> * [AZ\_ARM\_OWNER](https://docs.forestall.io/fsprotect/edges/azure/az_arm_owner) — Owner at MG scope inherits to all contained subscriptions and resources.
> * [AZ\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_contributor) — Contributor at MG scope inherits to all contained subscriptions and resources.
> * [AZ\_PARENT\_SUBSCRIPTION](https://docs.forestall.io/fsprotect/edges/azure/az_parent_subscription) — Subscriptions belong to Management Groups.
> * [AZ\_HAS\_ARM\_ROLE](https://docs.forestall.io/fsprotect/edges/azure/az_has_arm_role) — Role assignments may target Management Groups directly.
> * [AZ\_ARM\_ROLE\_SCOPED\_TO](https://docs.forestall.io/fsprotect/edges/azure/az_arm_role_scoped_to) — ARM role assignments scoped to Management Groups apply to everything beneath them.

## Mitigation

* **Plan the Management Group hierarchy carefully** — group subscriptions with similar security requirements together, and avoid overly broad MGs.
* **Minimize role assignments at the Tenant Root Group** — these grant tenant-wide control over ARM and should be limited to break-glass accounts.
* **Prefer subscription- or resource-scoped assignments** over Management Group assignments wherever practical.
* **Use Privileged Identity Management (PIM) for Azure resources** — require just-in-time activation, MFA, and approval for any privileged role at MG scope.
* **Apply Azure Policy at the MG level** to enforce baseline security controls across all child subscriptions.
* **Restrict who can move subscriptions** between Management Groups — moving a subscription can change the inherited role assignments and policies.

## Detection

Monitor Management Group changes in **Azure Activity Log** at the Management Group scope.

* Go to **Azure Portal** → **Management groups** → select the target MG → **Activity log**.
* Alert on:
  * **Create or update Management Group** (`Microsoft.Management/managementGroups/write`).
  * **Delete Management Group** (`Microsoft.Management/managementGroups/delete`).
  * **Subscription moved between Management Groups** (`Microsoft.Management/managementGroups/subscriptions/write`).
  * **Role assignment created/removed at MG scope** (`Microsoft.Authorization/roleAssignments/write` with scope starting `/providers/Microsoft.Management/managementGroups/`).
  * **Azure Policy assignment changes at MG scope**.

These structural changes are infrequent and any unexpected modification — especially at the Tenant Root Group — should be treated as high priority.
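As an added example, not from the FSProtect documentation, this PowerShell function applies the alerting rules above to a batch of Activity Log events, drops role and policy writes whose scope is not a Management Group, and grades Tenant Root Group changes highest. The events it runs on are constructed samples in the shape of the Activity Log event schema (`operationName.value`, `authorization.scope`, `caller`) with placeholder tenant and subscription IDs.

```powershell
# Added example (not FSProtect code): apply the Activity Log alerting rules for
# Management Group scope to a batch of events. The sample events below are
# constructed; in practice feed this from the MG-scope Activity log export.

$MgScopePrefix = '/providers/Microsoft.Management/managementGroups/'
$WatchedOps = @{
    'Microsoft.Management/managementGroups/write'               = 'Management Group created or updated'
    'Microsoft.Management/managementGroups/delete'              = 'Management Group deleted'
    'Microsoft.Management/managementGroups/subscriptions/write' = 'Subscription moved into Management Group'
    'Microsoft.Authorization/roleAssignments/write'             = 'Role assignment created at MG scope'
    'Microsoft.Authorization/roleAssignments/delete'            = 'Role assignment removed at MG scope'
    'Microsoft.Authorization/policyAssignments/write'           = 'Policy assignment changed at MG scope'
}

function Test-MgStructuralChange {
    param([Parameter(Mandatory)]$Event)
    $op    = $Event.operationName.value
    $scope = $Event.authorization.scope
    if (-not $WatchedOps.ContainsKey($op)) { return $null }
    # Role and policy writes are routine at subscription/resource-group scope;
    # keep only those whose target scope is a Management Group.
    if ($op -like 'Microsoft.Authorization/*' -and $scope -notlike "$MgScopePrefix*") { return $null }
    # The Tenant Root Group's name is the tenant ID, so changes there rank highest.
    $severity = if ($scope -like "$MgScopePrefix$($Event.tenantId)*") { 'High' } else { 'Medium' }
    [PSCustomObject]@{
        Time     = $Event.eventTimestamp
        Caller   = $Event.caller
        Finding  = $WatchedOps[$op]
        Scope    = $scope
        Severity = $severity
    }
}

# Constructed sample events; tenant, subscription and assignment IDs are placeholders.
$tenant  = '00000000-0000-0000-0000-000000000001'
$samples = @(
    @{ eventTimestamp = '2024-05-01T10:00:00Z'; caller = 'alice@contoso.example'; tenantId = $tenant
       operationName = @{ value = 'Microsoft.Authorization/roleAssignments/write' }
       authorization = @{ scope = "$MgScopePrefix$tenant/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111" } },
    @{ eventTimestamp = '2024-05-01T10:05:00Z'; caller = 'bob@contoso.example'; tenantId = $tenant
       operationName = @{ value = 'Microsoft.Management/managementGroups/subscriptions/write' }
       authorization = @{ scope = "${MgScopePrefix}mg-prod/subscriptions/00000000-0000-0000-0000-0000000000aa" } },
    @{ eventTimestamp = '2024-05-01T10:10:00Z'; caller = 'carol@contoso.example'; tenantId = $tenant
       operationName = @{ value = 'Microsoft.Authorization/roleAssignments/write' }
       authorization = @{ scope = '/subscriptions/00000000-0000-0000-0000-0000000000aa/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222' } }   # routine, ignored
)

$samples | ForEach-Object { Test-MgStructuralChange -Event $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

The first sample is reported as High because its scope begins with the tenant ID (the Tenant Root Group), the second as Medium, and the third is dropped as a subscription-scope change.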
