# AZ\_PARENT\_RESOURCE\_GROUP

## Summary

|                            |                                                                                                              |
| -------------------------- | ------------------------------------------------------------------------------------------------------------ |
| **FSProtect ACL Alias**    | AZ\_PARENT\_RESOURCE\_GROUP                                                                                  |
| **Azure Alias**            | Contains / Member of Resource Group                                                                          |
| **Affected Object Types**  | VMs, Key Vaults, Automation Accounts, Storage Accounts, Web Apps, Function Apps, and all other ARM resources |
| **Exploitation Certainty** | Informational                                                                                                |

## Description

`AZ_PARENT_RESOURCE_GROUP` indicates that an Azure resource **belongs to a specific Resource Group**. It is a structural/containment edge that shows the organizational hierarchy of Azure resources.

Resource Groups are logical containers in Azure Resource Manager (ARM) that group related resources for management, access control, and billing. Every ARM resource exists within exactly one Resource Group.

This edge is important for attack path analysis because:

* **RBAC role assignments inherit downward** — a role assigned at the Resource Group level applies to all resources within that group.
* **An attacker with Contributor or Owner at the Resource Group level** gains access to all contained resources (VMs, Key Vaults, etc.).
* **Resource Group membership reveals the blast radius** of a compromised role assignment.

The `AZ_PARENT_RESOURCE_GROUP` relationship itself is not directly exploitable. It indicates containment, which helps in understanding the scope of permissions and access control inheritance.

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all resources in a resource group
Get-AzResource -ResourceGroupName "<RGName>" |
    Select-Object Name, ResourceType, ResourceGroupName, Location |
    Format-Table -AutoSize

# List all resource groups in a subscription
Get-AzResourceGroup |
    Select-Object ResourceGroupName, Location, ProvisioningState |
    Format-Table -AutoSize
```

### Azure GUI

1. Open **Azure Portal** → **Resource groups**.
2. Select the target Resource Group.
3. View all contained resources in the **Overview** or **Resources** blade.

## Exploitation

There is no direct exploit for this edge. It represents a containment relationship.

However, understanding resource group membership is critical for:

| Scenario                      | Impact                                                                                        |
| ----------------------------- | --------------------------------------------------------------------------------------------- |
| **Compromised RG-level role** | All resources in the RG are affected (e.g., Owner on RG = Owner on all VMs, Key Vaults, etc.) |
| **Lateral movement planning** | Knowing which resources are co-located helps plan lateral movement paths                      |
| **Blast radius assessment**   | Evaluate the impact of a compromised identity by tracing its RG-scoped assignments            |

> **Related Attack Paths:**
>
> * [AZ\_ARM\_OWNER](https://docs.forestall.io/fsprotect/edges/azure/az_arm_owner) — Owner at RG scope inherits to all contained resources.
> * [AZ\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_contributor) — Contributor at RG scope inherits to all contained resources.
> * [AZ\_PARENT\_SUBSCRIPTION](https://docs.forestall.io/fsprotect/edges/azure/az_parent_subscription) — Resource Groups themselves belong to Subscriptions.

## Mitigation

* **Organize resources thoughtfully** — group resources with similar security requirements and access patterns.
* **Minimize broad role assignments at RG level** — prefer resource-level assignments where possible.
* **Use resource locks** — apply **CanNotDelete** or **ReadOnly** locks on critical resource groups.
* **Review RBAC assignments at RG scope** — regularly audit who has access at the resource group level.
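
The RG-scope review from the last bullet can be scripted with the Az module. The following is an added example, not part of FSProtect or the original page: for every resource group it lists Owner and Contributor assignments and the resources each one reaches through this containment edge. The role watch list and the output column names are assumptions; it requires an authenticated session (`Connect-AzAccount`) with read access to role assignments.

```powershell
# Added example: audit broad roles per resource group and show what they reach.
# Assumed watch list (the two roles this page names); extend as needed.
$BroadRoles = 'Owner', 'Contributor'

foreach ($rg in Get-AzResourceGroup) {
    # Resources contained in this group, i.e. the AZ_PARENT_RESOURCE_GROUP edges.
    $resources = @(Get-AzResource -ResourceGroupName $rg.ResourceGroupName)

    # Role assignments that are effective on this resource group.
    Get-AzRoleAssignment -ResourceGroupName $rg.ResourceGroupName |
        Where-Object { $_.RoleDefinitionName -in $BroadRoles } |
        ForEach-Object {
            [pscustomobject]@{
                ResourceGroup    = $rg.ResourceGroupName
                Principal        = $_.DisplayName
                PrincipalType    = $_.ObjectType
                Role             = $_.RoleDefinitionName
                # True when the assignment was made on the resource group itself
                # rather than at another scope (compare Scope with the RG's ARM id).
                AssignedOnRg     = ($_.Scope -eq $rg.ResourceId)
                Scope            = $_.Scope
                ResourcesReached = $resources.Count
                ResourceTypes    = ($resources.ResourceType | Sort-Object -Unique) -join ', '
            }
        }
} | Sort-Object ResourcesReached -Descending |
    Format-Table ResourceGroup, Principal, PrincipalType, Role, AssignedOnRg, ResourcesReached -AutoSize
```

Rows with `AssignedOnRg` set to `True` and a high `ResourcesReached` count are the first candidates for replacement with resource-level assignments.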

## Detection

This edge represents a static structural relationship. Monitor for:

* New resources added to sensitive resource groups.
* Role assignments at the resource group scope.
* Resource group creation/deletion.
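
The three conditions above map onto Azure Activity Log operation names and ARM resource ID shapes. The following is an added example, not code from FSProtect or the original page: it classifies records that carry `OperationName`, `ResourceId` and `Caller` fields. The sample records, the `rg-prod-secrets` group name and the function name `Get-RgEdgeFinding` are constructed for illustration.

```powershell
# Added example: classify Activity Log-style records against the three conditions.
$SensitiveRGs = @('rg-prod-secrets')   # hypothetical list of sensitive resource groups

function Get-RgEdgeFinding {
    param([Parameter(Mandatory)] [psobject] $Record)
    $op = $Record.OperationName
    $id = $Record.ResourceId
    $rg = $null
    if ($id -match '^/subscriptions/[^/]+/resourceGroups/([^/]+)') { $rg = $Matches[1] }

    if ($op -match '^Microsoft\.Resources/subscriptions/resourceGroups/(write|delete)$') {
        return "Resource group $($Matches[1])"
    }
    if ($op -eq 'Microsoft.Authorization/roleAssignments/write') {
        # At RG scope the roleAssignments segment follows the resource group directly;
        # a resource-level assignment has another provider/resource pair in between.
        if ($id -match '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Authorization/roleAssignments/[^/]+$') {
            return 'Role assignment at resource group scope'
        }
        return $null
    }
    # A write operation covers both create and update of a resource.
    if ($op -match '/write$' -and $rg -and ($SensitiveRGs -contains $rg) -and $id -match '/providers/') {
        return 'Resource written in sensitive resource group'
    }
    return $null
}

# Constructed sample records (not real log data).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ OperationName = 'Microsoft.Authorization/roleAssignments/write'; Caller = 'alice@example.com'
        ResourceId = "$sub/resourceGroups/rg-prod-secrets/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111" }
    [pscustomobject]@{ OperationName = 'Microsoft.Authorization/roleAssignments/write'; Caller = 'alice@example.com'
        ResourceId = "$sub/resourceGroups/rg-prod-secrets/providers/Microsoft.KeyVault/vaults/kv1/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222" }
    [pscustomobject]@{ OperationName = 'Microsoft.Compute/virtualMachines/write'; Caller = 'bob@example.com'
        ResourceId = "$sub/resourceGroups/rg-prod-secrets/providers/Microsoft.Compute/virtualMachines/vm1" }
    [pscustomobject]@{ OperationName = 'Microsoft.Resources/subscriptions/resourceGroups/delete'; Caller = 'bob@example.com'
        ResourceId = "$sub/resourceGroups/rg-test" }
)

$sample | ForEach-Object {
    $finding = Get-RgEdgeFinding -Record $_
    if ($finding) { [pscustomobject]@{ Finding = $finding; Caller = $_.Caller; ResourceId = $_.ResourceId } }
} | Format-List
```

The second sample record is a resource-level assignment on a Key Vault and is intentionally not reported, which keeps the rule focused on assignments that inherit to every resource in the group.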

## References

* <https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/overview>
* <https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview>


