# AZ\_PARTNER\_TIER2\_SUPPORT

> **WARNING**: This role is **deprecated**. Microsoft states: "Do not use - not intended for general use." Organizations should transition to Granular Delegated Admin Privileges (GDAP).

## Summary

|                               |                                                              |
| ----------------------------- | ------------------------------------------------------------ |
| **FSProtect ACL Alias**       | AZ\_PARTNER\_TIER2\_SUPPORT                                  |
| **Entra ID (Azure AD) Alias** | Partner Tier2 Support                                        |
| **Role Template ID**          | `e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8`                       |
| **Affected Object Types**     | Users, Service Principals, Groups, Domains, Role Assignments |
| **Exploitation Certainty**    | Certain                                                      |
| **Graph Permission / Role**   | Membership in the **Partner Tier2 Support** directory role   |

## Description

`AZ_PARTNER_TIER2_SUPPORT` represents the **Partner Tier2 Support** directory role in Microsoft Entra ID. This role was assigned to Microsoft Partner organizations through the Cloud Solution Provider (CSP) or Delegated Admin Privileges (DAP) programs.

**Capabilities of Partner Tier2 Support:**

* **Reset passwords for ALL users** including Global Administrators
* **Invalidate refresh tokens** for all users including admins
* **Full domain management** (create, delete, update domains)
* **Manage role assignments** (create/delete role assignments)
* **Manage user accounts** including creation, modification, and deletion
* **Manage groups and group memberships**
* **Update applications and credentials**
* **Create and manage OAuth permission grants**

**Partner Tier2 vs Tier1 Support:**

| Capability                                | Tier1  | Tier2   |
| ----------------------------------------- | ------ | ------- |
| Reset passwords for non-admins            | Yes    | Yes     |
| Reset passwords for admins (including GA) | **No** | **Yes** |
| Domain management                         | No     | Yes     |
| Role assignment management                | No     | Yes     |

**Security Implications:**

This role is extremely dangerous because:

* **Password reset for Global Admins**: One of very few roles that can reset GA passwords
* **External access**: The role is held by principals from an external partner tenant
* **Nation-state abuse**: NOBELIUM (APT29) abused DAP relationships to compromise multiple tenants
* **Cross-tenant trust**: Actions are performed by entities outside your organizational control
* **Persistence**: Partners may retain access even after business relationships end
* **Visibility gaps**: Partner actions may not be as visible in customer audit logs

## Identification

### PowerShell (Microsoft Graph)

**Find Partner Tier2 Support role assignments:**

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Partner Tier2 Support role template ID
$roleId = "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8"

Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" -ExpandProperty Principal -ErrorAction SilentlyContinue | ForEach-Object {
    [PSCustomObject]@{
        PrincipalType = $_.Principal.AdditionalProperties.'@odata.type'.Split('.')[-1]
        DisplayName   = $_.Principal.AdditionalProperties.displayName
        PrincipalId   = $_.PrincipalId
        Scope         = $_.DirectoryScopeId
    }
} | Format-Table -AutoSize
```

**Check for all partner roles and GDAP relationships:**

```powershell
# Check both Partner Tier1 and Tier2
$partnerRoles = @{
    "4ba39ca4-527c-499a-b93d-d9b492c50246" = "Partner Tier1 Support"
    "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8" = "Partner Tier2 Support"
}

$partnerRoles.Keys | ForEach-Object {
    $rid = $_; $rname = $partnerRoles[$_]
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$rid'" -ExpandProperty Principal -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{ Role = $rname; DisplayName = $_.Principal.AdditionalProperties.displayName; PrincipalId = $_.PrincipalId }
    }
} | Format-Table -AutoSize

# Check GDAP relationships
Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All"
Get-MgTenantRelationshipDelegatedAdminRelationship | Select DisplayName,Status,Duration,EndDateTime | Format-Table -AutoSize
```

### Azure GUI

1. Open **Microsoft Entra admin center** -> **Roles & administrators**
2. Search for **Partner Tier2 Support**
3. Check **Assignments** for any active members
4. Also check **Partner relationships**:
   * Go to **Microsoft 365 Admin Center** -> **Settings** -> **Partner relationships**
   * Review all active partner access

## Exploitation

A compromised partner account with Tier2 Support can take over **any account in the tenant**, including Global Administrators.

> **Real-world abuse**: In 2021, NOBELIUM (APT29/Cozy Bear) targeted MSP/CSP partners and abused DAP relationships to pivot into multiple customer tenants.

### PowerShell (Microsoft Graph)

**Reset a Global Administrator's password:**

```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All"

$targetUser = "globaladmin@contoso.com"
Update-MgUser -UserId $targetUser -BodyParameter @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $false
        password = "pass here"
    }
}
```

![Reset a Global Administrator's password](/files/7k2zZL8T7o2DPOMm7yGZ)

### Common Abuse Patterns

* Reset Global Admin password and lock out legitimate administrators
* Create new admin accounts for persistence
* Modify OAuth app permissions for data exfiltration
* Pivot from one compromised partner to multiple customer tenants

## Mitigation

* **Transition from DAP to GDAP**: Migrate to Granular Delegated Admin Privileges for time-bound, least-privilege access
  * Go to **Microsoft 365 Admin Center** -> **Settings** -> **Partner relationships**
  * Set maximum duration (recommend 90 days or less)
* **Review partner relationships regularly**:
  * Audit which partners have access to your tenant
  * Remove partner relationships no longer needed
  * Verify partner identity before approving GDAP requests
* **Never grant Partner Tier2 Support under GDAP**:
  * Use least-privilege roles (Helpdesk Administrator, User Administrator)
  * Avoid granting password reset capability over admin accounts
* **Monitor partner actions**:
  * Review audit logs for actions by partner accounts
  * Alert on password resets by external principals
  * Monitor cross-tenant sign-ins
* **Require MFA for partner access**: Ensure partners use phishing-resistant MFA
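To make the GDAP review above repeatable, the following added example (not FSProtect's own code) scores delegated admin relationship objects against the guidance: it flags any active relationship whose duration exceeds a maximum (90 days by default) or that grants one of the roles a customer should never delegate. It assumes objects in the shape of the Graph `delegatedAdminRelationship` resource (DisplayName, Status, Duration, AccessDetails.UnifiedRoles[].RoleDefinitionId), whether returned by `Get-MgTenantRelationshipDelegatedAdminRelationship` or exported from the admin center. The two partner role template IDs are the ones listed on this page; the Global Administrator ID is Microsoft's well-known template ID; the sample relationships are constructed.

```powershell
# Added example, not FSProtect's own code. Reviews delegatedAdminRelationship-shaped
# objects for over-long or over-privileged GDAP grants.

$watchRoles = @{
    "4ba39ca4-527c-499a-b93d-d9b492c50246" = "Partner Tier1 Support"   # from this page
    "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8" = "Partner Tier2 Support"   # from this page
    "62e90394-69f5-4237-9190-012177145e10" = "Global Administrator"    # well-known template ID
}

function Get-GdapRelationshipFinding {
    # Emits one finding per active relationship: the duration in days, whether it
    # exceeds $MaxDays, and which watched roles the relationship grants.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Relationship,
        [int] $MaxDays = 90
    )
    process {
        if ($Relationship.Status -ne 'active') { return }
        # Duration is an ISO 8601 period such as "P90D"; XmlConvert parses that format
        $days = [System.Xml.XmlConvert]::ToTimeSpan($Relationship.Duration).TotalDays
        $roleIds = @($Relationship.AccessDetails.UnifiedRoles | ForEach-Object { $_.RoleDefinitionId })
        $flagged = @($roleIds | Where-Object { $watchRoles.ContainsKey($_) } | ForEach-Object { $watchRoles[$_] })
        [PSCustomObject]@{
            Relationship = $Relationship.DisplayName
            DurationDays = [int]$days
            TooLong      = ($days -gt $MaxDays)
            RoleCount    = $roleIds.Count
            WatchedRoles = ($flagged -join ', ')
            NeedsAction  = ($days -gt $MaxDays) -or ($flagged.Count -gt 0)
        }
    }
}

# Constructed sample data: one acceptable relationship, one that grants Tier2 Support
# for two years, and one that is no longer active.
$sampleRelationships = @(
    [PSCustomObject]@{
        DisplayName   = "Contoso MSP - helpdesk"                 # constructed
        Status        = "active"
        Duration      = "P30D"
        AccessDetails = [PSCustomObject]@{ UnifiedRoles = @(
            [PSCustomObject]@{ RoleDefinitionId = "00000000-0000-0000-0000-00000000aaaa" }  # placeholder, low-privilege role
        ) }
    },
    [PSCustomObject]@{
        DisplayName   = "Contoso MSP - full access"              # constructed
        Status        = "active"
        Duration      = "P730D"
        AccessDetails = [PSCustomObject]@{ UnifiedRoles = @(
            [PSCustomObject]@{ RoleDefinitionId = "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8" },
            [PSCustomObject]@{ RoleDefinitionId = "00000000-0000-0000-0000-00000000aaaa" }
        ) }
    },
    [PSCustomObject]@{
        DisplayName   = "Old reseller"                           # constructed
        Status        = "terminated"
        Duration      = "P90D"
        AccessDetails = [PSCustomObject]@{ UnifiedRoles = @() }
    }
)

$sampleRelationships | Get-GdapRelationshipFinding -MaxDays 90 | Format-Table -AutoSize

# Live use in a tenant that can call the Graph endpoint (scope DelegatedAdminRelationship.Read.All):
# Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All"
# Get-MgTenantRelationshipDelegatedAdminRelationship -All | Get-GdapRelationshipFinding -MaxDays 90
```

Only the second constructed relationship comes back with `NeedsAction` set: it is both longer than 90 days and grants Partner Tier2 Support. The terminated one is skipped, so the report lists only grants that currently confer access.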

## Detection

Detect partner access and actions in **Audit logs**.

### PowerShell (Microsoft Graph)

```powershell
# Requires PowerShell 7 or later: the ?? null-coalescing operator used below is not
# available in Windows PowerShell 5.1
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Detect password resets - look for partner-initiated actions
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Reset password'" -Top 50 | 
    Select ActivityDateTime,ActivityDisplayName,
        @{N='Actor';E={$_.InitiatedBy.User.UserPrincipalName ?? $_.InitiatedBy.App.DisplayName}},
        @{N='ActorTenantId';E={$_.InitiatedBy.User.HomeTenantId}},
        @{N='Target';E={$_.TargetResources[0].UserPrincipalName}} | Format-Table -AutoSize

# Check for cross-tenant sign-ins (partner access)
Get-MgAuditLogSignIn -Filter "crossTenantAccessType eq 'serviceProvider'" -Top 50 |
    Select CreatedDateTime,UserPrincipalName,AppDisplayName,HomeTenantId,ResourceTenantId | Format-Table -AutoSize
```
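The query above lists every password reset; the alert criteria in this section need the ones performed by an external principal against an administrator to stand out. The following added example (not FSProtect's own code) triages `Reset password` audit events into severities on exactly that basis: an actor whose `HomeTenantId` is not your tenant is treated as external, and a target found in your administrator list raises the severity. The tenant ID, administrator list and audit records are constructed; in a live run they come from `(Get-MgContext).TenantId`, the members of your privileged roles, and `Get-MgAuditLogDirectoryAudit`.

```powershell
# Added example, not FSProtect's own code. Triages "Reset password" audit events so that
# external (partner) actors resetting administrator passwords surface first.

$ownTenantId = "11111111-1111-1111-1111-111111111111"                  # constructed placeholder
$adminUpns   = @("globaladmin@contoso.com", "secadmin@contoso.com")   # constructed; in practice, role members

function Get-PartnerResetAlert {
    # Takes directoryAudit-shaped objects (as returned by Get-MgAuditLogDirectoryAudit)
    # and emits one alert per password reset with a severity derived from who did it
    # and whom it targeted.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $AuditEvent,
        [Parameter(Mandatory)] [string]   $TenantId,
        [Parameter(Mandatory)] [string[]] $AdminUpns
    )
    process {
        if ($AuditEvent.ActivityDisplayName -ne 'Reset password') { return }
        $actor    = $AuditEvent.InitiatedBy.User
        $actorUpn = if ($actor.UserPrincipalName) { $actor.UserPrincipalName } else { $AuditEvent.InitiatedBy.App.DisplayName }
        # No HomeTenantId, or one equal to ours, means an internal actor; any other value is external
        $external      = [bool]($actor.HomeTenantId -and ($actor.HomeTenantId -ne $TenantId))
        $target        = $AuditEvent.TargetResources[0].UserPrincipalName
        $targetIsAdmin = $AdminUpns -contains $target    # -contains is case-insensitive
        $severity = if ($external -and $targetIsAdmin) { 'Critical' }
                    elseif ($external)                 { 'High' }
                    elseif ($targetIsAdmin)            { 'Medium' }
                    else                               { 'Info' }
        [PSCustomObject]@{
            Time          = $AuditEvent.ActivityDateTime
            Severity      = $severity
            Actor         = $actorUpn
            ActorTenantId = $actor.HomeTenantId
            Target        = $target
            ExternalActor = $external
            TargetIsAdmin = $targetIsAdmin
        }
    }
}

# Constructed sample events mirroring the directoryAudit shape used by the query above.
$sampleEvents = @(
    [PSCustomObject]@{   # partner technician resets a Global Administrator at 02:14 UTC
        ActivityDisplayName = 'Reset password'
        ActivityDateTime    = [datetime]'2024-01-15T02:14:00Z'
        InitiatedBy         = [PSCustomObject]@{
            User = [PSCustomObject]@{ UserPrincipalName = 'tech@partner.example'; HomeTenantId = '22222222-2222-2222-2222-222222222222' }
            App  = $null
        }
        TargetResources     = @([PSCustomObject]@{ UserPrincipalName = 'globaladmin@contoso.com' })
    },
    [PSCustomObject]@{   # internal helpdesk resets an ordinary user
        ActivityDisplayName = 'Reset password'
        ActivityDateTime    = [datetime]'2024-01-15T09:30:00Z'
        InitiatedBy         = [PSCustomObject]@{
            User = [PSCustomObject]@{ UserPrincipalName = 'helpdesk@contoso.com'; HomeTenantId = $ownTenantId }
            App  = $null
        }
        TargetResources     = @([PSCustomObject]@{ UserPrincipalName = 'alice@contoso.com' })
    },
    [PSCustomObject]@{   # unrelated activity, filtered out
        ActivityDisplayName = 'Update user'
        ActivityDateTime    = [datetime]'2024-01-15T10:00:00Z'
        InitiatedBy         = [PSCustomObject]@{ User = [PSCustomObject]@{ UserPrincipalName = 'helpdesk@contoso.com'; HomeTenantId = $ownTenantId }; App = $null }
        TargetResources     = @([PSCustomObject]@{ UserPrincipalName = 'bob@contoso.com' })
    }
)

$sampleEvents | Get-PartnerResetAlert -TenantId $ownTenantId -AdminUpns $adminUpns | Format-Table -AutoSize

# Live use (PowerShell 7+, scope AuditLog.Read.All):
# Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Reset password'" -All |
#     Get-PartnerResetAlert -TenantId (Get-MgContext).TenantId -AdminUpns $adminUpns
```

With the constructed input, the partner reset of `globaladmin@contoso.com` is reported as `Critical` and the internal helpdesk reset as `Info`; the `Update user` event is dropped. Adding the `Time` field to an off-hours check covers the last alert criterion listed below.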

### Azure GUI

* Go to **Microsoft Entra ID** -> **Audit logs**
* Filter by:
  * **Initiated by (actor)**: Look for external partner principals
  * **Activity**: Reset password, Update user, Add member to role

### Alert Criteria

* Password resets by Partner Tier2 Support accounts
* Password resets targeting administrator accounts
* User modifications by external principals
* New partner role assignments
* Cross-tenant sign-ins during unusual hours

## References

* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference>
* <https://learn.microsoft.com/en-us/partner-center/gdap-introduction>
* <https://learn.microsoft.com/en-us/microsoft-365/commerce/manage-partners>
* <https://www.microsoft.com/en-us/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/>


