PARENT_TENANT

Summary

FSProtect ACL Alias

PARENT_TENANT

Affected Object Types

All Objects

Exploitation Certainty

Unlikely

Description

PARENT_TENANT represents that an object (user, group, application, service principal, device, etc.) belongs to a specific Microsoft Entra ID tenant. The edge runs from Object X to Tenant Y and reads as: Object X belongs to Tenant Y.

The tenant is the organizational boundary that contains all identity objects. Every user, group, application, and service principal object exists in exactly one tenant. Identities that span tenants are still represented this way: a B2B guest is a separate user object in the resource tenant (userType Guest) linked to its home account, and a multi-tenant application has one application object in its home tenant plus a service principal object in each tenant that has consented to it.

The PARENT_TENANT relationship itself is not an exploitable permission. It records which tenant an object belongs to, and that is what scopes directory roles and administrative control: a role assigned in Tenant Y only reaches objects whose parent tenant is Y, so the edge is mainly useful for reading the scope of other edges in the graph.

Identification

You can identify objects and their parent tenant with these scripts:

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications   # also provides Get-MgServicePrincipal

# Application.Read.All covers both application and service principal objects
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Application.Read.All"

# Tenant ID of the session you authenticated to. Graph only returns objects that live in
# that tenant, so every object listed below has this value as its parent tenant.
$tenantId = (Get-MgContext).TenantId

# Get all users and their parent tenant
Get-MgUser -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all groups and their parent tenant
Get-MgGroup -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all applications and their parent tenant
Get-MgApplication -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all service principals and their parent tenant
Get-MgServicePrincipal -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize
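The script above tags every object with the same tenant ID, which is correct but hides the one distinction that matters when reading scope: objects whose parent tenant is this tenant but whose identity or application owner is anchored in another one. The following PowerShell is an added example, not part of the original page, that lists those objects: B2B guests (invited user objects) and service principals whose application object is owned by a different tenant. It assumes an existing Connect-MgGraph session with the User.Read.All and Application.Read.All scopes from the script above; the property names used (UserType, CreationType, ExternalUserState, AppOwnerOrganizationId, ServicePrincipalType) are Microsoft Graph properties.

```powershell
# Added example: objects whose PARENT_TENANT is this tenant but whose authority sits elsewhere.
# Assumes Connect-MgGraph has already been run with User.Read.All and Application.Read.All.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications

$tenantId = (Get-MgContext).TenantId

# B2B guests: the user object lives in this tenant, but authentication is performed by the
# guest's home tenant or external identity provider. CreationType is "Invitation" for
# invited guests; ExternalUserState shows whether the invitation was redeemed.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, UserPrincipalName, UserType, CreationType, ExternalUserState

$guests |
    Select-Object DisplayName, UserPrincipalName, CreationType, ExternalUserState,
        @{N='ParentTenantId';E={$tenantId}} |
    Format-Table -AutoSize

# Service principals backed by an application object owned by another tenant.
# AppOwnerOrganizationId is the tenant that owns the application registration; when it differs
# from this tenant, consent granted here can be exercised by code the other tenant controls.
Get-MgServicePrincipal -All -Property Id, DisplayName, AppId, AppOwnerOrganizationId, ServicePrincipalType |
    Where-Object { $_.AppOwnerOrganizationId -and $_.AppOwnerOrganizationId -ne $tenantId } |
    Select-Object DisplayName, AppId, ServicePrincipalType,
        @{N='ParentTenantId';E={$tenantId}},
        @{N='AppOwnerTenantId';E={$_.AppOwnerOrganizationId}} |
    Format-Table -AutoSize
```

Microsoft's own first-party applications will appear in the second list with Microsoft's tenant as AppOwnerTenantId, which is expected; the entries worth reviewing are third-party and partner applications, since their PARENT_TENANT edge says nothing about who controls the credentials behind them.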

Exploitation

There is no practical exploit path for this edge. It indicates which tenant an object belongs to but does not allow creation, modification, or deletion of any objects.

Mitigation

No specific mitigation is required, as this edge does not represent a vulnerability.

Detection

This edge represents a static relationship (object membership in a tenant). An object's tenant is fixed when the object is created and objects cannot be moved between tenants, so there is nothing about this edge itself to alert on. Monitoring for new objects appearing in the tenant (guest invitations, application and service principal creation) belongs with the edges that grant those creation rights, not with PARENT_TENANT.
