PARENT_TENANT

Summary

FSProtect ACL Alias

PARENT_TENANT

Affected Object Types

All Objects

Exploitation Certainty

Unlikely

Description

PARENT_TENANT records that an object (user, group, application, service principal, device, etc.) belongs to a specific Microsoft Entra ID tenant. The edge runs from Object X to Tenant Y and means that X exists in, and is administered from, Y.

The tenant is the organizational boundary that contains all identity objects. Every user, group, application, and service principal is a directory object in exactly one tenant. The same identity can still be represented in several tenants by separate objects: a B2B guest is a distinct user object in the inviting tenant while being homed in another, and a multi-tenant application registered in one tenant gets its own service principal in every tenant that consents to it. Each of those objects carries its own PARENT_TENANT edge.

PARENT_TENANT itself is not an exploitable permission. It states which tenant an object belongs to, which fixes the scope within which that object's role assignments and administrative control apply.

Identification

Use the following PowerShell commands (Az.Accounts and Az.Resources modules) to list objects together with their parent tenant. The tenant ID is taken from the signed-in Az context; every directory object these cmdlets return lives in that tenant:

identify-parent-tenant.ps1
Connect-AzAccount

$tenantId = (Get-AzContext).Tenant.Id

# Get all users and their parent tenant
Get-AzADUser | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all groups and their parent tenant
Get-AzADGroup | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all applications and their parent tenant
Get-AzADApplication | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all service principals and their parent tenant
Get-AzADServicePrincipal | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize
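The script above only echoes the context tenant next to each object, which is correct but tells you nothing about trust scope. The following added example (not part of the original page or of FSProtect) goes one step further and flags the objects whose effective home is a different tenant even though their PARENT_TENANT is this one: guest users, multi-tenant app registrations, and service principals backed by an application registered elsewhere. It assumes an existing Connect-AzAccount session and the Microsoft Graph-backed Az.Resources cmdlets; the property names used (UserType, UserPrincipalName, SignInAudience, AppOwnerOrganizationId) are the Graph object properties as surfaced by those cmdlets and are an assumption about the installed module version.

```powershell
# Added example, not the original page's script. Assumes Az.Accounts and a
# Graph-backed Az.Resources (5.x or later) with an active Connect-AzAccount session.
$tenantId = (Get-AzContext).Tenant.Id

# Users: a B2B guest is its own object in this tenant but is homed elsewhere.
# UserType and the '#EXT#' marker in the UPN both identify it.
$users = Get-AzADUser | ForEach-Object {
    [pscustomobject]@{
        ObjectType     = 'User'
        DisplayName    = $_.DisplayName
        Id             = $_.Id
        ParentTenantId = $tenantId
        HomedElsewhere = ($_.UserType -eq 'Guest') -or ($_.UserPrincipalName -like '*#EXT#*')
        Note           = $_.UserPrincipalName
    }
}

# Groups are always homed in the tenant that contains them.
$groups = Get-AzADGroup | ForEach-Object {
    [pscustomobject]@{
        ObjectType     = 'Group'
        DisplayName    = $_.DisplayName
        Id             = $_.Id
        ParentTenantId = $tenantId
        HomedElsewhere = $false
        Note           = "SecurityEnabled=$($_.SecurityEnabled)"
    }
}

# Applications: the registration is homed here, but a multi-tenant sign-in
# audience means other tenants will create their own service principal for it,
# so its reach is not bounded by this PARENT_TENANT edge.
$apps = Get-AzADApplication | ForEach-Object {
    [pscustomobject]@{
        ObjectType     = 'Application'
        DisplayName    = $_.DisplayName
        Id             = $_.Id
        ParentTenantId = $tenantId
        HomedElsewhere = $false
        Note           = "SignInAudience=$($_.SignInAudience)"
    }
}

# Service principals: the SP lives here, but the application it instantiates may
# be registered in another tenant. AppOwnerOrganizationId names that tenant
# (Microsoft's tenant for first-party apps, the vendor's for SaaS apps).
$sps = Get-AzADServicePrincipal | ForEach-Object {
    $owner = $_.AppOwnerOrganizationId
    [pscustomobject]@{
        ObjectType     = 'ServicePrincipal'
        DisplayName    = $_.DisplayName
        Id             = $_.Id
        ParentTenantId = $tenantId
        HomedElsewhere = [bool]$owner -and ($owner -ne $tenantId)
        Note           = "AppOwnerOrganizationId=$owner"
    }
}

$all = @($users) + @($groups) + @($apps) + @($sps)

# Full inventory with the parent tenant next to each object.
$all | Format-Table ObjectType, DisplayName, ParentTenantId, HomedElsewhere, Note -AutoSize

# Objects whose trust boundary is not this tenant, even though PARENT_TENANT says it is.
$all | Where-Object HomedElsewhere | Format-Table ObjectType, DisplayName, Note -AutoSize
```

The second table is the one worth reading during an assessment: a guest user's credentials and MFA posture are controlled by the home tenant, and a service principal whose AppOwnerOrganizationId differs from the context tenant is controlled by whoever owns that registration, regardless of which tenant the PARENT_TENANT edge points to.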

Exploitation


There is no practical exploit path for this edge. It indicates which tenant an object belongs to but does not allow creation, modification, or deletion of any objects.

Mitigation

No mitigation applies. The edge carries no permission, so there is nothing to remove or restrict; the tenant boundary it describes is enforced by Entra ID itself.

Detection


This edge is a static relationship: an object is created in a tenant and stays there, because directory objects cannot be moved between tenants. The edge therefore only appears or disappears when the object itself is created or deleted, and those events are already recorded in the directory audit log for the object type. No PARENT_TENANT-specific detection is needed.
