# PARENT\_TENANT

## Summary

|                            |                |
| -------------------------- | -------------- |
| **FSProtect ACL Alias**    | PARENT\_TENANT |
| **Affected Object Types**  | All Objects    |
| **Exploitation Certainty** | Unlikely       |

## Description

`PARENT_TENANT` represents the relationship in which an object (user, group, application, service principal, device, etc.) belongs to a specific Microsoft Entra ID tenant. The edge reads as **Object X belongs to Tenant Y**.

The tenant serves as the organizational boundary containing all identity objects. Every user, group, application, and service principal exists within exactly one tenant.

The `PARENT_TENANT` relationship itself does not represent a directly exploitable permission. It records which tenant an object belongs to, which is what you need in order to understand the scope of the object's permissions and of the administrative control over it.

## Identification

You can identify objects and their parent tenant with this script (the tenant ID is taken from the connected Microsoft Graph session, so every object returned belongs to that tenant):

```powershell
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Application.Read.All"

$tenantId = (Get-MgContext).TenantId

# Get all users and their parent tenant
Get-MgUser -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all groups and their parent tenant
Get-MgGroup -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all applications and their parent tenant
Get-MgApplication -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize

# Get all service principals and their parent tenant
Get-MgServicePrincipal -All | Select-Object DisplayName, Id, @{N='ParentTenantId';E={$tenantId}} | Format-Table -AutoSize
```
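As an added example (not code from the FSProtect documentation), the following script goes one step further than the enumeration above: it first checks, via `Get-MgOrganization`, that the Graph session is bound to the tenant you intended to enumerate, then builds one `PARENT_TENANT` edge record per object for users, groups, applications, service principals and devices (the page's "All Objects") and exports them as a single table. `$expectedTenantId` is a placeholder you replace with your own tenant ID; the scope list assumes a read-only directory account.

```powershell
# Added example, not part of the FSProtect documentation or its scripts.
# Assumptions: Microsoft Graph PowerShell SDK installed, a read-only directory
# account, and $expectedTenantId replaced with the tenant you intend to enumerate.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications

$expectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID

# Bind the session to the intended tenant explicitly; an account that is a guest
# in several tenants would otherwise land wherever Connect-MgGraph defaults.
Connect-MgGraph -TenantId $expectedTenantId `
    -Scopes "Organization.Read.All", "User.Read.All", "Group.Read.All", "Application.Read.All", "Device.Read.All"

# The organization object is the tenant node itself; every PARENT_TENANT edge
# built below points at its Id. Abort if the session is not in the expected tenant.
$org = Get-MgOrganization | Select-Object -First 1
if ($org.Id -ne $expectedTenantId) {
    throw "Connected to tenant $($org.Id), expected $expectedTenantId. Aborting enumeration."
}
$defaultDomain = ($org.VerifiedDomains | Where-Object { $_.IsDefault }).Name

# Build one edge record: source object -> target tenant.
function New-ParentTenantEdge {
    param(
        [Parameter(Mandatory)] $Object,
        [Parameter(Mandatory)] [string] $ObjectType
    )
    [pscustomobject]@{
        SourceType     = $ObjectType
        SourceId       = $Object.Id
        SourceName     = $Object.DisplayName
        EdgeType       = 'PARENT_TENANT'
        TargetTenantId = $org.Id
        TargetTenant   = $defaultDomain
    }
}

# Collect the edge for every object type the page lists as affected.
$edges = [System.Collections.Generic.List[object]]::new()
Get-MgUser -All -Property Id,DisplayName             | ForEach-Object { $edges.Add((New-ParentTenantEdge $_ 'User')) }
Get-MgGroup -All -Property Id,DisplayName            | ForEach-Object { $edges.Add((New-ParentTenantEdge $_ 'Group')) }
Get-MgApplication -All -Property Id,DisplayName      | ForEach-Object { $edges.Add((New-ParentTenantEdge $_ 'Application')) }
Get-MgServicePrincipal -All -Property Id,DisplayName | ForEach-Object { $edges.Add((New-ParentTenantEdge $_ 'ServicePrincipal')) }
Get-MgDevice -All -Property Id,DisplayName           | ForEach-Object { $edges.Add((New-ParentTenantEdge $_ 'Device')) }

# Summary per object type, then the full edge table for ingestion elsewhere.
$edges | Group-Object SourceType | Select-Object Name, Count | Format-Table -AutoSize
$edges | Export-Csv -Path .\parent_tenant_edges.csv -NoTypeInformation
```

Running it writes `parent_tenant_edges.csv` with one row per object, and every row carries the same `TargetTenantId`. That is the property the Description section states: each object exists in exactly one tenant, and for an enumeration like this one it is always the tenant of the Graph session, which is why verifying that session up front matters more than anything in the rows themselves.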

## Exploitation

There is no practical exploit path for this edge. It indicates which tenant an object belongs to but does not allow creation, modification, or deletion of any objects.

## Mitigation

No specific mitigation is required, as this edge does not represent a vulnerability.

## Detection

This edge represents a static relationship (object membership in a tenant). Objects cannot be moved between tenants, so there are no specific detection requirements.

## References

* <https://learn.microsoft.com/en-us/powershell/module/az.accounts/get-aztenant>
* <https://learn.microsoft.com/en-us/entra/fundamentals/whatis>
