Management groups are tenant-scope governance containers above subscriptions that organize the subscription hierarchy and provide the scopes through which Azure Policy and RBAC role assignments are inherited.
The management-group hierarchy defines tenant-wide governance structure; control over it has org-wide blast radius.
Microsoft.Management/managementGroups/delete
Deleting a management group destroys a tenant-wide governance container and removes the RBAC role assignments, policies, and locks scoped to it. This disrupts governance (a DoS-like effect) and denies authorized operational access that depended on that scope.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security