
Management groups are tenant-scope governance containers above subscriptions that organize the subscription hierarchy and provide the scopes through which Azure Policy and RBAC role assignments are inherited.

The management-group hierarchy defines tenant-wide governance structure; control over it has org-wide blast radius.

Microsoft.Management/managementGroups/delete

Deleting a management group destroys a tenant-wide governance container and removes the RBAC role assignments, policies, and locks scoped to it. This both disrupts governance (a denial-of-service-style impact, since inherited policy and role assignments stop applying to the subscriptions beneath it) and denies authorized operational access that depended on role assignments at that scope.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Management
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog