services / Azure / Management groups
Management groups are tenant-scope governance containers above subscriptions that organize the subscription hierarchy and provide the scopes through which Azure Policy and RBAC role assignments are inherited.
The management-group hierarchy defines tenant-wide governance structure; control over it has org-wide blast radius.
Microsoft.Management/managementGroups/write
Creating or updating a management group can re-parent subscriptions and child groups, restructuring the hierarchy. Because RBAC role assignments and Azure Policy assignments are inherited down that hierarchy, a move changes which assignments a subscription effectively receives: a subscription moved under a group where the caller already holds a privileged role inherits that role (privilege escalation), and a subscription moved out from under a group carrying restrictive policy stops inheriting it (weakening of inherited controls). Either way the holder manipulates org-wide governance. Moving a subscription into a group also requires Microsoft.Management/managementGroups/subscriptions/write on the target group, so this permission is most dangerous when held together with that one, or via a role such as Management Group Contributor that grants both.
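To make the inheritance effect concrete, the following added example (not code from this page, P0 Security or Microsoft) models a small tenant hierarchy and diffs what a subscription effectively inherits before and after it is re-parented. The tenant layout, principals (alice, bob, mallory), roles and policy names are constructed sample data; only the inheritance rule, that a scope receives every assignment made at each ancestor up to the tenant root group, is taken from Azure's model.

```python
"""Model how Azure management-group re-parenting changes inherited RBAC and Policy.

Added example, not code from the P0 Security page or from Microsoft. The
hierarchy, principals, roles and policy names below are constructed sample
data; only the inheritance rule (a scope inherits everything assigned at each
of its ancestors up to the tenant root group) is taken from Azure's model.
"""
from dataclasses import dataclass, field


@dataclass
class Hierarchy:
    # scope -> parent scope; the tenant root management group has parent None
    parent: dict
    # scope -> {(principal, role)} assigned directly at that scope
    roles: dict = field(default_factory=dict)
    # scope -> {policy assignment name} assigned directly at that scope
    policies: dict = field(default_factory=dict)

    def ancestry(self, scope):
        """Return scope followed by its ancestors, ending at the root."""
        chain = []
        while scope is not None:
            if scope in chain:
                raise ValueError(f"cycle in hierarchy at {scope}")
            chain.append(scope)
            scope = self.parent[scope]
        return chain

    def effective(self, scope):
        """Effective (direct + inherited) role and policy assignments at scope."""
        roles, policies = set(), set()
        for s in self.ancestry(scope):
            roles |= self.roles.get(s, set())
            policies |= self.policies.get(s, set())
        return roles, policies

    def reparent(self, child, new_parent):
        """Move a subscription or management group under a different parent.

        This is the restructuring that managementGroups/write enables (moving a
        subscription additionally needs managementGroups/subscriptions/write).
        """
        if new_parent not in self.parent:
            raise KeyError(f"unknown scope {new_parent}")
        if child in self.ancestry(new_parent):
            raise ValueError("move would create a cycle or move the root group")
        self.parent[child] = new_parent


def simulate_reparent(h, child, new_parent):
    """Diff of what `child` effectively inherits before and after the move."""
    before_roles, before_pol = h.effective(child)
    h.reparent(child, new_parent)
    after_roles, after_pol = h.effective(child)
    return {
        "roles_gained": after_roles - before_roles,
        "roles_lost": before_roles - after_roles,
        "policies_gained": after_pol - before_pol,
        "policies_lost": before_pol - after_pol,
    }


def build_sample():
    """Constructed tenant: root -> {mg-platform -> sub-prod, mg-sandbox}."""
    return Hierarchy(
        parent={"root": None, "mg-platform": "root",
                "mg-sandbox": "root", "sub-prod": "mg-platform"},
        roles={"root": {("alice", "Owner")},
               "mg-platform": {("bob", "Contributor")},
               "mg-sandbox": {("mallory", "Owner")}},
        policies={"root": {"allowed-locations"},
                  "mg-platform": {"deny-public-ip"}},
    )


if __name__ == "__main__":
    h = build_sample()
    # mallory holds managementGroups/write and moves the production
    # subscription under the management group where she is already Owner
    delta = simulate_reparent(h, "sub-prod", "mg-sandbox")
    for key, value in delta.items():
        print(f"{key}: {sorted(value)}")
```

Running it shows the two effects the description names in one move: mallory gains Owner on sub-prod without any role assignment being written on the subscription itself, and the deny-public-ip policy inherited from mg-platform no longer applies. The same diff logic, fed with a real hierarchy exported from the tenant, is a reasonable way to review a proposed or observed management-group move before trusting it.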
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security