u/rohgin

Restricted Management AUs in Entra ID: two undocumented paths that actually work
▲ 7 r/entra


RMAU scenarios that shouldn't be possible: I've written a very detailed article on LinkedIn with different scenarios that shouldn't be possible when looking at Microsoft's documentation.

TL;DR

  • Restricted Management Administrative Units (isMemberManagementRestricted: true) block any principal without an AU-scoped role from mutating their members. That includes a service principal holding Application.ReadWrite.All.
  • Two configurations the design relies on aren't on Microsoft's supported list: applications and their service principals as RMAU members, and Application Administrator scoped to an AU. Microsoft Graph accepts both.
  • A third unsupported configuration lets Entitlement Management write to groups inside an RMAU, via a one-action custom role granted at the RMAU scope to the right governance SPs. This is what makes the standard access-package delivery flow work into protected groups.

Any service principal holding Application.ReadWrite.All can mutate every app registration and service principal in your tenant. RMAUs contain that, even when the design relies on two configurations Microsoft's docs don't acknowledge.

If your tenant has identities that can't be tampered with (pipeline service principals, customer-facing OAuth apps, identity-bridge SPs), the rest of this article will be relevant. Everything below is reproducible against your own tenant with az rest.

https://www.linkedin.com/pulse/restricted-management-aus-entra-id-two-undocumented-paths-janssens-2sfle

u/rohgin — 4 days ago
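The TL;DR above describes what an RMAU (`isMemberManagementRestricted: true`) shields: only members of the restricted AU are protected from a principal without an AU-scoped role. A defender auditing a tenant wants to know which of their high-value app registrations and service principals actually sit inside such an AU. The script below is an added example, not code from the post or the linked article. It assumes the Microsoft Graph v1.0 response shapes for `/directory/administrativeUnits` and `/directory/administrativeUnits/{id}/members`; the JSON embedded here is constructed sample data standing in for the output of the `az rest` calls the post mentions.

```python
"""Audit which application / service-principal objects are members of an RMAU.

Added example (not from the original post). Graph response shapes are assumed
from the v1.0 API; all identifiers below are constructed sample values.
"""
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def az_rest_commands(au_ids):
    """Return the `az rest` commands that would fetch the same data live.

    Assumed endpoints: the AU list, then the members of each AU id given.
    """
    cmds = [f"az rest --method GET --url {GRAPH}/directory/administrativeUnits"]
    for au_id in au_ids:
        cmds.append(
            f"az rest --method GET --url {GRAPH}/directory/administrativeUnits/{au_id}/members"
        )
    return cmds


# Constructed sample: response of GET /directory/administrativeUnits.
AU_LIST = json.loads("""
{"value": [
  {"id": "au-0001", "displayName": "Protected identities",
   "isMemberManagementRestricted": true},
  {"id": "au-0002", "displayName": "Sales",
   "isMemberManagementRestricted": false}
]}
""")

# Constructed sample: response of GET /directory/administrativeUnits/{id}/members,
# keyed by AU id. The @odata.type tells us which object kind each member is.
AU_MEMBERS = {
    "au-0001": json.loads("""
    {"value": [
      {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-pipeline",
       "displayName": "ci-pipeline"},
      {"@odata.type": "#microsoft.graph.application", "id": "app-customer",
       "displayName": "customer-oauth-app"},
      {"@odata.type": "#microsoft.graph.user", "id": "user-0001",
       "displayName": "break-glass"}
    ]}
    """),
    "au-0002": json.loads("""
    {"value": [
      {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-bridge",
       "displayName": "identity-bridge"}
    ]}
    """),
}

# Constructed: the identities this tenant considers must-not-be-tampered-with.
HIGH_VALUE = ["sp-pipeline", "app-customer", "sp-bridge", "sp-orphan"]

APP_TYPES = {"#microsoft.graph.application", "#microsoft.graph.servicePrincipal"}


def restricted_aus(au_list):
    """AUs whose member management is restricted (the RMAUs)."""
    return [au for au in au_list["value"] if au.get("isMemberManagementRestricted") is True]


def protected_object_ids(au_list, au_members):
    """Ids of application/service-principal objects that are members of some RMAU.

    Members of a non-restricted AU do not count: only RMAU membership blocks a
    tenant-wide Application.ReadWrite.All principal from mutating the object.
    """
    ids = set()
    for au in restricted_aus(au_list):
        for member in au_members.get(au["id"], {}).get("value", []):
            if member.get("@odata.type") in APP_TYPES:
                ids.add(member["id"])
    return ids


def audit(high_value, au_list, au_members):
    """Split the high-value list into RMAU-protected and unprotected ids."""
    protected = protected_object_ids(au_list, au_members)
    return {
        "protected": sorted(i for i in high_value if i in protected),
        "unprotected": sorted(i for i in high_value if i not in protected),
    }


if __name__ == "__main__":
    for cmd in az_rest_commands([au["id"] for au in AU_LIST["value"]]):
        print(cmd)
    print(json.dumps(audit(HIGH_VALUE, AU_LIST, AU_MEMBERS), indent=2))
```

Run it as-is against the constructed data, or replace `AU_LIST` and `AU_MEMBERS` with the parsed output of the printed `az rest` commands. Anything in the `unprotected` list is reachable by every service principal holding Application.ReadWrite.All; in the sample, `sp-bridge` is unprotected despite being in an AU, because that AU is not restricted.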