Azure AD Global Administrator Role Assigned
In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/01/06"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
11is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
12identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
13Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
14subscriptions and their settings and resources.
15"""
16from = "now-25m"
17index = ["filebeat-*", "logs-azure*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Azure AD Global Administrator Role Assigned"
21note = """## Triage and analysis
22
23> **Disclaimer**:
24> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
25
26### Investigating Azure AD Global Administrator Role Assigned
27
28Azure AD's Global Administrator role grants comprehensive access to manage Azure AD and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches.
29
30### Possible investigation steps
31
32- Review the Azure audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name.
33- Verify the identity of the user added to the Global Administrator role by examining the modified properties in the audit logs, specifically the new_value field indicating "Global Administrator".
34- Check the history of role assignments for the identified user to determine if this is a recurring pattern or a one-time event.
35- Investigate the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access.
36- Review any recent changes or activities performed by the newly assigned Global Administrator to identify any suspicious actions or configurations that may have been altered.
37- Consult with the organization's IT or security team to confirm if the role assignment was authorized and aligns with current administrative needs or projects.
38
39### False positive analysis
40
41- Routine administrative tasks may trigger alerts when legitimate IT staff are assigned the Global Administrator role temporarily for maintenance or configuration purposes. To manage this, create exceptions for known IT personnel or scheduled maintenance windows.
42- Automated scripts or third-party applications that require elevated permissions might be flagged if they are configured to add users to the Global Administrator role. Review and whitelist these scripts or applications if they are verified as safe and necessary for operations.
43- Organizational changes, such as mergers or restructuring, can lead to legitimate role assignments that appear suspicious. Implement a review process to verify these changes and exclude them from triggering alerts if they align with documented organizational changes.
44- Training or onboarding sessions for new IT staff might involve temporary assignment to the Global Administrator role. Establish a protocol to document and exclude these training-related assignments from detection alerts.
45
46### Response and remediation
47
48- Immediately remove any unauthorized users from the Global Administrator role to prevent further unauthorized access and control over Azure AD resources.
49- Conduct a thorough review of recent audit logs to identify any additional unauthorized changes or suspicious activities associated with the compromised account or role assignments.
50- Reset the credentials of the affected accounts and enforce multi-factor authentication (MFA) to enhance security and prevent further unauthorized access.
51- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
52- Implement conditional access policies to restrict Global Administrator role assignments to specific, trusted locations or devices.
53- Review and update role assignment policies to ensure that only a limited number of trusted personnel have the ability to assign Global Administrator roles.
54- Enhance monitoring and alerting mechanisms to detect similar unauthorized role assignments in the future, ensuring timely response to potential threats.
55
56## Setup
57
58The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
59references = [
60 "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
61]
62risk_score = 47
63rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
64severity = "medium"
65tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
66timestamp_override = "event.ingested"
67type = "query"
68
69query = '''
70event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
71azure.auditlogs.operation_name:"Add member to role" and
72azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""
73'''
74
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1098"
80name = "Account Manipulation"
81reference = "https://attack.mitre.org/techniques/T1098/"
82[[rule.threat.technique.subtechnique]]
83id = "T1098.003"
84name = "Additional Cloud Roles"
85reference = "https://attack.mitre.org/techniques/T1098/003/"
86
87
88
89[rule.threat.tactic]
90id = "TA0003"
91name = "Persistence"
92reference = "https://attack.mitre.org/tactics/TA0003/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Azure AD Global Administrator Role Assigned
Azure AD's Global Administrator role grants comprehensive access to manage Azure AD and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches.
Possible investigation steps
- Review the Azure audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name.
- Verify the identity of the user added to the Global Administrator role by examining the modified properties in the audit logs, specifically the new_value field indicating "Global Administrator".
- Check the history of role assignments for the identified user to determine if this is a recurring pattern or a one-time event.
- Investigate the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access.
- Review any recent changes or activities performed by the newly assigned Global Administrator to identify any suspicious actions or configurations that may have been altered.
- Consult with the organization's IT or security team to confirm if the role assignment was authorized and aligns with current administrative needs or projects.
False positive analysis
- Routine administrative tasks may trigger alerts when legitimate IT staff are assigned the Global Administrator role temporarily for maintenance or configuration purposes. To manage this, create exceptions for known IT personnel or scheduled maintenance windows.
- Automated scripts or third-party applications that require elevated permissions might be flagged if they are configured to add users to the Global Administrator role. Review and whitelist these scripts or applications if they are verified as safe and necessary for operations.
- Organizational changes, such as mergers or restructuring, can lead to legitimate role assignments that appear suspicious. Implement a review process to verify these changes and exclude them from triggering alerts if they align with documented organizational changes.
- Training or onboarding sessions for new IT staff might involve temporary assignment to the Global Administrator role. Establish a protocol to document and exclude these training-related assignments from detection alerts.
Response and remediation
- Immediately remove any unauthorized users from the Global Administrator role to prevent further unauthorized access and control over Azure AD resources.
- Conduct a thorough review of recent audit logs to identify any additional unauthorized changes or suspicious activities associated with the compromised account or role assignments.
- Reset the credentials of the affected accounts and enforce multi-factor authentication (MFA) to enhance security and prevent further unauthorized access.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement conditional access policies to restrict Global Administrator role assignments to specific, trusted locations or devices.
- Review and update role assignment policies to ensure that only a limited number of trusted personnel have the ability to assign Global Administrator roles.
- Enhance monitoring and alerting mechanisms to detect similar unauthorized role assignments in the future, ensuring timely response to potential threats.
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Automation Account Created
- Azure Global Administrator Role Addition to PIM User
- Azure Privilege Identity Management Role Modified
- Multi-Factor Authentication Disabled for an Azure User
- AWS IAM Create User via Assumed Role on EC2 Instance