Azure RBAC Built-In Administrator Roles Assigned
Identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator.
Elastic rule
[metadata]
creation_date = "2025/09/15"
integration = ["azure"]
maturity = "production"
updated_date = "2025/09/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure RBAC Built-In Administrator Roles Assigned"
note = """## Triage and Analysis

### Investigating Azure RBAC Built-In Administrator Roles Assigned

This rule identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator. Assignment can be done via the Azure portal, Azure CLI, PowerShell, or through API calls. Monitoring these assignments helps detect potential unauthorized privilege escalations.

#### Privileged Built-In Administrator Roles
- Contributor: b24988ac-6180-42a0-ab88-20f7382dd24c
- Owner: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
- Azure File Sync Administrator: 92b92042-07d9-4307-87f7-36a593fc5850
- Reservations Administrator: a8889054-8d42-49c9-bc1c-52486c10e7cd
- Role Based Access Control Administrator: f58310d9-a9f6-439a-9e8d-f62e7b41a168
- User Access Administrator: 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9

### Possible investigation steps

- Identify the user who assigned the role and examine their recent activity for any suspicious actions.
- Review the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access.
- Check the history of role assignments for the user who was assigned the role to determine if this is a recurring pattern or a one-time event.
  - Additionally, identify the lifetime of the targeted user account to determine if it is a newly created account or an existing one.
- Determine if the user assigning the role historically has the necessary permissions to assign such roles and has done so in the past.
- Investigate any recent changes or activities performed by the newly assigned administrator to identify any suspicious actions or configurations that may have been altered.
- Correlate with other logs, such as Microsoft Entra ID sign-in logs, to identify any unusual access patterns or behaviors for the user.

### False positive analysis

- Legitimate administrators may assign built-in administrator roles during routine operations, maintenance, or as required for onboarding new staff.
- Review internal tickets, change logs, or admin activity dashboards for approved operations.

### Response and remediation

- If administrative assignment was not authorized:
  - Immediately remove the built-in administrator role from the account.
  - Disable or lock the account and begin credential rotation.
  - Audit activity performed by the account after elevation, especially changes to role assignments and resource access.
- If suspicious:
  - Notify the user and confirm whether they performed the action.
  - Check for any automation or scripts that could be exploiting unused elevated access paths.
  - Review conditional access and PIM (Privileged Identity Management) configurations to limit elevation without approval.
- Strengthen posture:
  - Require MFA and approval for all privilege escalation actions.
  - Consider enabling JIT (Just-in-Time) access with expiration.
"""
references = [
    "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
    "https://orca.security/resources/research-pod/azure-identity-access-management-iam-active-directory-ad/",
    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
]
risk_score = 73
rule_id = "1a1046f4-9257-11f0-9a42-f661ea17fbce"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: azure.activitylogs and
    event.action: "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" and
    azure.activitylogs.properties.requestbody.properties.roleDefinitionId:
    (
        *18d7d88d-d35e-4fb5-a5c3-7773c20a72d9* or
        *f58310d9-a9f6-439a-9e8d-f62e7b41a168* or
        *b24988ac-6180-42a0-ab88-20f7382dd24c* or
        *8e3af657-a8ff-443c-a75c-2fe8c4bcb635* or
        *92b92042-07d9-4307-87f7-36a593fc5850* or
        *a8889054-8d42-49c9-bc1c-52486c10e7cd*
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
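The query above matches on the exact ROLEASSIGNMENTS/WRITE action and wildcard-matches the role definition GUID, because the Azure `roleDefinitionId` is a full ARM path ending in that GUID. The following added example (not part of the Elastic rule or its code) re-implements that logic in Python over constructed ECS-style activity-log documents, so the same six GUIDs can be tested offline and the alert can name which built-in role was granted; the `make_event` helper and its sample subscription id are assumptions for the test.

```python
import re

# Role definition GUIDs from the rule query, mapped to the names in the guide.
PRIVILEGED_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "92b92042-07d9-4307-87f7-36a593fc5850": "Azure File Sync Administrator",
    "a8889054-8d42-49c9-bc1c-52486c10e7cd": "Reservations Administrator",
    "f58310d9-a9f6-439a-9e8d-f62e7b41a168": "Role Based Access Control Administrator",
}
ROLE_WRITE_ACTION = "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
ROLE_DEF_FIELD = "azure.activitylogs.properties.requestbody.properties.roleDefinitionId"
# The GUID is the last path segment of an ARM roleDefinitionId; case varies by client.
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def get_field(doc, dotted):
    """Walk a nested ECS document by dotted path; None when any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def privileged_role_assigned(doc):
    """Return the matched role name, or None if the event would not fire the rule."""
    if get_field(doc, "event.dataset") != "azure.activitylogs":
        return None
    if get_field(doc, "event.action") != ROLE_WRITE_ACTION:  # exact keyword match
        return None
    role_def = get_field(doc, ROLE_DEF_FIELD)
    if not isinstance(role_def, str):
        return None
    m = GUID_RE.search(role_def)
    return PRIVILEGED_ROLES.get(m.group(0).lower()) if m else None


def make_event(action, role_guid):
    """Constructed activity-log document (assumption: minimal ECS shape, fake subscription)."""
    role_def = "/subscriptions/00000000-0000-0000-0000-000000000000" \
               "/providers/Microsoft.Authorization/roleDefinitions/" + role_guid
    return {
        "event": {"dataset": "azure.activitylogs", "action": action},
        "azure": {"activitylogs": {"properties": {"requestbody": {"properties": {
            "roleDefinitionId": role_def}}}}},
    }


def scan(events):
    """Yield (role name, document) for every event that would raise this alert."""
    return [(r, e) for e in events if (r := privileged_role_assigned(e))]
```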
Related rules
- Entra ID Actor Token User Impersonation Abuse
- Azure Kubernetes Rolebindings Created
- Microsoft Entra ID Elevated Access to User Access Administrator
- BloodHound Suite User-Agents Detected
- Azure Storage Account Blob Public Access Enabled