Microsoft 365 Global Administrator Role Assigned
In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.
Elastic rule

[metadata]
creation_date = "2022/01/06"
integration = ["o365"]
maturity = "production"
updated_date = "2025/05/21"

[rule]
author = ["Elastic"]
description = """
In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator
is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID
identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all
subscriptions and their settings and resources.
"""
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Global Administrator Role Assigned"
note = """## Triage and Analysis

### Investigating Microsoft 365 Global Administrator Role Assigned

The Microsoft 365 Global Administrator role grants comprehensive administrative access across Entra ID and services such as Microsoft 365 Defender, Exchange, SharePoint, and Skype for Business. Adversaries who compromise an account may assign this role to themselves or other users to ensure persistent and privileged access. This rule identifies successful assignments of this role by inspecting audit logs from Azure Active Directory (Entra ID) where the new role display name is "Global Administrator" or "Company Administrator".

### Possible investigation steps

- Review the `user.id` and `user.name` fields to determine who performed the role assignment. Assess whether this user normally has permissions to modify high-privilege roles.
- Confirm the `event.action` is `"Add member to role."` and that the `Role_DisplayName.NewValue` is `"Global Administrator"` or a similarly privileged role.
- Review the `user.target.id` and `user.target.name` fields to identify the user or service principal that received the role.
- Inspect `o365.audit.ExtendedProperties.additionalDetails` for context on how the action was performed (e.g., via Admin Portal, Graph API).
- Pivot to sign-in logs for the assigning account to check for recent anomalies such as logins from new geolocations, unrecognized devices, or suspicious IP ranges.
- Investigate whether the role assignment occurred outside of known change windows, during non-business hours, or by a user with no change history.
- Correlate with other role assignments or directory changes to check for broader role abuse or privilege escalation campaigns.

### False positive analysis

- Role assignments by IT administrators as part of routine maintenance or incident response may appear suspicious in environments without change tracking or ticket correlation.
- PIM (Privileged Identity Management) activations may temporarily elevate accounts to Global Administrator and then revoke the role afterward.
- Onboarding processes or internal audits may require temporary elevation to Global Administrator for legitimate users.
- Automation tools and scripts may trigger this alert if misconfigured to assign Global Administrator privileges during provisioning or sync jobs.

### Response and remediation

- If the assignment is unapproved or suspicious, immediately revoke the Global Administrator role from the assigned user or service principal.
- Reset credentials and initiate containment steps for the assigning account, especially if compromise is suspected.
- Enable or verify enforcement of MFA for both assigning and assigned accounts.
- Review Azure AD activity logs for additional signs of privilege misuse or suspicious directory changes.
- Notify the appropriate identity and security operations teams to investigate further and begin incident response procedures.
- Limit the number of Global Administrator accounts and enforce role-based access control (RBAC) using least privilege principles.
- Consider implementing conditional access policies to limit role assignment actions to specific networks, devices, or user groups.
"""

references = [
    "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
    "https://learn.microsoft.com/en-us/purview/audit-log-activities",
    "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231"
]
risk_score = 47
rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit
  and event.code:"AzureActiveDirectory"
  and event.action:"Add member to role."
  and event.outcome: "success"
  and o365.audit.ModifiedProperties.Role_DisplayName.NewValue: (
    "Global Administrator" or "Company Administrator"
  )
  and o365.audit.AzureActiveDirectoryEventType: 1
  and o365.audit.RecordType: 8
  and not o365.audit.Target.Type: (4 or 5 or 6)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
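As an added example (not Elastic's code or part of the rule itself), the KQL query above restated as a Python predicate and exercised on constructed o365.audit-style documents, so the effect of each clause, including the Company Administrator alias and the Target.Type exclusion, can be checked offline. The field paths are the ones the rule queries; every sample document is made up for the example.

```python
# Re-implementation of the rule's KQL predicate over dict-shaped documents.
# Sample documents built by make_event() are constructed, not real audit records.

PRIVILEGED_ROLES = {"Global Administrator", "Company Administrator"}
EXCLUDED_TARGET_TYPES = {4, 5, 6}  # "not o365.audit.Target.Type: (4 or 5 or 6)"

def get_path(doc, dotted):
    """Resolve a dotted field path against a nested dict; None if any part is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def as_list(value):
    """Audit fields may be scalar or array; normalise to a list for membership tests."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def matches_global_admin_rule(doc):
    """True when the document satisfies every clause of the rule's query."""
    exact = {
        "event.dataset": "o365.audit",
        "event.code": "AzureActiveDirectory",
        "event.action": "Add member to role.",
        "event.outcome": "success",
        "o365.audit.AzureActiveDirectoryEventType": 1,
        "o365.audit.RecordType": 8,
    }
    if any(get_path(doc, field) != value for field, value in exact.items()):
        return False
    new_roles = as_list(get_path(doc, "o365.audit.ModifiedProperties.Role_DisplayName.NewValue"))
    if not PRIVILEGED_ROLES.intersection(new_roles):
        return False
    # A document with no Target.Type cannot match the exclusion, so it is kept.
    return not EXCLUDED_TARGET_TYPES.intersection(as_list(get_path(doc, "o365.audit.Target.Type")))

def make_event(role, outcome="success", target_type=1):
    """Constructed o365.audit document for exercising the predicate (not real data)."""
    audit = {"ModifiedProperties": {"Role_DisplayName": {"NewValue": role}},
             "AzureActiveDirectoryEventType": 1, "RecordType": 8}
    if target_type is not None:
        audit["Target"] = {"Type": target_type}
    return {"event": {"dataset": "o365.audit", "code": "AzureActiveDirectory",
                      "action": "Add member to role.", "outcome": outcome},
            "o365": {"audit": audit}}
```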
Related rules
- Multiple Microsoft 365 User Account Lockouts in Short Time Window
- Microsoft Azure or Mail Sign-in from a Suspicious Source
- Suspicious Mailbox Permission Delegation in Exchange Online
- Microsoft 365 OAuth Redirect to Device Registration for User Principal
- Microsoft 365 OAuth Phishing via Visual Studio Code Client