User Added to an Administrator's Azure AD Role

 1title: User Added to an Administrator's Azure AD Role
 2id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
 3status: test
 4description: User Added to an Administrator's Azure AD Role
 5references:
 6    - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
 7author: Raphaël CALVET, @MetallicHack
 8date: 2021/10/04
 9modified: 2022/10/09
10tags:
11    - attack.persistence
12    - attack.privilege_escalation
13    - attack.t1098.003
14    - attack.t1078
15logsource:
16    product: azure
17    service: activitylogs
18detection:
19    selection:
20        Operation: 'Add member to role.'
21        Workload: 'AzureActiveDirectory'
22        ModifiedProperties{}.NewValue|endswith:
23            - 'Admins'
24            - 'Administrator'
25    condition: selection
26falsepositives:
27    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
28level: medium

References

• What I have learned from doing a year of Cloud Forensics in Azure AD

  

  Today I would like to share my experience with doing Cloud forensics in Azure AD. I’ve been working for over a year with Azure Active Directory, and have primary focused on the different secu…

  
  Read More

Related rules

• Invalid PIM License
• Roles Activated Too Frequently
• Roles Activation Doesn't Require MFA
• Roles Are Not Being Used
• Roles Assigned Outside PIM