User Added to an Administrator's Azure AD Role

User Added to an Administrator's Azure AD Role

Sigma rule (View on GitHub)

 1title: User Added to an Administrator's Azure AD Role
 2id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
 3status: test
 4description: User Added to an Administrator's Azure AD Role
 5references:
 6    - https://web.archive.org/web/20250904191633/https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
 7    - https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/
 8    - https://analyticsrules.exchange/analyticrules/2a09f8cb-deb7-4c40-b08b-9137667f1c0b/
 9    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
10author: Raphaël CALVET, @MetallicHack
11date: 2021-10-04
12modified: 2026-04-30
13tags:
14    - attack.initial-access
15    - attack.persistence
16    - attack.privilege-escalation
17    - attack.stealth
18    - attack.t1098.003
19    - attack.t1078
20logsource:
21    product: azure
22    service: auditlogs
23detection:
24    selection:
25        operationName: 'Add member to role'
26        properties.targetResources|contains:
27            - 'Admins'
28            - 'Administrator'
29    condition: selection
30falsepositives:
31    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
32level: medium

References

Related rules

to-top