User Added to an Administrator's Azure AD Role
User Added to an Administrator's Azure AD Role
Sigma rule (View on GitHub)
1title: User Added to an Administrator's Azure AD Role
2id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
3status: test
4description: User Added to an Administrator's Azure AD Role
5references:
6 - https://web.archive.org/web/20250904191633/https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
7 - https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/
8 - https://analyticsrules.exchange/analyticrules/2a09f8cb-deb7-4c40-b08b-9137667f1c0b/
9 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
10author: Raphaël CALVET, @MetallicHack
11date: 2021-10-04
12modified: 2026-04-30
13tags:
14 - attack.initial-access
15 - attack.persistence
16 - attack.privilege-escalation
17 - attack.stealth
18 - attack.t1098.003
19 - attack.t1078
20logsource:
21 product: azure
22 service: auditlogs
23detection:
24 selection:
25 operationName: 'Add member to role'
26 properties.targetResources|contains:
27 - 'Admins'
28 - 'Administrator'
29 condition: selection
30falsepositives:
31 - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
32level: medium
References
Related rules
- AWS Key Pair Import Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address