Users Added to Global or Device Admin Roles

Oct 23, 2025 · attack.persistence attack.initial-access attack.defense-evasion attack.privilege-escalation attack.t1078.004 ·

Share on:

Monitor and alert for users added to device admin roles.

Sigma rule (View on GitHub)

 1title: Users Added to Global or Device Admin Roles
 2id: 11c767ae-500b-423b-bae3-b234450736ed
 3status: test
 4description: Monitor and alert for users added to device admin roles.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
 7author: Michael Epping, '@mepples21'
 8date: 2022-06-28
 9tags:
10    - attack.persistence
11    - attack.initial-access
12    - attack.defense-evasion
13    - attack.privilege-escalation
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        Category: RoleManagement
21        OperationName|contains|all:
22            - 'Add'
23            - 'member to role'
24        TargetResources|contains:
25            - '7698a772-787b-4ac8-901f-60d6b08affd2'
26            - '62e90394-69f5-4237-9190-012177145e10'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Microsoft Entra security operations for devices - Microsoft Entra

Learn to establish baselines, and monitor and report on devices to identity potential security risks with devices.

Read More

Users Added to Global or Device Admin Roles

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for devices - Microsoft Entra

Related rules