User Removed From Group With CA Policy Modification Access

Oct 23, 2025 · attack.privilege-escalation attack.credential-access attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on group membership removal of groups that have CA policy modification access

Sigma rule (View on GitHub)

 1title: User Removed From Group With CA Policy Modification Access
 2id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c
 3status: test
 4description: Monitor and alert on group membership removal of groups that have CA policy modification access
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 7author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
 8date: 2022-08-04
 9tags:
10    - attack.privilege-escalation
11    - attack.credential-access
12    - attack.defense-evasion
13    - attack.persistence
14    - attack.t1548
15    - attack.t1556
16logsource:
17    product: azure
18    service: auditlogs
19detection:
20    selection:
21        properties.message: Remove member from group
22    condition: selection
23falsepositives:
24    - User removed from the group is approved
25level: medium

References

Microsoft Entra security operations for infrastructure - Microsoft Entra

Learn how to monitor and alert on infrastructure components to identify security threats.

Read More

User Removed From Group With CA Policy Modification Access

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for infrastructure - Microsoft Entra

Related rules