User Added To Privilege Role

Oct 23, 2025 · attack.persistence attack.initial-access attack.privilege-escalation attack.defense-evasion attack.t1078.004 ·

Share on:

Detects when a user is added to a privileged role.

Sigma rule (View on GitHub)

 1title: User Added To Privilege Role
 2id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
 3status: test
 4description: Detects when a user is added to a privileged role.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-06
 9tags:
10    - attack.persistence
11    - attack.initial-access
12    - attack.privilege-escalation
13    - attack.defense-evasion
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        properties.message:
21            - Add eligible member (permanent)
22            - Add eligible member (eligible)
23    condition: selection
24falsepositives:
25    - Legtimate administrator actions of adding members from a role
26level: high

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

Read More

User Added To Privilege Role

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Related rules