Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Sigma rule
```yaml
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Administrative'
        OperationName: 'Assigns the caller to user access admin'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high
```
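An added example, not code from the Sigma project or the rule's author, that applies this rule's `selection` to a few constructed audit records. The record layout follows Microsoft Sentinel's `AuditLogs` table (`Category`, `OperationName`, `Result`, `InitiatedBy`); the tenant, users and timestamps are assumptions, and the matcher follows Sigma's default case-insensitive string comparison.

```python
import json

# Selection block copied from the Sigma rule on this page; a Sigma map selection
# is an implicit AND over all of its field/value pairs.
SELECTION = {
    "Category": "Administrative",
    "OperationName": "Assigns the caller to user access admin",
}

# Constructed sample records shaped like Microsoft Sentinel's AuditLogs table
# (hypothetical tenant, users and timestamps, not real data).
SAMPLE_AUDITLOGS = [
    {"TimeGenerated": "2024-01-15T09:12:03Z", "Category": "Administrative",
     "OperationName": "Assigns the caller to user access admin", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}},
    {"TimeGenerated": "2024-01-15T09:14:40Z", "Category": "RoleManagement",
     "OperationName": "Add member to role", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}},
    {"TimeGenerated": "2024-01-15T09:20:11Z", "Category": "administrative",
     "OperationName": "ASSIGNS THE CALLER TO USER ACCESS ADMIN", "Result": "failure",
     "InitiatedBy": {"user": {"userPrincipalName": "mallory@contoso.example"}}},
]

def matches_selection(record, selection=SELECTION):
    """True when every selection field equals the record's value.
    Sigma string matching is case-insensitive, so both sides are casefolded."""
    for field, expected in selection.items():
        value = record.get(field)
        if not isinstance(value, str) or value.casefold() != expected.casefold():
            return False
    return True

def actor_of(record):
    """Initiating principal: user UPN if present, otherwise the app display name."""
    initiated = record.get("InitiatedBy", {})
    if "user" in initiated:
        return initiated["user"].get("userPrincipalName", "unknown-user")
    return initiated.get("app", {}).get("displayName", "unknown-app")

def run_detection(records):
    """Apply `condition: selection` to each record and build one alert per hit.
    The rule has no filter on Result, so a failed elevation attempt also alerts."""
    return [
        {"time": r.get("TimeGenerated"), "actor": actor_of(r), "result": r.get("Result")}
        for r in records if matches_selection(r)
    ]

if __name__ == "__main__":
    print(json.dumps(run_detection(SAMPLE_AUDITLOGS), indent=2))
```

Because `Result` is not part of the selection, triaging each alert means checking both who initiated the elevation and whether it succeeded before treating it as an approved change.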
References
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
Related rules
- AWS Key Pair Import Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Authentications To Important Apps Using Single Factor Authentication
- Azure Domain Federation Settings Modified