Invalid PIM License

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.t1078 attack.persistence attack.privilege-escalation ·

Share on:

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Sigma rule (View on GitHub)

 1title: Invalid PIM License
 2id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
 3status: test
 4description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.initial-access
11    - attack.defense-evasion
12    - attack.t1078
13    - attack.persistence
14    - attack.privilege-escalation
15logsource:
16    product: azure
17    service: pim
18detection:
19    selection:
20        riskEventType: 'invalidLicenseAlertIncident'
21    condition: selection
22falsepositives:
23    - Investigate if licenses have expired.
24level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Invalid PIM License

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules