Roles Assigned Outside PIM

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.t1078 attack.persistence attack.privilege-escalation ·

Share on:

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Sigma rule (View on GitHub)

 1title: Roles Assigned Outside PIM
 2id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
 3status: test
 4description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.initial-access
11    - attack.defense-evasion
12    - attack.t1078
13    - attack.persistence
14    - attack.privilege-escalation
15logsource:
16    product: azure
17    service: pim
18detection:
19    selection:
20        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
21    condition: selection
22falsepositives:
23    - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
24level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Roles Assigned Outside PIM

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules