Roles Are Not Being Used

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.t1078 attack.persistence attack.privilege-escalation ·

Share on:

Identifies when a user has been assigned a privilege role and are not using that role.

Sigma rule (View on GitHub)

 1title: Roles Are Not Being Used
 2id: 8c6ec464-4ae4-43ac-936a-291da66ed13d
 3status: test
 4description: Identifies when a user has been assigned a privilege role and are not using that role.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.initial-access
11    - attack.defense-evasion
12    - attack.t1078
13    - attack.persistence
14    - attack.privilege-escalation
15logsource:
16    product: azure
17    service: pim
18detection:
19    selection:
20        riskEventType: 'redundantAssignmentAlertIncident'
21    condition: selection
22falsepositives:
23    - Investigate if potential generic account that cannot be removed.
24level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Roles Are Not Being Used

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules