Azure AD escalation from Global Administrator to User Access Administrator

azure

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Set up the azure integration.

Goal

Detect when a Global Administrator elevates their Azure Active Directory permissions to User Access Administrator in Azure RBAC. This may indicate an attacker with Azure Active Directory privileges is seeking to gain control over Azure resources.

Strategy

Monitor Azure Active Directory audit logs for the following events:

  • User has elevated their access to User Access Administrator for their Azure Resources

Triage and Response

  1. Verify if this activity is associated with expected administrator activities.
  2. If not, investigate activity by the account associated with this alert ({{@usr.id}}) around the time of this event, including any permissions modifications made to Azure RBAC assignments.