Azure restricted management administrative unit created
Set up the Azure integration.
Detect creation of Entra ID (Azure AD) restricted management Administrative Units (AUs). A restricted management AU prevents any user who lacks a role assignment scoped to that AU from modifying the users who are members of it. If this was not intentionally configured by the IT team, it can block user containment during a sensitive incident, and the creation itself may indicate malicious activity.
Monitor Azure Active Directory logs for @properties.category:AdministrativeUnit and @evt.name:"Add administrative unit" where the event includes a restricted administrative unit.
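The following Python is an added example, not part of the original rule, that applies the same three conditions (AdministrativeUnit category, "Add administrative unit" operation, restricted flag present) to constructed audit-log records shaped like ingested Entra ID audit events. How the restricted flag surfaces in the record is an assumption: the example looks for a modifiedProperties entry named IsMemberManagementRestricted, and the sample events, user names and AU names are all made up. Because Entra audit logs often JSON-encode property values, the check accepts a bare boolean, the string true, or the quoted string "true".

```python
import json
from typing import Any, Dict, List

# Constructed sample records shaped like Entra ID audit-log events after
# ingestion into a pipeline exposing @evt.name / @properties.* attributes.
# Illustrative data only, not captured production logs. The property name
# below is an ASSUMPTION; verify it against your own log source.
RESTRICTED_FLAG = "IsMemberManagementRestricted"

SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # restricted AU created -> should alert
        "evt": {"name": "Add administrative unit"},
        "properties": {
            "category": "AdministrativeUnit",
            "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
            "targetResources": [{
                "displayName": "Tier0-Restricted-AU",
                "modifiedProperties": [
                    # audit logs usually JSON-encode newValue, hence the quoted string
                    {"displayName": RESTRICTED_FLAG, "newValue": "\"true\""},
                ],
            }],
        },
    },
    {   # ordinary AU created -> no alert
        "evt": {"name": "Add administrative unit"},
        "properties": {
            "category": "AdministrativeUnit",
            "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
            "targetResources": [{
                "displayName": "Helpdesk-AU",
                "modifiedProperties": [
                    {"displayName": RESTRICTED_FLAG, "newValue": "\"false\""},
                ],
            }],
        },
    },
    {   # restricted flag on an update, not a creation -> outside this rule's scope
        "evt": {"name": "Update administrative unit"},
        "properties": {
            "category": "AdministrativeUnit",
            "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
            "targetResources": [{
                "displayName": "Finance-AU",
                "modifiedProperties": [
                    {"displayName": RESTRICTED_FLAG, "newValue": "true"},
                ],
            }],
        },
    },
    {   # flag delivered as a bare boolean -> should still alert
        "evt": {"name": "Add administrative unit"},
        "properties": {
            "category": "AdministrativeUnit",
            "initiatedBy": {"user": {"userPrincipalName": "svc-automation@example.com"}},
            "targetResources": [{
                "displayName": "Break-Glass-AU",
                "modifiedProperties": [
                    {"displayName": RESTRICTED_FLAG, "newValue": True},
                ],
            }],
        },
    },
]


def _as_bool(raw: Any) -> bool:
    """Normalise a modifiedProperties value: bool, 'true', or JSON-encoded '"true"'."""
    if isinstance(raw, bool):
        return raw
    if raw is None:
        return False
    text = str(raw).strip()
    try:
        decoded = json.loads(text)  # turns '"true"' into 'true' and 'true' into True
    except ValueError:
        decoded = text
    if isinstance(decoded, bool):
        return decoded
    return str(decoded).strip().lower() == "true"


def is_restricted_au_creation(event: Dict[str, Any]) -> bool:
    """Mirror the rule: right category, right operation, restricted flag set."""
    props = event.get("properties", {})
    if props.get("category") != "AdministrativeUnit":
        return False
    if event.get("evt", {}).get("name") != "Add administrative unit":
        return False
    for target in props.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == RESTRICTED_FLAG and _as_bool(prop.get("newValue")):
                return True
    return False


def find_restricted_au_creations(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per matching event with the actor and AU names for triage."""
    findings = []
    for event in events:
        if not is_restricted_au_creation(event):
            continue
        props = event["properties"]
        actor = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        units = [t.get("displayName", "<unnamed>") for t in props.get("targetResources", [])]
        findings.append({"actor": actor, "administrative_units": units})
    return findings


if __name__ == "__main__":
    for finding in find_restricted_au_creations(SAMPLE_EVENTS):
        print(f"ALERT: {finding['actor']} created restricted AU(s) {finding['administrative_units']}")
```

Each finding carries the initiating principal and the AU names, which are exactly the inputs the triage steps below need: whether the organisation uses restricted AUs at all, and whether that actor had a legitimate reason to create one.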
- Review if restricted administrative units are used by the organization.
- Review evidence of anomalous activity for the user creating a restricted administrative unit.
- Determine if there is a legitimate reason for the user creating a restricted administrative unit.