---
title: Azure restricted management administrative unit created
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure restricted management administrative unit created

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

Classification: attack

Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)

Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detect the creation of Entra ID (Azure AD) restricted management administrative units (AUs). A restricted management AU prevents any user without a specific scoped role assignment from modifying the users who are members of it. If the IT team did not configure the AU intentionally, this can impede user containment during sensitive incidents, and it may indicate malicious activity.

## Strategy{% #strategy %}

Monitor Azure Active Directory logs for `@properties.category:AdministrativeUnit` and `@evt.name:"Add administrative unit"` where the event includes a restricted administrative unit.
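
The filter above, applied to sample audit records, as an added example (not Datadog's rule logic). It assumes the restricted flag appears as an `IsMemberManagementRestricted` entry under `properties.targetResources[].modifiedProperties`; the helper names and the sample events are constructed for illustration.

```python
# Added example: the "targetResources"/"modifiedProperties" layout and the
# "IsMemberManagementRestricted" property name are assumptions; events are constructed.

def _is_true(value):
    """Audit logs serialize values as strings such as '[true]' or '["True"]'."""
    return str(value).strip('[]" ').lower() == "true"


def is_restricted_au_creation(event):
    """Return True when the event matches the rule's filter and the new AU is restricted."""
    props = event.get("properties") or {}
    if (props.get("category") != "AdministrativeUnit"
            or (event.get("evt") or {}).get("name") != "Add administrative unit"):
        return False
    for target in props.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if (prop.get("displayName") == "IsMemberManagementRestricted"
                    and _is_true(prop.get("newValue"))):
                return True
    return False


def initiator(event):
    """Best-effort actor for triage: the user or app that created the AU."""
    by = (event.get("properties") or {}).get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _event(name, category, restricted, upn):
    # Constructed sample record, shaped after the attributes the query references.
    return {"evt": {"name": name},
            "properties": {"category": category,
                           "initiatedBy": {"user": {"userPrincipalName": upn}},
                           "targetResources": [{"modifiedProperties": [
                               {"displayName": "DisplayName", "newValue": '["Finance"]'},
                               {"displayName": "IsMemberManagementRestricted",
                                "newValue": restricted}]}]}}


SAMPLE_EVENTS = [
    _event("Add administrative unit", "AdministrativeUnit", "[true]", "alice@example.com"),
    _event("Add administrative unit", "AdministrativeUnit", "[false]", "bob@example.com"),
    _event("Update administrative unit", "AdministrativeUnit", "[true]", "carol@example.com"),
]

if __name__ == "__main__":
    hits = [initiator(e) for e in SAMPLE_EVENTS if is_restricted_au_creation(e)]
    print("restricted AU created by:", hits)
```

Only the first sample event matches: the second creates an unrestricted AU, and the third is an update rather than a creation.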

## Triage and response{% #triage-and-response %}

1. Review if restricted administrative units are used by the organization.
1. Review evidence of anomalous activity for the user creating a restricted administrative unit.
1. Determine if there is a legitimate reason for the user creating a restricted administrative unit.
