---
title: Azure administrative unit modified
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure administrative unit modified

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

Classification: attack

Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)

Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detects the modification of Entra ID (Azure AD) Administrative Units (AUs). The modification of AUs may indicate suspicious activity if an environment is not utilizing AUs.

## Strategy{% #strategy %}

Monitor Azure Active Directory logs for `@properties.category:AdministrativeUnit` and `(@evt.name:"Update administrative unit" OR @evt.name:"Restore administrative unit" OR @evt.name:"Delete administrative unit" OR @evt.name:"Hard delete administrative unit")`, excluding events for restricted administrative units.
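
The same filter can be replayed offline against exported audit records to see which events would match. The following is an added example, not Datadog's rule implementation. It assumes `@evt.name` corresponds to the record's `operationName`, that records carry `properties.initiatedBy` and `properties.targetResources`, and that a restricted unit is marked by an `IsMemberManagementRestricted` modified property. The sample records are constructed.

```python
# Event names from the Strategy section; each ends with " administrative unit".
AU_OPERATIONS = {f"{verb} administrative unit"
                 for verb in ("Update", "Restore", "Delete", "Hard delete")}
# Assumption: a restricted AU is recognised by this modified-property name.
RESTRICTED_PROPERTY = "IsMemberManagementRestricted"

def is_restricted(props):
    """True if a target resource carries the assumed restricted-AU marker set to true."""
    return any(
        prop.get("displayName") == RESTRICTED_PROPERTY
        and "true" in str(prop.get("newValue")).lower()
        for target in props.get("targetResources") or []
        for prop in target.get("modifiedProperties") or [])

def detect(events):
    """Return (actor, operation, units) for each record matching the strategy."""
    findings = []
    for event in events:
        props = event.get("properties") or {}
        if (props.get("category") != "AdministrativeUnit"
                or event.get("operationName") not in AU_OPERATIONS
                or is_restricted(props)):
            continue
        by = props.get("initiatedBy") or {}
        actor = ((by.get("user") or {}).get("userPrincipalName")
                 or (by.get("app") or {}).get("displayName") or "unknown")
        units = [t.get("displayName") for t in props.get("targetResources") or []]
        findings.append((actor, event["operationName"], units))
    return findings

def sample(op, category, by, unit, mods=None):
    """Build one constructed audit record (not real log data)."""
    target = {"displayName": unit, "modifiedProperties": mods or []}
    return {"operationName": op, "properties": {
        "category": category, "initiatedBy": by, "targetResources": [target]}}

USER = {"user": {"userPrincipalName": "alice@example.com"}}
APP = {"app": {"displayName": "provisioning-app"}}
MARK = [{"displayName": RESTRICTED_PROPERTY, "newValue": "[true]"}]
SAMPLE_EVENTS = [
    sample("Update administrative unit", "AdministrativeUnit", USER, "Finance"),
    sample("Update administrative unit", "AdministrativeUnit", USER, "Tier0", MARK),
    sample("Add member to administrative unit", "AdministrativeUnit", USER, "Finance"),
    sample("Hard delete administrative unit", "AdministrativeUnit", APP, "Legacy"),
    sample("Update user", "UserManagement", USER, "bob@example.com"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Of the five constructed records, only the unrestricted update and the hard delete match. The membership change, the restricted unit and the non-AU category are all filtered out.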

## Triage and response{% #triage-and-response %}

1. Review if administrative units are used by the organization.
1. Review evidence of anomalous activity for the user modifying an administrative unit.
1. Determine if there is a legitimate reason for the user modifying an administrative unit.
