Entra ID Global Administrator Role Assigned

Last updated 7 days ago on 2025-09-26
Created 4 years ago on 2022-01-06

About

In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Microsoft Entra ID and services that use Microsoft Entra ID identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. They can also elevate privilege to User Access Administrator to pivot into Azure resources.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Audit LogsUse Case: Identity and Access AuditTactic: PersistenceLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-azure.auditlogs-*
Related Integrations

azure(opens in a new tab or window)

Query
event.dataset:azure.auditlogs and
    azure.auditlogs.properties.category:RoleManagement and
    azure.auditlogs.operation_name:"Add member to role" and
    azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: "\"Global Administrator\""

Install detection rules in Elastic Security

Detect Entra ID Global Administrator Role Assigned in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).