Microsoft 365 Global Administrator Role Assigned

Last updated 15 days ago on 2025-05-21

Created 3 years ago on 2022-01-06

About

In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.

Tags

Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsUse Case: Identity and Access AuditTactic: PersistenceLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Account Manipulation (T1098)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-o365.audit-*
Related Integrations: o365(opens in a new tab or window)
Query

event.dataset:o365.audit
    and event.code:"AzureActiveDirectory"
    and event.action:"Add member to role."
    and event.outcome: "success"
    and o365.audit.ModifiedProperties.Role_DisplayName.NewValue: (
        "Global Administrator" or "Company Administrator"
    )
    and o365.audit.AzureActiveDirectoryEventType: 1
    and o365.audit.RecordType: 8
    and not o365.audit.Target.Type: (4 or 5 or 6)

Install detection rules in Elastic Security

Detect Microsoft 365 Global Administrator Role Assigned in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).