Vendors Microsoft Corporation Office 365 Azure AD Role Assignment

Azure AD Role Assignment

Add Member to Role - Privilege Escalation

Records Azure Active Directory role assignment operations, particularly additions to privileged roles like Global Administrator, which represent privilege escalation and potential security risks

azuread role-assignment privilege-escalation identity critical-security

JSON Format 32 Fields Low Frequency Generator

Preview Sample View Schema

Overview

Captures Azure Active Directory role assignment operations where users are added to administrative roles. Global Administrator assignments are the highest risk as they grant complete control over the tenant. This event is critical for detecting privilege escalation attacks and unauthorized administrative access.

When Generated:

Administrator assigns user to Azure AD administrative role
New administrator account provisioned with elevated privileges
Attacker escalates privileges via compromised admin account
Emergency administrative access granted
Privileged Identity Management (PIM) activation

Security Relevance:

Critical

Compliance:

NIST 800-53 (AC-2, AC-6, IA-4) PCI-DSS (Requirement 7 - Least Privilege) SOX (Access Controls) ISO 27001 (A.9.2 - User Access Management) CIS Controls (5.4 - Restrict Administrator Privileges)

Frequency Notes:

Very low frequency under normal operations (1 event/hour baseline). Role assignments should be rare, planned, and approved. Off-hours activity is extremely suspicious (5x night multiplier, 4x weekend). Global Administrator assignments require immediate investigation. Rapid successive assignments or assignments to newly created accounts are high-priority alerts.

Resources

Documentation

Office 365 Management Activity API Schema official
Azure AD Built-in Roles official
Privileged Identity Management (PIM) official
MITRE ATT&CK - Account Manipulation (T1098) reference

Tools

Microsoft 365 Defender
Native detection for suspicious role assignments and privilege escalation
Azure AD PowerShell
Query and manage Azure AD roles and assignments
Azure Sentinel
SIEM with built-in analytics for Azure AD privilege escalation

Generation Configuration

Base Frequency: 1 events/hour

Time Patterns:

business_hours night_hours

Business Hours Multiplier: 2.0x

Night Hours Multiplier: 5.0x

Weekend Multiplier: 4.0x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
CreationTime Source: now() \| iso8601	DateTime	Required	`ISO 8601`	Timestamp when the role assignment occurred	`2024-12-15T16:08:52Z`	—
Id Source: random_guid()	String	Required	`GUID`	Unique identifier for this audit record	`e7f8a9b0-c1d2-3e4f-5a6b-7c8d9e0f1a2b`	—
Operation Source: Static value 'Add member to role'	String	Required	—	Azure AD operation performed	`Add member to role`	—
OrganizationId Source: Derived from organization domain	String	Required	`GUID`	Microsoft 365 tenant identifier	`b4c5d6e7-8f9a-0b1c-2d3e-4f5a6b7c8d9e`	—
RecordType Source: Static value 8	Integer	Required	—	Office 365 audit log record type (8 = AzureActiveDirectory)	`8`	`8` — AzureActiveDirectory - Azure AD events including role assignments
ResultStatus Source: random_choice(['Success', 'Success', 'Success', 'Failed'])	String	Required	—	Outcome of the role assignment operation	`Success`	`Success` — Role assignment completed successfully `Failed` — Role assignment failed (insufficient permissions or validation error)
UserKey Source: registry.get_random_user().email	String	Required	—	Unique identifier for the user who performed the role assignment	`admin@contoso.com`	—
UserType Source: random_choice([0, 2])	Integer	Required	—	Type of user performing the action	`2`	`0` — Regular user (unusual for role assignments) `2` — Administrator (expected)
Workload Source: Static value 'AzureActiveDirectory'	String	Required	—	Office 365 service where the operation occurred	`AzureActiveDirectory`	—
UserId Source: registry.get_random_user().email	String	Required	`Email/UPN`	User principal name of the administrator account	`admin@contoso.com`	—
ClientIP Source: random_choice([random_public_ip(), random_private_ip()])	String	Required	`IPv4`	IP address from which the operation was performed	`203.0.113.92`	—
ObjectId Source: User_ prefix with random_guid()	String	Required	—	Object identifier for the role assignment (User_GUID format)	`User_a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d`	—
Actor Source: Array with user ID and hex identifier	Array	Required	—	Array containing actor information (user performing the assignment)	—	—
Actor[].ID Source: User email or hex identifier	String	Required	—	Actor identifier (email or hex ID)	`admin@contoso.com`	—
Actor[].Type	Integer	Required	—	Actor type identifier	`0`	`0` — User principal `5` — Other identifier type
ActorContextId Source: Derived from organization domain	String	Required	`GUID`	Tenant context of the actor	`b4c5d6e7-8f9a-0b1c-2d3e-4f5a6b7c8d9e`	—
ActorIpAddress Source: random_choice([random_public_ip(), random_private_ip()])	String	Required	`IPv4`	IP address of the actor	`203.0.113.92`	—
Target Source: Array with target user identifiers	Array	Required	—	Array containing target user information (user receiving the role)	—	—
Target[].ID Source: User email or User_GUID format	String	Required	—	Target user identifier	`newadmin@contoso.com`	—
Target[].Type	Integer	Required	—	Target type identifier	`2`	`2` — User object `5` — Other identifier type
ApplicationId Source: Known Azure AD application GUIDs	String	Required	`GUID`	Application that facilitated the role assignment	`c44b4083-3bb0-49c1-b47d-974e53cbdf3c`	`c44b4083-3bb0-49c1-b47d-974e53cbdf3c` — Azure AD PowerShell `00000002-0000-0000-c000-000000000000` — Azure AD Graph API `00000003-0000-0000-c000-000000000000` — Microsoft Graph
DeviceProperties Source: Array with browser, compliance, and management status	Array	Required	—	Properties of the device used for the role assignment	—	—
DeviceProperties[].Name	String	Required	—	Property name (BrowserType, IsCompliant, IsManaged)	`IsCompliant`	—
DeviceProperties[].Value Source: Context-specific values for device properties	String	Required	—	Property value	`True`	—
ExtendedProperties Source: Array with additional context	Array	Required	—	Additional properties including user type and user agent	—	—
ModifiedProperties Source: Array showing role assignment details	Array	Required	—	Role details including role name and template ID	—	—
ModifiedProperties[].Name	String	Required	—	Property name (Role.WellKnownObjectName, Role.DisplayName, Role.TemplateId, Role.ObjectID)	`Role.DisplayName`	—
ModifiedProperties[].NewValue Source: Azure AD role name or GUID	String	Required	—	Role being assigned	`Global Administrator`	`Global Administrator` — Highest privilege - complete tenant control (TemplateId: 62e90394-69f5-4237-9190-012177145e10) `User Administrator` — Manage users and groups (TemplateId: fe930be7-5e62-47db-91af-98c3a49a38b1) `Privileged Role Administrator` — Manage role assignments (TemplateId: e8611ab8-c189-46e8-94e1-60213ab1f814) `Security Administrator` — Manage security settings (TemplateId: 194ae4cb-b126-40b2-bd5b-6091b380977d) `Helpdesk Administrator` — Reset passwords for non-admins (TemplateId: 729827e3-9c14-49f7-bb1b-9608f156bbb8)
ModifiedProperties[].OldValue Source: Empty string	String	Required	—	Previous value (empty for new role assignments)	—	—
ExternalAccess Source: random_choice(['true', 'false', 'false']) - weighted toward internal	Boolean	Required	—	Indicates if the operation was performed from outside the corporate network	`true`	—
AzureActiveDirectoryEventType Source: Static value 1	Integer	Required	—	Type of Azure AD event	`1`	—
UserAgent Source: Random user agent string	String	Required	—	Browser user agent string	`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36`	—

Details

Fields

Low

Frequency

Feedback

No ratings yet