Microsoft Entra ID Role Management Permission Grant

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory. An adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges. Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions Ref :

Attribute	Value
Type	Analytic Rule
Solution	Microsoft Entra ID
ID	`1ff56009-db01-4615-8211-d4fda21da02d`
Severity	High
Status	Available
Kind	Scheduled
Tactics	Persistence, Impact
Techniques	T1098.003, T1078.004
Required Connectors	AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`AuditLogs`	`OperationName in "Add app role assignment to service principal,Add delegated permission grant"`	✓	✗	?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Microsoft Entra ID