[Entra ID] Application Assigned Administrator Permissions Immediately After Obtaining Role Management Permissions

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Detects an application receiving administrator permissions and then using them to assign a role. This pattern can indicate rapid privilege escalation through app consent abuse.

Attribute	Value
Type	Analytic Rule
Solution	eDCRule
ID	90bacdf4-e35b-47cb-92d1-29d8397eb4a0
Severity	High
Status	Available
Kind	Scheduled
Tactics	Persistence, PrivilegeEscalation, DefenseEvasion, InitialAccess
Techniques	T1078.004, T1098.003
Required Connectors	AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AuditLogs	AADOperationType == "Assign" LoggedByService == "Core Directory" OperationName == "Add app role assignment to service principal"	✓	✗	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to eDCRule