[Entra ID] Privileged Role Assigned to User

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Detects when a user is assigned a privileged role in Microsoft Entra ID. This may indicate unauthorized privilege escalation and should be validated promptly.

Attribute	Value
Type	Analytic Rule
Solution	eDCRule
ID	fad0f8b9-a0a5-430a-9a94-049a1144bf54
Severity	High
Status	Available
Kind	Scheduled
Tactics	Persistence, DefenseEvasion, PrivilegeEscalation, InitialAccess
Techniques	T1078.004
Required Connectors	AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AuditLogs	AADOperationType in "Assign,AssignEligibleRole,CreateRequestGrantedRole,CreateRequestPermanentEligibleRole,CreateRequestPermanentGrantedRole" ActivityDisplayName has_any "Add eligible member to role"	✓	✗	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to eDCRule