Triggers
- A service principal, application, or user has been added to the ‘Privileged Role Administrator’ Azure AD role.
Possible Root Causes
- An adversary has added an identity they control to a sensitive role to create a redundant access path into the environment. Because this role can manage Azure AD role assignments, it lets the adversary re-grant privileges later even if their other access is removed.
- In some cases, administrators performing deployment testing grant this role to an application or its service principal.
Business Impact
- Adversaries create redundant access mechanisms so they can maintain persistence after their primary access method is discovered and remediated.
- Redundant access allows malicious activity to continue well beyond the initial discovery and response phases, increasing the risk to enterprise services and data.
Steps to Verify
- Validate that this activity is not associated with authorized administrative testing activities.
- Confirm who made the assignment (the initiating user or application) and whether the principal that received the role is one you expect to hold it, paying particular attention to applications and service principals.
- Check whether the role was granted as a permanent assignment or as a PIM-eligible assignment; a direct permanent grant outside an approved change is the more suspicious of the two.
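The following is an added example of the detection and triage logic described above, not code from the vendor page. It runs over constructed Azure AD audit records shaped like Microsoft Graph directoryAudit entries (activityDisplayName, initiatedBy, targetResources with a Role.DisplayName modified property); the tenant names, principals, and the "Add member to role" / "Add eligible member to role" activity names are assumptions for illustration and should be confirmed against your own audit data.

```python
import json

# Role this detection covers (matches the trigger above).
MONITORED_ROLE = "Privileged Role Administrator"


def _record(operation, initiator, target, target_type, role, result="success"):
    """Build a constructed audit record shaped like a Microsoft Graph
    directoryAudit entry. Sample data only, not from a real tenant."""
    return {
        "activityDisplayName": operation,
        "category": "RoleManagement",
        "result": result,
        "initiatedBy": initiator,
        "targetResources": [{
            "displayName": target,
            "type": target_type,
            # Azure AD stores modifiedProperties values as JSON-encoded strings.
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role)},
            ],
        }],
    }


# Constructed initiators (assumed names).
BY_USER = {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None}
BY_APP = {"user": None, "app": {"displayName": "ci-automation"}}

# Constructed sample log: two grants of the monitored role, plus three records
# that must not fire (a different role, a removal, and a failed attempt).
SAMPLE_AUDIT_LOG = [
    _record("Add member to role", BY_USER, "deploy-pipeline", "ServicePrincipal", MONITORED_ROLE),
    _record("Add member to role", BY_USER, "alice@contoso.example", "User", "Global Reader"),
    _record("Remove member from role", BY_USER, "bob@contoso.example", "User", MONITORED_ROLE),
    _record("Add member to role", BY_APP, "mallory@contoso.example", "User", MONITORED_ROLE, result="failure"),
    _record("Add eligible member to role", BY_APP, "carol@contoso.example", "User", MONITORED_ROLE),
]


def _granted_role(record):
    """Return the role display name recorded on the target, or None."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue") or ""
                try:
                    return json.loads(raw)   # strip the JSON quoting
                except ValueError:
                    return raw               # tolerate an unquoted value
    return None


def _initiator(record):
    """Identify who performed the assignment: a user UPN or an app name."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "<unknown user>")
    if who.get("app"):
        return who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def is_role_grant(record):
    """True for successful operations that add (permanent or eligible)
    membership; 'Remove member from role' and failed attempts are skipped."""
    name = record.get("activityDisplayName", "")
    return (name.startswith("Add") and "member to role" in name
            and record.get("result") == "success")


def find_privileged_role_grants(records, role=MONITORED_ROLE):
    """Return one triage dict per successful grant of `role`."""
    hits = []
    for rec in records:
        if not is_role_grant(rec) or _granted_role(rec) != role:
            continue
        target = (rec.get("targetResources") or [{}])[0]
        target_type = target.get("type", "")
        hits.append({
            "operation": rec["activityDisplayName"],
            "initiator": _initiator(rec),
            "target": target.get("displayName", "<unknown>"),
            "target_type": target_type,
            # Eligible (PIM) assignments still need activation; permanent ones do not.
            "eligible_only": "eligible" in rec["activityDisplayName"].lower(),
            # The root-cause notes above single out apps and service principals.
            "non_human_target": target_type.lower() in {"serviceprincipal", "application"},
        })
    return hits


if __name__ == "__main__":
    for hit in find_privileged_role_grants(SAMPLE_AUDIT_LOG):
        print(hit)
```

Each hit carries the fields a responder needs for the verification steps: the initiator to check against authorized testing, the target and whether it is a non-human identity, and whether the grant was permanent or only PIM-eligible.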