Elevated Access management for Azure resources by Global Admin
Elevated G Afor Azure Management
Query
CloudAppEvents
| where ApplicationId == '12260'and Application == 'Microsoft Azure'
| where parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleDefinitionId == "b21f0835cd464e508cf8e297ff563cb1"
| where RawEventData.operationName == "Microsoft.Authorization/elevateAccess/action"
| where parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentScope == "/"
| where parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentId == "b507cd211c194747a82e1c2e8584c6da"
| extend ClientIPAddress = parse_json(tostring(RawEventData.httpRequest)).clientIpAddress
| extend RoleAssignmentScope = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentScope
| extend RoleAssignmentId = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentIdExplanation
This query is designed to monitor and detect when a Global Administrator in Azure Active Directory (Azure AD) elevates their access to manage Azure resources. Here's a simplified breakdown of what the query does:
-
Purpose: The query checks for instances where a Global Administrator in Azure AD assigns themselves elevated access to all Azure subscriptions and management groups within their directory. This is a potential security concern because Azure AD and Azure resources are typically secured independently.
-
Severity: The severity level of this query is marked as "Medium," indicating a moderate level of concern if such activity is detected.
-
Frequency: The query runs every 4 hours to check for any new instances of elevated access.
-
Detection Logic:
- It looks for events in the
CloudAppEventstable where the application is 'Microsoft Azure' and the specific operation is "Microsoft.Authorization/elevateAccess/action." - It checks if the role definition and assignment IDs match specific values that indicate elevated access.
- It extracts the client IP address and role assignment details for further analysis.
- It looks for events in the
-
Tactics and Techniques: The query is associated with the "Privilege Escalation" tactic and maps to techniques T1078 (Valid Accounts) and T1110 (Brute Force).
-
Entity Mappings: The query maps detected events to account and IP entities, allowing for further investigation of the user and IP address involved.
In summary, this query helps identify when a Global Administrator in Azure AD elevates their access to manage Azure resources, which could indicate a potential security risk or misuse of privileges.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 4h
Period: 4h