Query Details

User Elevated To User Access Administrator

Query

arg("").authorizationresources
| where properties.roleDefinitionId == "/providers/Microsoft.Authorization/RoleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

About this query

User elevated to User Access Administrator

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1098.003Additional Cloud Roleshttps://attack.mitre.org/techniques/T1098/003/

Description

This hunting query detects the elevation to User Access Administrator. This built-in role allows the user to assign themselves or others the Owner role to all subscriptions within a tenant.

References

Microsoft Sentinel

Explanation

This query is used to detect when a user is elevated to the User Access Administrator role. This role allows the user to assign themselves or others the Owner role to all subscriptions within a tenant. The query checks for the roleDefinitionId "/providers/Microsoft.Authorization/RoleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" in the authorizationresources.

Details

Gianni Castaldi profile picture

Gianni Castaldi

Released: September 11, 2023

Tables

authorizationresources

Keywords

UserUser Access AdministratorMicrosoft Sentinel

Operators

argauthorizationresources|whereproperties.roleDefinitionId=="/providers/Microsoft.Authorization/RoleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

MITRE Techniques

Actions

GitHub