Azure AD Admin Account Creation
Detection overview
Triggers
- An account has been created with administrative privileges (TenantAdmins, PrivilegedRoleAdmins, ApplicationAdministrators) that provide broad access to the environment.
Possible Root Causes
- An attacker that has gained administrative rights has added additional administrative accounts to the environment as a back-up access method if their existing access is disabled or otherwise removed at a future date.
- Existing legitimate administrators may add additional administrative users unintentionally or via social engineering.
- A new, legitimate, administrative account was added.
Business Impact
- Unauthorized administrative users have complete control within the environment, creating significant on-going risk to a broad range of resources.
- Attackers with access to the identified administrative rights will be able to operate unfettered within the environment.
- Attackers using multiple administrative accounts improve their resilience to an incident response and are able to silo operations to prevent the detection of a single compromised admin account from affecting access and actions undertaken from other compromised admin accounts.
Steps to Verify
- Validate the administrative account was created according to organizational change control policies and that the access granted is appropriate and necessary
Azure AD Admin Account Creation
Possible root causes
Malicious Detection
Benign Detection
Azure AD Admin Account Creation
Example scenarios
Azure AD Admin Account Creation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure AD Admin Account Creation
Steps to investigate
Azure AD Admin Account Creation
MITRE ATT&CK techniques covered
Azure AD Admin Account Creation
Related detections
No items found.