Azure AD Redundant Access Creation
Detection overview
Triggers
- A service principal, application, or user has been provisioned membership into to the ‘Privileged Role Administrator’ Azure AD role.
Possible Root Causes
- An adversary has provisioned access into a sensitive role to create redundant access into the network.
- In some cases, administrators performing deployment testing will grant permissions associated with this role to the app or related service principal.
Business Impact
- Adversaries will create redundant access mechanisms so that they are able to continue to maintain persistence despite their primary access method being discovered and remediated.
- Redundant access allows malicious activities to continue well beyond initial discovery and response phases, increasing risks to enterprise services or data.
Steps to Verify
- Validate that this activity is not associated with authorized administrative testing activities.
Azure AD Redundant Access Creation
Possible root causes
Malicious Detection
Benign Detection
Azure AD Redundant Access Creation
Example scenarios
Azure AD Redundant Access Creation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure AD Redundant Access Creation
Steps to investigate
Azure AD Redundant Access Creation
Related detections
No items found.