Azure Subscription Admin Role Unassigned
Detection overview
Triggers
- Removal of a highly permissive role assigned to an entity at the Subscription scope level.
Possible Root Causes
- Malicious Activity: An attacker is attempting to isolate access to a Subscription by removing a legitimate administrator, impairing defenses and disrupting logging visibility.
- Administrative Change: A legitimate administrator is performing authorized changes to permissions.
Business Impact
- An attacker who hinders defenses compromises the victim�s ability to respond effectively.
- Evading detection by disrupting logging and security monitoring mechanisms.
Steps to Verify
- Investigate the Principal: Review the identity that performed the role removal for other signs of malicious activity.
- Check Security Policies: Determine whether the removal of the privileged role was sanctioned according to organizational security policies.
- If Malicious Actions or High-Risk Modifications Are Suspected:
- Disable credentials associated with this alert to prevent further unauthorized access.
- Regrant privileges within the Subscription as necessary to restore visibility and administrative control.
- Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
Azure Subscription Admin Role Unassigned
Possible root causes
Malicious Detection
Benign Detection
Azure Subscription Admin Role Unassigned
Example scenarios
Azure Subscription Admin Role Unassigned
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Subscription Admin Role Unassigned
Steps to investigate
Azure Subscription Admin Role Unassigned
Related detections
No items found.