Removal of a highly permissive role assigned to an entity at the Subscription scope level.
Possible Root Causes
Malicious Activity: An attacker is attempting to isolate access to a Subscription by removing a legitimate administrator, impairing defenses and disrupting logging visibility.
Administrative Change: A legitimate administrator is performing authorized changes to permissions.
Business Impact
An attacker who hinders defenses compromises the victim's ability to respond effectively.
Evading detection by disrupting logging and security monitoring mechanisms.
Steps to Verify
Investigate the Principal: Review the identity that performed the role removal for other signs of malicious activity.
Check Security Policies: Determine whether the removal of the privileged role was sanctioned according to organizational security policies.
If Malicious Actions or High-Risk Modifications Are Suspected:
Disable credentials associated with this alert to prevent further unauthorized access.
Regrant privileges within the Subscription as necessary to restore visibility and administrative control.
Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
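One way to script the first verification step, added here as an example and not taken from the original page or from any vendor's detection logic: it finds successful removals of a privileged role at subscription scope in Azure Activity Log records and lists logging-related changes made by the same caller. The flattened record shape, the set of roles treated as highly permissive and the logging watch list are assumptions, and the sample records are constructed.

```python
import re

# Built-in role definition GUIDs. Treating these three as "highly permissive" is an assumption.
PRIVILEGED = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
}
ROLE_DELETE = "Microsoft.Authorization/roleAssignments/delete"
# Operations by the same caller that reduce logging visibility (assumed watch list).
LOGGING_OPS = {"microsoft.insights/diagnosticsettings/delete"}
# Subscription scope: no resourceGroups or resource segment before the provider.
SUB_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/providers/"
    r"microsoft\.authorization/roleassignments/[0-9a-f-]{36}$", re.I)

def triage(events):
    """One finding per successful privileged role removal at subscription scope."""
    findings = []
    for ev in events:
        if ev["operationName"].lower() != ROLE_DELETE.lower() or ev["status"] != "Succeeded":
            continue
        if not SUB_SCOPE.match(ev["resourceId"]):
            continue  # resource-group or resource scope, not the subscription itself
        guid = ev.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if guid not in PRIVILEGED:
            continue
        # Other activity by the same principal in the supplied window that touches logging.
        related = sorted({e["operationName"] for e in events
                          if e["caller"] == ev["caller"]
                          and e["operationName"].lower() in LOGGING_OPS})
        findings.append({"caller": ev["caller"], "role": PRIVILEGED[guid],
                         "time": ev["time"], "logging_changes": related})
    return findings

# Constructed sample records (simplified, flattened shape; every value is made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RA = "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-11111111111"
RD = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
OWNER, READER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "acdd72a7-3385-48ef-bd42-f606fba81ae7"
def _ev(time, caller, op, rid, role="", status="Succeeded"):
    return {"time": time, "caller": caller, "operationName": op,
            "resourceId": rid, "roleDefinitionId": role, "status": status}
SAMPLE = [
    _ev("2024-01-01T10:00:00Z", "a@example.com", ROLE_DELETE, SUB + RA + "1", RD + OWNER),
    _ev("2024-01-01T10:01:00Z", "b@example.com", ROLE_DELETE, SUB + "/resourceGroups/rg1" + RA + "2", RD + OWNER),
    _ev("2024-01-01T10:02:00Z", "b@example.com", ROLE_DELETE, SUB + RA + "3", RD + READER),
    _ev("2024-01-01T10:05:00Z", "a@example.com", "Microsoft.Insights/diagnosticSettings/delete", SUB + "/providers/Microsoft.Insights/diagnosticSettings/export"),
]
```

On the sample, `triage(SAMPLE)` reports only the Owner removal by `a@example.com`, together with that caller's diagnostic-settings deletion; real Activity Log exports nest status and role details differently, so map the fields before use.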
Azure Subscription Admin Role Unassigned