Azure AD Admin Account Creation

View all detections
Azure AD Admin Account Creation

Triggers

  • An account has been created with administrative privileges (TenantAdmins, PrivilegedRoleAdmins, ApplicationAdministrators) that provide broad access to the environment.
  • The threat score is statically assigned.
  • The certainty score is statically assigned.

Possible Root Causes

  • An attacker that has gained administrative rights has added additional administrative accounts to the environment as a back-up access method if their existing access is disabled or otherwise removed at a future date.
  • Existing legitimate administrators may add additional administrative users unintentionally or via social engineering.
  • A new, legitimate, administrative account was added.

Business Impact

  • Unauthorized administrative users have complete control within the environment, creating significant on-going risk to a broad range of resources.
  • Attackers with access to the identified administrative rights will be able to operate unfettered within the environment.
  • Attackers using multiple administrative accounts improve their resilience to an incident response and are able to silo operations to prevent the detection of a single compromised admin account from affecting access and actions undertaken from other compromised admin accounts.

Steps to Verify

  • Validate the administrative account was created according to organizational change control policies and that the access granted is appropriate and necessary