Azure AD Redundant Access Creation


Triggers

  • A service principal, application, or user has been provisioned membership in the ‘Privileged Role Administrator’ Azure AD role.

Possible Root Causes

  • An adversary has provisioned access into a sensitive role to create redundant access into the network.
  • In some cases, administrators performing deployment testing will grant the permissions associated with this role to an application or its related service principal.

Business Impact

  • Adversaries will create redundant access mechanisms so that they are able to continue to maintain persistence despite their primary access method being discovered and remediated.
  • Redundant access allows malicious activities to continue well beyond initial discovery and response phases, increasing risks to enterprise services or data.

Steps to Verify

  • Validate that this activity is not associated with authorized administrative testing activities.
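One way to reproduce both the trigger and the verification step from Azure AD audit logs, as an added example that is not part of this detection page: the records below are constructed in the shape of Microsoft Graph directoryAudit entries (the activity names, the Role.DisplayName property and the JSON-encoded newValue are assumptions to confirm against your own tenant's logs), and an allowlist of known deployment-testing actors implements the "authorized administrative testing" check.

```python
import json

WATCHED_ROLE = "Privileged Role Administrator"  # role named in the detection trigger
# Audit activity names for directory role assignment (assumed; confirm against your tenant's logs)
ROLE_ASSIGNMENT_ACTIVITIES = {"Add member to role", "Add eligible member to role"}

# Constructed sample records in the shape of Microsoft Graph directoryAudit entries (not real tenant data)
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-01-10T03:12:44Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "compromised.admin@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "unexpected.user@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Privileged Role Administrator\""}]}]},
    {"activityDateTime": "2024-01-10T09:30:01Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "deploy.admin@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "deploy-test-app",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Privileged Role Administrator\""}]}]},
    {"activityDateTime": "2024-01-10T10:02:17Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"displayName": "HR Provisioning"}},
     "targetResources": [{"type": "User", "userPrincipalName": "new.hire@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
]

def role_display_name(target):
    """Return the role recorded in a target's modifiedProperties; newValue is itself JSON-encoded."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
            return json.loads(prop["newValue"])
    return None

def find_redundant_access_events(events, authorized_actors=frozenset()):
    """Flag assignments into the watched role; actors on the allowlist (authorized testing) are skipped."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") not in ROLE_ASSIGNMENT_ACTIVITIES:
            continue
        initiated = ev.get("initiatedBy", {})
        actor = initiated.get("user") or initiated.get("app") or {}
        actor_name = actor.get("userPrincipalName") or actor.get("displayName") or "unknown"
        if actor_name in authorized_actors:
            continue
        for target in ev.get("targetResources", []):
            if role_display_name(target) == WATCHED_ROLE:
                findings.append({"time": ev.get("activityDateTime"), "actor": actor_name,
                                 "principal_type": target.get("type"),
                                 "principal": target.get("userPrincipalName") or target.get("displayName")})
    return findings
```

Each finding keeps the initiating actor alongside the provisioned principal, so the verification step becomes a comparison of the actor against change records rather than a guess from the role name alone.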