Skip to content

AZT502.1 - Account Creation: User Account Creation#

An adversary may create an application & service principal in Azure Active Directory

Resource

Azure Active Directory

Actions

  • microsoft.directory/users/create

Examples

New-AzADUser

az ad user create

POST https://graph.microsoft.com/v1.0/users

newuser

Detections

Logs#

Data Source Operation Name Action Log Provider
Azure Active Directory Add user microsoft.directory/users/create AuditLogs

Queries#

Platform Query
Log Analytics AuditLogs | where OperationName == 'Add user'

Azure Monitor Alert#

Deploy to Azure

Additional Resources

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal