Skip to content

AZT502.1 - Account Creation: User Account Creation#

An adversary may create an application & service principal in Azure Active Directory

Resource

Azure Active Directory

Actions

  • microsoft.directory/users/create

Examples

Detections

Logs#

Data Source Operation Name Action Log Location
Azure Active Directory Add user microsoft.directory/users/create AzureAD Audit Logs

Queries#

AuditLogs| where ActivityDisplayName == "Add user"