AZT502.1 - Account Creation: User Account Creation

An adversary may create an application & service principal in Azure Active Directory

Resource

Azure Active Directory

Actions

• microsoft.directory/users/create

Examples

Az PowerShellAzure CLIMicrosoft Graph APIAzure Portal

New-AzADUser

az ad user create

POST https://graph.microsoft.com/v1.0/users

Detections

Logs

Data Source	Operation Name	Action	Log Location
Azure Active Directory	Add user	microsoft.directory/users/create	AzureAD Audit Logs

Queries

Log Analytics

AuditLogs| where ActivityDisplayName == "Add user"

Additional Resources

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal