AZT401 - Privileged Identity Management Role
An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).
Resource
- Azure Active Directory
- Azure Resources
Actions
- RoleManagement.ReadWrite.Directory
- RoleManagement.Read.Directory
Examples
Detections
Logs
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Azure Active Directory | Add member to role requested (PIM activation) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
| Azure Active Directory | Add member to role completed (PIM activation) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
| Azure Active Directory | Add eligible member to role in PIM completed (permanent) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
| Azure Active Directory | Add eligible member to role in PIM requested (permanent) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
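The four operation names in the table are what a detection has to key on. The following is an added example (not part of the AZT401 page and not Microsoft code) that reads a constructed batch of Azure AD audit records shaped like Microsoft Graph `directoryAudit` entries, keeps only those PIM operations, and separates completed activations, permanent eligible assignments, and requests that never completed. The principals, timestamps and the `contoso.example` tenant are invented; the field names (`activityDateTime`, `operationName`, `initiatedBy`, `targetResources`) follow the Graph audit schema, and the `type` values `Role`/`User` on target resources are assumed.

```python
import json

# Operation names copied from the AZT401 detection table; every other
# operation in the feed is ignored by this example.
PIM_OPERATIONS = {
    "Add member to role requested (PIM activation)": ("activation", "requested"),
    "Add member to role completed (PIM activation)": ("activation", "completed"),
    "Add eligible member to role in PIM requested (permanent)": ("eligible_permanent", "requested"),
    "Add eligible member to role in PIM completed (permanent)": ("eligible_permanent", "completed"),
}

# Constructed sample audit entries shaped like Microsoft Graph directoryAudit
# records. Principals, times and the tenant domain are invented for this example.
SAMPLE_AUDIT_LOG = """
[
  {"activityDateTime": "2023-04-01T09:00:12Z",
   "operationName": "Add member to role requested (PIM activation)",
   "category": "RoleManagement", "loggedByService": "PIM", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
   "targetResources": [{"type": "Role", "displayName": "Global Administrator"},
                       {"type": "User", "userPrincipalName": "alice@contoso.example"}]},
  {"activityDateTime": "2023-04-01T09:00:15Z",
   "operationName": "Add member to role completed (PIM activation)",
   "category": "RoleManagement", "loggedByService": "PIM", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
   "targetResources": [{"type": "Role", "displayName": "Global Administrator"},
                       {"type": "User", "userPrincipalName": "alice@contoso.example"}]},
  {"activityDateTime": "2023-04-01T11:42:03Z",
   "operationName": "Update user",
   "category": "UserManagement", "loggedByService": "Core Directory", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
   "targetResources": [{"type": "User", "userPrincipalName": "dave@contoso.example"}]},
  {"activityDateTime": "2023-04-01T13:05:40Z",
   "operationName": "Add eligible member to role in PIM completed (permanent)",
   "category": "RoleManagement", "loggedByService": "PIM", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
   "targetResources": [{"type": "Role", "displayName": "Privileged Role Administrator"},
                       {"type": "User", "userPrincipalName": "carol@contoso.example"}]},
  {"activityDateTime": "2023-04-01T13:20:00Z",
   "operationName": "Add eligible member to role in PIM requested (permanent)",
   "category": "RoleManagement", "loggedByService": "PIM", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
   "targetResources": [{"type": "Role", "displayName": "Security Administrator"},
                       {"type": "User", "userPrincipalName": "carol@contoso.example"}]}
]
"""


def parse_pim_events(raw_json):
    """Return the PIM role-management events from a JSON list of audit records,
    with actor, role and target principal pulled out of the nested fields."""
    events = []
    for rec in json.loads(raw_json):
        classification = PIM_OPERATIONS.get(rec.get("operationName"))
        if classification is None:
            continue  # not one of the PIM operations in the detection table
        kind, stage = classification
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        targets = rec.get("targetResources", [])
        role = next((t.get("displayName") for t in targets if t.get("type") == "Role"), None)
        user = next((t.get("userPrincipalName") for t in targets if t.get("type") == "User"), None)
        events.append({"time": rec.get("activityDateTime"), "actor": actor, "kind": kind,
                       "stage": stage, "role": role, "target": user, "result": rec.get("result")})
    return events


def summarize(events):
    """Split events into what a reviewer checks first: who actually activated a role,
    who was handed standing eligibility, and which requests have no matching completion."""
    summary = {"completed_activations": [], "permanent_eligibility": [], "pending_requests": []}
    completed = {(e["actor"], e["kind"], e["role"], e["target"])
                 for e in events if e["stage"] == "completed"}
    for e in events:
        if e["stage"] == "completed" and e["kind"] == "activation":
            summary["completed_activations"].append((e["actor"], e["role"]))
        elif e["stage"] == "completed" and e["kind"] == "eligible_permanent":
            summary["permanent_eligibility"].append((e["actor"], e["target"], e["role"]))
        elif e["stage"] == "requested" and (e["actor"], e["kind"], e["role"], e["target"]) not in completed:
            summary["pending_requests"].append((e["actor"], e["kind"], e["role"]))
    return summary


if __name__ == "__main__":
    for bucket, items in summarize(parse_pim_events(SAMPLE_AUDIT_LOG)).items():
        print(bucket, items)
```

The "requested"/"completed" pairing matters because PIM writes both entries for one activation: alerting on "requested" alone double-counts, while alerting only on "completed" misses approval-gated requests that are still open. Permanent eligible assignments are listed separately because they change who can escalate in future rather than who is privileged now.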
Detection Screenshots
Additional Resources
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-apis