AZT401 - Privileged Identity Management Role

An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).

Resource

  • Azure Active Directory
  • Azure Resources

Actions

  • RoleManagement.ReadWrite.Directory
  • RoleManagement.Read.Directory

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Azure Active Directory | Add member to role requested (PIM activation) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
| Azure Active Directory | Add member to role completed (PIM activation) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
| Azure Active Directory | Add eligible member to role in PIM completed (permanent) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
| Azure Active Directory | Add eligible member to role in PIM requested (permanent) | RoleManagement.ReadWrite.Directory | PIM Audit Logs |
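
The four operation names in the table fall into two groups a responder treats differently: a PIM activation is a time-bound use of an eligibility the account already holds, while a permanent eligibility grant changes who can activate in future. The following Python is an added example (not part of the ATRM page) that classifies exported audit records by those names and pairs each actor's requested/completed events; it assumes the Microsoft Graph `auditLogs/directoryAudits` JSON shape, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Operation names from the detection table. An activation is a time-bound use of
# an existing eligibility; a permanent eligibility grant changes who may activate.
ACTIVATIONS = {"Add member to role requested (PIM activation)",
               "Add member to role completed (PIM activation)"}
ELIGIBILITY_GRANTS = {"Add eligible member to role in PIM requested (permanent)",
                      "Add eligible member to role in PIM completed (permanent)"}

# Constructed sample in the shape of a Graph auditLogs/directoryAudits export.
SAMPLE_AUDIT_JSON = json.dumps({"value": [
    {"activityDisplayName": "Add member to role requested (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Global Administrator"}]},
    {"activityDisplayName": "Add member to role completed (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Global Administrator"}]},
    {"activityDisplayName": "Add eligible member to role in PIM completed (permanent)",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Security Administrator"}]},
    {"activityDisplayName": "Update user",  # unrelated directory event, must be ignored
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Dave"}]},
]})

def classify(record):
    """Return 'activation', 'eligibility_grant' or None for one audit record."""
    name = record.get("activityDisplayName", "")
    if name in ACTIVATIONS:
        return "activation"
    return "eligibility_grant" if name in ELIGIBILITY_GRANTS else None

def summarize_pim_events(audit_json):
    """Group PIM events by (actor, roles); a request without a completion is pending or denied."""
    events = defaultdict(lambda: dict(activation_requested=False,
                                      activation_completed=False, eligibility_granted=False))
    for rec in json.loads(audit_json)["value"]:
        kind = classify(rec)
        if kind is None:
            continue  # not one of the PIM operations in the table
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        roles = ", ".join(t.get("displayName", "?") for t in rec.get("targetResources", []))
        entry = events[(actor, roles)]
        completed = "completed" in rec["activityDisplayName"]
        if kind == "activation":
            entry["activation_completed" if completed else "activation_requested"] = True
        elif completed:
            entry["eligibility_granted"] = True
    return dict(events)
```

A completed permanent grant to a highly privileged role is worth reviewing even when no activation follows, because it is a standing change to who can escalate later.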

Detection Screenshots

[Screenshot: directory audit logs (image not reproduced)]