AZT402 - Elevated Access Toggle

An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator

Resource

Azure Active Directory

Actions

• Microsoft.Authorization/elevateAccess/action

Examples

Azure CLIAzure REST APIAzure Portal

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

POST https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Azure Active Directory	Assigns the caller to User Access Administrator role	Microsoft.Authorization/elevateAccess/action	AuditLogs

Detection Screenshots

Queries

Platform	Query
Log Analytics	AuditLogs | where ActivityDisplayName == 'Assigns the caller to User Access Administrator role'

Azure Monitor Alert

Additional Resources

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin