AZT402 - Elevated Access Toggle
An adversary who is a global administrator may escalate their privileges from Azure AD to all Azure subscriptions in the tenant.
Resource
Azure Active Directory
Actions
- Microsoft.Authorization/elevateAccess/action
Examples
Detections
Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Azure Active Directory | Assigns the caller to User Access Administrator role | Microsoft.Authorization/elevateAccess/action | AuditLogs |
Detection Screenshots
Queries
| Platform | Query |
|---|---|
| Log Analytics | `AuditLogs \| where ActivityDisplayName == 'Assigns the caller to User Access Administrator role'` |
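
A triage-oriented extension of the Log Analytics query above, added here as an example and not part of the original page: it lists who elevated and from where, and counts role assignment writes by the same caller shortly afterwards. It goes beyond the page's query by assuming the AzureActivity table is collected in the same workspace and that `InitiatedBy` carries the caller's UPN for this event; the `lookback` and `followWindow` values are illustrative.

```kql
// Added example: triage view built on the page's AuditLogs filter.
let lookback = 30d;       // assumption: adjust to the workspace's retention
let followWindow = 1h;    // assumption: how long after elevation to look for role writes
// Elevation events, using the ActivityDisplayName given on this page.
let elevations = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where ActivityDisplayName == 'Assigns the caller to User Access Administrator role'
    | extend Actor   = tolower(tostring(InitiatedBy.user.userPrincipalName)),
             ActorIp = tostring(InitiatedBy.user.ipAddress)
    | project ElevatedAt = TimeGenerated, Actor, ActorIp, Result, CorrelationId;
// Role assignment writes recorded in the subscription activity log.
let roleWrites = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ 'Microsoft.Authorization/roleAssignments/write'
    | project AssignedAt = TimeGenerated, Actor = tolower(Caller), SubscriptionId;
elevations
// leftouter keeps every elevation, including those with no follow-on role write.
| join kind=leftouter roleWrites on Actor
| extend InWindow = isnotnull(AssignedAt)
                    and AssignedAt between (ElevatedAt .. (ElevatedAt + followWindow))
| summarize RoleWrites    = countif(InWindow),
            Subscriptions = make_set_if(SubscriptionId, InWindow)
         by ElevatedAt, Actor, ActorIp, Result, CorrelationId
| order by ElevatedAt desc
```

Rows with `RoleWrites` greater than zero show an elevation that was followed by new role assignments, with the affected subscriptions listed in `Subscriptions`.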