AZT402 - Elevated Access Toggle

An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator

Resource

Azure Active Directory

Actions

• Microsoft.Authorization/elevateAccess/action

Examples

Azure CLIAzure REST APIAzure Portal

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

POST https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01

Detections

Logs

Data Source	Operation Name	Action	Log Location
Azure Active Directory	Assigns the caller to User Access Administrator role	Microsoft.Authorization/elevateAccess/action	AzureAD Audit Logs

Queries

Log Analytics

| where ActivityDisplayName == "Assigns the caller to User Access Administrator role"

Detection Screenshots

Additional Resources

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin