AZT402 - Elevated Access Toggle
An adversary who is a Global Administrator may escalate their privileges from Azure AD to all Azure subscriptions in the tenant.
Resource
Azure Active Directory
Actions
- Microsoft.Authorization/elevateAccess/action
Examples
Detections
Logs
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Azure Active Directory | Assigns the caller to User Access Administrator role | Microsoft.Authorization/elevateAccess/action | AzureAD Audit Logs |
Queries
AuditLogs
| where ActivityDisplayName == "Assigns the caller to User Access Administrator role"
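The following is an added example, not part of the original page. It extends the filter above into a triage query that pulls out who toggled elevated access and from where, and separates callers on an approved list from everyone else. The `Events` datatable holds constructed sample rows shaped like the `AuditLogs` table, and `ApprovedCallers` and the account names are hypothetical.

```kusto
// Constructed sample rows shaped like the AuditLogs table.
// In a Log Analytics workspace, replace the datatable with: let Events = AuditLogs;
let Events = datatable(TimeGenerated:datetime, ActivityDisplayName:string, Result:string,
                       CorrelationId:string, InitiatedBy:dynamic)
[
    datetime(2024-01-10 08:15:00), "Assigns the caller to User Access Administrator role", "success",
        "00000000-0000-0000-0000-000000000001",
        dynamic({"user":{"userPrincipalName":"breakglass@example.com","ipAddress":"192.0.2.10"}}),
    datetime(2024-01-11 23:42:00), "Assigns the caller to User Access Administrator role", "success",
        "00000000-0000-0000-0000-000000000002",
        dynamic({"user":{"userPrincipalName":"admin1@example.com","ipAddress":"198.51.100.7"}}),
    datetime(2024-01-11 23:50:00), "Assigns the caller to User Access Administrator role", "success",
        "00000000-0000-0000-0000-000000000003",
        dynamic({"user":{"userPrincipalName":"admin1@example.com","ipAddress":"203.0.113.25"}}),
    datetime(2024-01-12 09:00:00), "Update user", "success",
        "00000000-0000-0000-0000-000000000004",
        dynamic({"user":{"userPrincipalName":"admin2@example.com","ipAddress":"192.0.2.44"}})
];
// Assumption: accounts that are expected to use the toggle (hypothetical list, lower case).
let ApprovedCallers = dynamic(["breakglass@example.com"]);
Events
// Same filter as the query on this page.
| where ActivityDisplayName == "Assigns the caller to User Access Administrator role"
// The caller is recorded in the InitiatedBy dynamic column.
| extend Caller   = tolower(tostring(InitiatedBy.user.userPrincipalName)),
         CallerIp = tostring(InitiatedBy.user.ipAddress)
| extend Approved = Caller in (ApprovedCallers)
// One row per caller and outcome, with the time window and every source IP seen.
| summarize Elevations     = count(),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated),
            SourceIps      = make_set(CallerIp),
            CorrelationIds = make_set(CorrelationId)
         by Caller, Approved, Result
// Unapproved callers first, most recent activity at the top.
| order by Approved asc, LastSeen desc
```

With the sample rows, `admin1@example.com` comes back first as an unapproved caller with two elevations from two source IPs, followed by the approved `breakglass@example.com`.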