Skip to content

AZT402 - Elevated Access Toggle#

An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator

Resource

Azure Active Directory

Actions

  • Microsoft.Authorization/elevateAccess/action

Detections

Logs#

Data Source Operation Name Action Log Location
Azure Active Directory Assigns the caller to User Access Administrator role Microsoft.Authorization/elevateAccess/action AzureAD Audit Logs

Queries#

| where ActivityDisplayName == "Assigns the caller to User Access Administrator role"

Detection Screenshots#

monitorlogs