Guest Made Eligible for PIM Admin Role [RULE-1152]
This rule detects when a guest (external) user is made eligible for a PIM administrative role within your Microsoft Entra ID environment. This means an account from outside your organization has been granted the ability to activate high-privilege administrative roles through Privileged Identity Management.
Rationale
Guest accounts in Microsoft Entra ID represent users from external organizations or personal accounts that have been invited into your tenant. While guest access is a legitimate collaboration feature, granting a guest user eligibility for a PIM administrative role is an extremely high-risk action that should rarely, if ever, occur in a production environment.
Attackers who compromise a privileged account frequently attempt to create persistence mechanisms that are difficult to detect. Making an external guest account eligible for a PIM admin role is a particularly stealthy technique because guest accounts may not be subject to the same monitoring and access reviews as internal accounts. The external account resides in a different tenant, giving the attacker a foothold that cannot be remediated by resetting passwords or revoking credentials within the compromised tenant alone. This technique maps to MITRE ATT&CK T1098.001 (Account Manipulation: Additional Cloud Credentials) and T1078.004 (Valid Accounts: Cloud Accounts).
The combination of external identity and PIM eligibility is highly suspicious. Even in scenarios where external consultants require administrative access, best practice is to provision a dedicated internal account rather than granting admin privileges to a guest identity. Any guest PIM eligibility should be treated as a high-severity alert requiring immediate investigation.
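As an added illustration (not part of the rule's own logic or Attic's code), the following Python applies the detection described above to constructed Entra audit-log entries: it flags a successful PIM eligibility assignment whose target user is a guest and ignores internal users and non-PIM guest events. The activity names, the "#EXT#" marker in guest UPNs, the optional userType enrichment and the field layout are assumptions modelled on the Entra audit log format.

```python
# Entra audit-log activity names that record a PIM eligibility assignment
# (assumed names following the Entra audit log convention; adjust to your tenant)
PIM_ELIGIBLE_ACTIVITIES = {
    "Add eligible member to role in PIM completed (permanent)",
    "Add eligible member to role in PIM completed (timebound)",
}

def is_guest(target: dict) -> bool:
    # B2B guests carry the '#EXT#' marker Entra inserts into guest UPNs; an optional
    # userType field (from a directory lookup enrichment) is honoured when present.
    upn = target.get("userPrincipalName", "")
    return target.get("userType") == "Guest" or "#EXT#@" in upn.upper()

def detect_guest_pim_eligibility(entries: list) -> list:
    # One finding per successful PIM eligibility assignment whose target is a guest.
    findings = []
    for entry in entries:
        if (entry.get("activityDisplayName") not in PIM_ELIGIBLE_ACTIVITIES
                or entry.get("result") != "success"):
            continue
        targets = entry.get("targetResources", [])
        role = next((t.get("displayName") for t in targets if t.get("type") == "Role"), "<unknown>")
        actor = entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        for t in targets:
            if t.get("type") == "User" and is_guest(t):
                findings.append({"time": entry.get("activityDateTime"), "actor": actor,
                                 "guest": t.get("userPrincipalName"), "role": role})
    return findings

# Constructed sample entries (not real tenant data): a guest made eligible (flagged),
# an internal user made eligible and a guest added to a group (both ignored).
SAMPLE_ENTRIES = [
    {"activityDateTime": "2024-05-01T10:00:00Z", "result": "success",
     "activityDisplayName": "Add eligible member to role in PIM completed (permanent)",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob_partner.example#EXT#@contoso.example"},
                         {"type": "Role", "displayName": "Global Administrator"}]},
    {"activityDateTime": "2024-05-01T10:05:00Z", "result": "success",
     "activityDisplayName": "Add eligible member to role in PIM completed (timebound)",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"},
                         {"type": "Role", "displayName": "User Administrator"}]},
    {"activityDateTime": "2024-05-01T10:10:00Z", "result": "success",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob_partner.example#EXT#@contoso.example"},
                         {"type": "Group", "displayName": "Project-Partners"}]},
]
```

Only the first sample entry produces a finding; the actor, guest UPN and role it records are the starting point for the follow-up steps below.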
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the PIM eligibility assignment for the guest user was intentionally performed by an authorized administrator. Confirm with the IT security team whether a deliberate decision was made to grant an external user administrative access.
- If no: The PIM eligibility assignment was not authorized and may indicate a compromised account or malicious activity:
  - Immediately remove the guest user's PIM eligibility via the Entra admin center under Identity > Roles & admins > select the role > Eligible assignments.
  - Remove or block the guest account from the tenant entirely if it is not required for other purposes.
  - Investigate the administrator account that performed the assignment: block sign-in, revoke sessions, and review recent activity and authentication methods for indicators of compromise.
  - Contact the Attic IR team for a thorough investigation to determine the full scope of the incident. An IR Credit Pack is required for this service.
- If yes: The PIM eligibility assignment was intentionally performed:
  - Evaluate whether the external user truly requires PIM eligibility, or whether a dedicated internal account would be more appropriate. Guest accounts with admin roles represent an elevated risk that should be avoided where possible.
  - If the guest PIM eligibility is justified and approved by security leadership: close the incident and ensure regular access reviews are configured for this assignment.