User Added to Tier0 Role (non-PIM) [RULE-1141]
This rule detects when a user is permanently added to a Tier0 role with very high privileges outside of Privileged Identity Management (PIM). Tier0 roles, such as Global Administrator, Privileged Role Administrator, and Privileged Authentication Administrator, grant near-complete control over the Microsoft 365 environment. Unlike PIM-based assignments, which are time-bound, non-PIM role assignments are permanent and do not expire.
Rationale
Tier0 roles provide near-total control over your infrastructure. Permanent (non-PIM) assignments create a massive attack surface because these privileges never expire and are always active. It is a standard adversary tactic (MITRE T1098 & T1078.004) to use compromised role-management capabilities to assign these permanent rights. This allows them to establish an immediate, persistent backdoor that entirely bypasses your security workflows. If an unauthorized user successfully secures a permanent Tier0 role, your environment is effectively "owned." This is a critical, high-priority alert requiring immediate investigation.
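As an added illustration, not the vendor's rule implementation, the following Python runs this check over a batch of Entra ID directory audit events: it flags a direct "Add member to role" event targeting a Tier0 role that was not logged by the PIM service. The audit-event field layout and the sample events are constructed assumptions for this example.

```python
import json

# Tier0 roles named on the page. The audit-log field layout (activityDisplayName,
# loggedByService, initiatedBy, targetResources, modifiedProperties) follows
# Entra ID directory audit logs and is an assumption of this example.
TIER0_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}

def role_name(event):
    """Role.DisplayName from modifiedProperties; newValue is a JSON-encoded string."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop.get("newValue", "null"))
    return None

def is_permanent_tier0_assignment(event):
    """True for a direct (non-PIM) membership add to a Tier0 role."""
    if event.get("activityDisplayName") != "Add member to role":
        return False
    if event.get("loggedByService") == "PIM":  # PIM activations and eligible adds
        return False
    return role_name(event) in TIER0_ROLES

def detect(events):
    """Run the check over a batch of audit events and return alert records."""
    return [{
        "rule": "RULE-1141",
        "actor": ev["initiatedBy"]["user"]["userPrincipalName"],
        "target": ev["targetResources"][0]["userPrincipalName"],
        "role": role_name(ev),
    } for ev in events if is_permanent_tier0_assignment(ev)]

def make_event(activity, service, actor, target, role):
    """Constructed audit event (sample data, not from a real tenant)."""
    return {"activityDisplayName": activity, "loggedByService": service,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target, "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role)}]}]}

# Constructed sample: a direct Tier0 add (fires), a PIM activation (does not),
# and a direct add to a non-Tier0 role (does not).
SAMPLE_EVENTS = [
    make_event("Add member to role", "Core Directory", "admin@example.com", "alice@example.com", "Global Administrator"),
    make_event("Add member to role completed (PIM activation)", "PIM", "bob@example.com", "bob@example.com", "Global Administrator"),
    make_event("Add member to role", "Core Directory", "admin@example.com", "carol@example.com", "User Administrator"),
]
```

Running `detect(SAMPLE_EVENTS)` yields a single alert for alice@example.com; the actor field is what the follow-up steps below refer to as the administrator who performed the assignment.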
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the Tier0 role assignment was intentionally performed by an authorized administrator. Confirm with the IT security team or the administrator listed in the alert whether this change was planned and approved.
- If no: The role assignment was not authorized and may indicate a compromised account:
  - Immediately remove the user from the Tier0 role via the Entra admin center under Identity > Roles & admins.
  - Block sign-in for both the user who was assigned the role and the administrator account that performed the assignment, and revoke all active sessions.
  - Investigate authentication methods and recent activity for both accounts to determine the scope of compromise.
  - Contact the Attic IR team for a thorough investigation. An IR Credit Pack is required for this service.
- If yes: The role assignment was intentionally performed:
  - Evaluate whether the assignment should be converted to a PIM eligible assignment instead of a permanent role. Permanent Tier0 access should be limited to break-glass accounts only.
  - If the permanent assignment is justified and in accordance with policy: close the incident.