User Added to Tier0 Role (PIM) [RULE-1140]
This rule detects when a user is added to a Tier0 role with very high privileges through Privileged Identity Management (PIM). Tier0 roles include roles such as Global Administrator, Privileged Role Administrator, and Privileged Authentication Administrator, which grant near-complete control over the Microsoft 365 environment.
Rationale
Tier0 roles represent the highest level of privilege within a Microsoft Entra ID environment. These roles have the ability to manage all aspects of the tenant, including modifying security configurations, managing other administrators, and accessing all data. Because of their power, Tier0 role assignments are a high-value target for attackers.
An attacker who has compromised an account with sufficient privileges may elevate another account -- or their own -- to a Tier0 role to establish persistent control over the environment. This technique maps to MITRE ATT&CK T1098 (Account Manipulation) and T1078.004 (Valid Accounts: Cloud Accounts). Even when performed through PIM, which provides time-limited role activations, a new eligible assignment to a Tier0 role warrants immediate investigation.
Unauthorized Tier0 role assignments can give an attacker the ability to disable security controls, exfiltrate data, create backdoor accounts, and effectively take full ownership of the tenant. Early detection of these changes is essential to preventing a full-scale compromise.
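The following Python is an added example, not the rule's own detection logic (the page does not show the query behind RULE-1140). It applies the conditions described above to a few constructed audit records: only operations logged by PIM count, only completed assignments (not pending requests awaiting approval) count, and the target role must be one of the Tier0 roles named on this page. The record layout follows the Microsoft Entra audit log schema (activityDisplayName, loggedByService, initiatedBy, targetResources), the exact PIM activity names are assumptions, and the user names and timestamps are invented. Matching is done on the role display name because that is what the page lists; in production the immutable role template ID is the more robust key.

```python
"""Flag PIM operations that add a user to a Tier0 role (added example).

Field names follow the Microsoft Entra audit log schema; the PIM activity
names below and every sample value are constructed for illustration.
"""
from dataclasses import dataclass

# Tier0 roles as named on the page; matched case-insensitively on display name.
TIER0_ROLES = {
    "global administrator",
    "privileged role administrator",
    "privileged authentication administrator",
}

# Assumed PIM activity names. Only a *completed* assignment creates an
# eligible or active assignment; a "requested" entry is still pending approval.
PIM_ASSIGNMENT_PREFIXES = (
    "add eligible member to role in pim completed",
    "add member to role in pim completed",
)


@dataclass(frozen=True)
class Tier0Alert:
    actor: str            # administrator who performed the assignment
    target_user: str      # user who received the role
    role: str
    assignment_type: str  # "eligible" or "active"
    timestamp: str


def _resources_of_type(record, kind):
    return [r for r in record.get("targetResources", []) if r.get("type") == kind]


def evaluate(record):
    """Return a Tier0Alert for a completed PIM assignment to a Tier0 role, else None."""
    if record.get("loggedByService") != "PIM":
        return None  # direct role changes are covered by other rules
    activity = record.get("activityDisplayName", "").lower()
    if not activity.startswith(PIM_ASSIGNMENT_PREFIXES):
        return None  # removal, activation, or a request still awaiting approval
    roles = [r.get("displayName", "") for r in _resources_of_type(record, "Role")]
    tier0 = [r for r in roles if r.lower() in TIER0_ROLES]
    if not tier0:
        return None
    users = _resources_of_type(record, "User")
    target = users[0].get("userPrincipalName", "<unknown>") if users else "<unknown>"
    actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
    assignment_type = "eligible" if "eligible member" in activity else "active"
    return Tier0Alert(actor, target, tier0[0], assignment_type, record.get("activityDateTime", ""))


def scan(records):
    """Evaluate every record and return the alerts that fired, in log order."""
    return [a for a in (evaluate(r) for r in records) if a is not None]


def _record(activity, service, actor, target, role, when):
    return {
        "activityDateTime": when,
        "activityDisplayName": activity,
        "category": "RoleManagement",
        "loggedByService": service,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [
            {"type": "User", "userPrincipalName": target},
            {"type": "Role", "displayName": role},
        ],
    }


# Constructed sample records (invented tenant, users and times).
SAMPLE_RECORDS = [
    # 1: completed eligible assignment to Global Administrator -> alert
    _record("Add eligible member to role in PIM completed (permanent)", "PIM",
            "admin.alice@contoso.example", "bob@contoso.example",
            "Global Administrator", "2024-05-01T10:15:00Z"),
    # 2: eligible assignment to a non-Tier0 role -> no alert
    _record("Add eligible member to role in PIM completed (permanent)", "PIM",
            "admin.alice@contoso.example", "carol@contoso.example",
            "Helpdesk Administrator", "2024-05-01T10:16:00Z"),
    # 3: Tier0 assignment only requested, approval still pending -> no alert yet
    _record("Add eligible member to role in PIM requested (permanent)", "PIM",
            "admin.alice@contoso.example", "dave@contoso.example",
            "Global Administrator", "2024-05-01T10:17:00Z"),
    # 4: direct role add outside PIM -> out of scope for this rule
    _record("Add member to role", "Core Directory",
            "admin.alice@contoso.example", "erin@contoso.example",
            "Global Administrator", "2024-05-01T10:18:00Z"),
    # 5: completed time-bound active assignment to a Tier0 role -> alert
    _record("Add member to role in PIM completed (timebound)", "PIM",
            "svc.automation@contoso.example", "frank@contoso.example",
            "Privileged Role Administrator", "2024-05-01T10:19:00Z"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"{alert.timestamp} {alert.actor} granted {alert.assignment_type} "
              f"{alert.role} to {alert.target_user}")
```

Records 1 and 5 fire; 2 is not Tier0, 3 is still pending approval, and 4 did not go through PIM. Keeping the actor and the target user in the alert is what lets the follow-up below act on both accounts.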
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the Tier0 role assignment was intentionally performed by an authorized administrator. Confirm with the IT security team or the administrator listed in the alert whether this change was planned and approved.
- If no: The role assignment was not authorized and may indicate a compromised account:
  - Immediately remove the user from the Tier0 role via the Entra admin center under Identity > Roles & admins.
  - Block sign-in for both the user who was assigned the role and the administrator account that performed the assignment, and revoke all active sessions.
  - Investigate authentication methods and recent activity for both accounts to determine the scope of compromise.
  - Contact the Attic IR team for a thorough investigation. An IR Credit Pack is required for this service.
- If yes: The role assignment was intentionally performed:
  - Verify that the assignment follows internal policies for Tier0 role management. Ensure that PIM is configured with appropriate time limits and approval workflows.
  - If the assignment is in accordance with policy: close the incident.