
User Becomes Admin (Non-PIM) [RULE-1131]

This rule detects when a user is granted high privileges for the first time through a direct (non-PIM) role assignment in Microsoft Entra ID. This means the role was assigned permanently outside of Privileged Identity Management, giving the user continuous administrative access without time limits or activation requirements.

Rationale

Permanent admin rights significantly increase your attack surface. A common adversary tactic (MITRE T1098.003 - Account Manipulation) is to elevate a compromised, regular user account to permanent administrative status. This acts as a backdoor (persistence mechanism), allowing attackers to embed themselves indefinitely. If left unnoticed, the attacker maintains total control over the environment—essentially "owning" the network—even if their initial entry point is discovered and blocked. Because of this severe risk, any direct role assignment requires immediate verification.

Follow-up

Follow these steps to adequately address this detection:

  1. Verify with the administrator listed in the alert whether they intentionally granted high privileges to the user. Check if there is a documented change request or business justification for the role assignment.

    • If no: The privilege escalation was not authorized and may indicate a compromised administrator account:

      1. Immediately remove the user from the high privilege role via the Entra admin center under Roles and administrators.
      2. Investigate the administrator account that performed the role assignment: review sign-in logs for suspicious activity, check for unfamiliar IP addresses or locations, and revoke active sessions.
      3. Review the Unified Audit Log at security.microsoft.com for additional unauthorized changes made by either the newly elevated account or the administrator who performed the assignment.
      4. If the administrator account appears compromised, reset its credentials and enforce MFA re-registration. Contact Attic for incident response support if the scope of compromise extends beyond the identified accounts.
    • If yes: The role assignment was intentional:

      1. Verify that the assignment aligns with your organization's security policies. Recommend migrating the assignment to Privileged Identity Management (PIM) for time-limited, auditable access instead of a permanent direct assignment.
      2. If the assignment is acceptable and documented: close the incident. Ensure the new administrator has appropriate MFA configured and is trained on their responsibilities.
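The detection described at the top of this page (a first-time, direct, non-PIM assignment of a privileged role) and follow-up step 3 (pivoting on the same audit log for other changes by the administrator or the elevated account) can both be worked through on sample data. The example below is added here and is not Attic's rule logic or Microsoft code; the record shape follows the Entra ID audit log fields (`operationName`, `initiatedBy`, `targetResources`, `modifiedProperties`), while the privileged-role list, the `MS-PIM` initiator check, the 24-hour pivot window and every record in `SAMPLE_RECORDS` are constructed assumptions for illustration.

```python
"""Detect a first-time direct (non-PIM) privileged role assignment in
constructed Entra ID audit records, then pivot on the same log for related
changes. Field names follow the Entra audit log schema; roles, PIM markers,
window size and all sample records are assumptions made for this example."""
import json
from datetime import datetime, timedelta

# Roles treated as high privilege here; align with your own policy (assumption).
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Exchange Administrator", "Security Administrator",
}


def _rec(time, op, initiated_by, target_upn, role=None):
    """Build one constructed audit record in the Entra audit-log shape."""
    props = []
    if role is not None:
        # In audit logs Role.DisplayName's newValue is a JSON-encoded string
        props.append({"displayName": "Role.DisplayName", "newValue": json.dumps(role)})
    return {"activityDateTime": time, "operationName": op, "initiatedBy": initiated_by,
            "targetResources": [{"type": "User", "userPrincipalName": target_upn,
                                 "modifiedProperties": props}]}


ADMIN = {"user": {"userPrincipalName": "admin@example.test"}}   # constructed
PIM = {"app": {"displayName": "MS-PIM"}}                         # PIM service initiator

SAMPLE_RECORDS = [  # constructed, not real tenant data
    _rec("2024-05-01T08:00:00Z", "Add member to role completed (PIM activation)",
         PIM, "alice@example.test", "Global Administrator"),         # PIM: ignore
    _rec("2024-05-01T09:15:00Z", "Add member to role", ADMIN,
         "bob@example.test", "Exchange Administrator"),              # direct: alert
    _rec("2024-05-01T09:20:00Z", "Update user", ADMIN, "carol@example.test"),
    _rec("2024-05-01T10:00:00Z", "Add member to role", ADMIN,
         "dave@example.test", "Directory Readers"),                  # not privileged
    _rec("2024-05-02T11:00:00Z", "Add member to role", ADMIN,
         "bob@example.test", "Exchange Administrator"),              # not first time
    _rec("2024-05-03T12:00:00Z", "Update user",
         {"user": {"userPrincipalName": "bob@example.test"}}, "erin@example.test"),
]


def _role_name(record):
    """Return the role named in Role.DisplayName, or None for non-role events."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                return json.loads(prop["newValue"])
    return None


def _initiator(record):
    """UPN of the initiating user, or display name of the initiating app."""
    by = record.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName")
    if by.get("app"):
        return by["app"].get("displayName")
    return None


def is_direct_privileged_assignment(record):
    """True for a permanent role add of a privileged role made outside PIM."""
    if record.get("operationName") != "Add member to role":
        return False          # PIM activations use a distinct operation name
    if _initiator(record) == "MS-PIM":
        return False          # belt and braces: PIM-driven changes are excluded
    return _role_name(record) in PRIVILEGED_ROLES


def detect_first_time_direct_admin(records):
    """Emit one alert per (user, role) pair the first time it is assigned directly."""
    seen, alerts = set(), []
    for rec in sorted(records, key=lambda r: r["activityDateTime"]):
        if not is_direct_privileged_assignment(rec):
            continue
        user, role = rec["targetResources"][0]["userPrincipalName"], _role_name(rec)
        if (user, role) in seen:
            continue
        seen.add((user, role))
        alerts.append({"time": rec["activityDateTime"], "user": user,
                       "role": role, "admin": _initiator(rec)})
    return alerts


def related_changes(records, alert, window_hours=24):
    """Follow-up step 3: other operations by the assigning admin or the newly
    elevated user within +/- window_hours of the alert (the alert itself excluded)."""
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    centre, window = ts(alert["time"]), timedelta(hours=window_hours)
    actors = {alert["admin"], alert["user"]}
    out = []
    for rec in records:
        if abs(ts(rec["activityDateTime"]) - centre) > window:
            continue
        if rec["activityDateTime"] == alert["time"] and _role_name(rec) == alert["role"]:
            continue
        targets = {t.get("userPrincipalName") for t in rec.get("targetResources", [])}
        if _initiator(rec) in actors or targets & actors:
            out.append((rec["activityDateTime"], rec["operationName"], _initiator(rec)))
    return out


if __name__ == "__main__":
    for alert in detect_first_time_direct_admin(SAMPLE_RECORDS):
        print("ALERT", alert)
        for change in related_changes(SAMPLE_RECORDS, alert):
            print("  related:", change)
```

On the constructed data only Bob's Exchange Administrator assignment fires: Alice's change came through PIM, Dave's role is not in the privileged set, and Bob's second assignment is no longer a first occurrence. The pivot then surfaces the admin's two other changes within the window, which is the material step 3 asks you to review before deciding whether the administrator account itself is compromised.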

More information