User Becomes Admin (PIM) [RULE-1142]
This rule detects when a user is granted high administrative privileges for the first time through Privileged Identity Management (PIM). This includes assignments to roles such as Exchange Administrator, SharePoint Administrator, Security Administrator, and other elevated roles that grant significant control over parts of the Microsoft 365 environment.
Rationale
When a user receives administrative privileges for the first time, this represents a significant change in that user's access level. This is often a legitimate action (for example, when a new IT staff member is onboarded or responsibilities are reassigned), but it can also be an indicator of account compromise or insider threat activity.
An attacker who has gained access to an account with Privileged Role Administrator or Global Administrator permissions may promote additional accounts to administrative roles to establish multiple footholds within the environment. By elevating previously non-privileged accounts, the attacker creates redundant access paths that survive the remediation of any single compromised account. This technique is categorized under MITRE ATT&CK T1098 (Account Manipulation) and T1078 (Valid Accounts).
First-time administrative role assignments are particularly noteworthy because they indicate a departure from a user's established access pattern. Detecting these transitions enables organizations to validate that privilege escalation is deliberate and sanctioned, rather than the result of unauthorized activity.
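The detection logic described above, as an added illustration that is not the vendor's rule implementation: a small Python detector that replays role-management audit events in chronological order and raises one alert the first time a principal receives any of the administrative roles. The event shape, the activity names and the sample principals are constructed assumptions that only loosely resemble Microsoft Entra audit log entries (real events nest the target user and role under targetResources), and the roles beyond the three named on the page are assumptions about what a deployment would add to the list.

```python
"""Toy first-time-admin detector (added example, not the vendor's rule code).

Event shape is a constructed, flattened approximation of an Entra audit entry:
    {"time": ISO-8601 UTC string, "activity": str, "actor": UPN,
     "target": UPN, "role": role display name}
"""

# Roles treated as "high administrative privileges". The first three are named
# on the page; the remaining two are assumptions for this example.
ADMIN_ROLES = {
    "Exchange Administrator",
    "SharePoint Administrator",
    "Security Administrator",
    "Global Administrator",
    "Privileged Role Administrator",
}

# Audit activity names taken to mean a role was actually granted. Constructed to
# resemble PIM activity names; treat the exact strings as assumptions.
GRANT_ACTIVITIES = {
    "Add member to role completed (PIM activation)",
    "Add eligible member to role completed (permanent)",
    "Add member to role",
}


def is_admin_grant(event):
    """True when the event grants one of the monitored administrative roles."""
    return event["activity"] in GRANT_ACTIVITIES and event["role"] in ADMIN_ROLES


def detect_first_time_admins(events, known_admins=frozenset()):
    """Return one alert per principal whose first admin grant appears in events.

    known_admins is a baseline of principals that already held an admin role
    before the analysed window, so routine re-activations do not alert.
    Events are sorted by their ISO-8601 UTC timestamp so that "first" stays
    well defined even when the log is delivered out of order.
    """
    already_admin = {u.lower() for u in known_admins}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_admin_grant(ev):
            continue
        user = ev["target"].lower()
        if user in already_admin:
            continue  # not a first-time grant for this principal
        already_admin.add(user)
        alerts.append({
            "rule": "RULE-1142",
            "user": user,
            "role": ev["role"],
            "actor": ev["actor"].lower(),
            "time": ev["time"],
            "attack": ["T1098", "T1078"],  # techniques cited on the page
        })
    return alerts


# Constructed sample events (deliberately out of chronological order).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "actor": "admin@example.com",
     "target": "alice@example.com", "role": "Security Administrator",
     "activity": "Add member to role completed (PIM activation)"},
    {"time": "2024-05-01T08:00:00Z", "actor": "admin@example.com",
     "target": "alice@example.com", "role": "Exchange Administrator",
     "activity": "Add member to role completed (PIM activation)"},
    {"time": "2024-05-01T10:00:00Z", "actor": "admin@example.com",
     "target": "bob@example.com", "role": "Reports Reader",
     "activity": "Add member to role"},  # not an admin role: ignored
    {"time": "2024-05-01T11:00:00Z", "actor": "mallory@example.com",
     "target": "carol@example.com", "role": "Global Administrator",
     "activity": "Add member to role"},
    {"time": "2024-05-01T12:00:00Z", "actor": "admin@example.com",
     "target": "dave@example.com", "role": "Security Administrator",
     "activity": "Add member to role completed (PIM activation)"},  # baseline
    {"time": "2024-05-01T13:00:00Z", "actor": "admin@example.com",
     "target": "alice@example.com", "role": "Exchange Administrator",
     "activity": "Remove member from role"},  # not a grant: ignored
]


if __name__ == "__main__":
    for alert in detect_first_time_admins(SAMPLE_EVENTS,
                                          known_admins={"dave@example.com"}):
        print(f"{alert['time']} {alert['rule']}: {alert['user']} granted "
              f"{alert['role']} by {alert['actor']}")
```

With the sample data this flags alice (her earliest grant, Exchange Administrator at 08:00, even though that event is listed second) and carol (Global Administrator, granted by a different actor), while dave is suppressed by the baseline and bob's non-admin role is ignored. In practice the baseline would be seeded from the tenant's current role membership so that the first run does not alert on every existing administrator.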
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the administrative role assignment was intentionally performed by an authorized administrator. Confirm with the IT security team whether the user was expected to receive elevated privileges.
- If no: The role assignment was not authorized and may indicate a compromised account:
  - Immediately remove the user from the administrative role via the Entra admin center under Identity > Roles & admins.
  - Block sign-in for both the newly elevated user and the administrator account that performed the assignment, and revoke all active sessions.
  - Review audit logs and authentication methods for both accounts to determine whether they have been compromised.
  - Contact the Attic IR team for further investigation to determine the full scope of the incident. An IR Credit Pack is required for this service.
- If yes: The role assignment was intentionally performed:
  - Verify that the assigned role follows the principle of least privilege. Ensure the user has not been granted broader permissions than required for their responsibilities.
  - If the assignment is appropriate and in accordance with policy: close the incident.