Azure AD User Added to Global or Device Admin Role
An attacker may attempt to add a user to a high-privilege Azure AD role, such as Global Administrator or Device Administrator, to establish persistence, gain initial access, escalate privileges, or operate stealthily within the compromised environment.
Attackers often target identity and access management systems like Azure Active Directory (Azure AD) to gain control over an organization’s resources. By adding users to highly privileged roles such as Global Administrator or Device Administrator, adversaries can achieve persistence, allowing them to regain access even after initial compromises are remediated. This activity often occurs after an initial foothold has been established, enabling privilege escalation and stealthy movement within the cloud environment. Monitoring role assignments in Azure AD is crucial for detecting and preventing unauthorized access and maintaining the integrity of the organization’s cloud infrastructure.
Attack Chain
- An attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.
- The attacker authenticates to the Azure portal or uses PowerShell with compromised credentials.
- The attacker enumerates existing Azure AD roles and identifies potential targets like Global Administrator or Device Administrator.
- The attacker uses the Add-AzureADGroupMember cmdlet or similar cmdlets to add a compromised or newly created user account to the target role.
- The Azure AD audit logs record the "Add member to role" operation with the specific role GUIDs (e.g., '7698a772-787b-4ac8-901f-60d6b08affd2' or '62e90394-69f5-4237-9190-012177145e10').
- The newly added user account inherits the privileges associated with the Global Administrator or Device Administrator role.
- The attacker leverages the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.
- The attacker establishes persistent access by creating new administrative accounts or modifying existing ones to maintain control.
Impact
Successful addition of a user to a Global Administrator or Device Administrator role grants the attacker unrestricted access to the Azure AD tenant, potentially impacting all resources connected to it. This can lead to data breaches, service disruptions, financial losses, and reputational damage. The scope of the impact depends on the extent to which the attacker leverages the compromised privileges.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect suspicious additions of users to Global or Device Admin roles in Azure AD Audit Logs.
- Investigate any alerts generated by the Sigma rule, focusing on the context of the user account being added and the source of the role assignment operation.
- Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft (T1078.004).
- Regularly review Azure AD role assignments to identify and remove any unauthorized or unnecessary privileges.
- Monitor for other suspicious Azure AD activity, such as unusual sign-in patterns, application registrations, and resource deployments.
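The log step in the attack chain above and the recommendation to investigate the added account and the source of the role assignment can be exercised against sample data. The script below is an added example written for this page; it is not the Sigma rule the page refers to and not code from the detection vendor. It implements both detections listed under Detection coverage (the high-severity match on the Global Administrator and Device Administrator role template IDs quoted above, and the medium-severity match on role additions made through PowerShell) over constructed audit records. The record shape (operationName, initiatedBy, targetResources, modifiedProperties with JSON-encoded newValue strings) approximates an Azure AD audit log export; the presence of a User-Agent entry under additionalDetails is an assumption about that export, and the contoso.example principals and the 00000000-… role GUIDs are constructed placeholders.

```python
"""Flag Azure AD audit-log records that add a user to a Global Administrator or
Device Administrator role, or to any role via PowerShell.

Added example for illustration: not the page's Sigma rule.  The record layout
approximates the Azure AD audit log export; all sample events are constructed.
"""
import json

# Role template IDs quoted in the attack chain on this page.
WATCHED_ROLE_TEMPLATES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "7698a772-787b-4ac8-901f-60d6b08affd2": "Device Administrators",
}

RULE_PRIV_ROLE = "Azure AD User Added to Global or Device Admin Roles"
RULE_POWERSHELL = "Azure AD Add User to Role via PowerShell"


def event(actor, target, role_name, template_id, user_agent, operation="Add member to role"):
    """Build one constructed audit record shaped like an Azure AD audit log entry.

    Azure AD writes modifiedProperties.newValue as a JSON-encoded string, so the
    role name arrives as '"Global Administrator"' (with embedded quotes).
    """
    return {
        "operationName": operation,
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": "203.0.113.10"}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": target,
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role_name)},
                {"displayName": "Role.TemplateId", "newValue": json.dumps(template_id)},
            ],
        }],
        # Assumption: the export carries the client User-Agent under additionalDetails.
        "additionalDetails": [{"key": "User-Agent", "value": user_agent}],
    }


# Constructed sample events: two privileged-role additions, two low-privilege
# ones (placeholder GUIDs), and one group membership change that must not fire.
SAMPLE_EVENTS = [
    event("helpdesk@contoso.example", "svc-backup@contoso.example", "Global Administrator",
          "62e90394-69f5-4237-9190-012177145e10", "AzureADPowerShell/2.0.2.182"),
    event("it-admin@contoso.example", "newhire@contoso.example", "Constructed Low-Priv Role",
          "00000000-0000-0000-0000-000000000001", "Mozilla/5.0 (portal)"),
    event("it-admin@contoso.example", "kiosk@contoso.example", "Device Administrators",
          "7698a772-787b-4ac8-901f-60d6b08affd2", "Mozilla/5.0 (portal)"),
    event("it-admin@contoso.example", "newhire@contoso.example", "Constructed Low-Priv Role",
          "00000000-0000-0000-0000-000000000001", "AzureADPowerShell/2.0.2.182"),
    event("it-admin@contoso.example", "newhire@contoso.example", "Some Group",
          "00000000-0000-0000-0000-000000000002", "Mozilla/5.0 (portal)",
          operation="Add member to group"),
]


def _property(target, name):
    """Return a modifiedProperties value by displayName, decoding the JSON-encoded string."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            raw = prop.get("newValue")
            try:
                return json.loads(raw)
            except (TypeError, ValueError):
                return raw  # tolerate exports that store the bare value
    return None


def _user_agent(record):
    for detail in record.get("additionalDetails", []):
        if detail.get("key") == "User-Agent":
            return detail.get("value", "")
    return ""


def detect(records):
    """Run both detections over a list of audit records and return alert dicts in order."""
    alerts = []
    for rec in records:
        if rec.get("operationName") != "Add member to role":
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        via_powershell = "powershell" in _user_agent(rec).lower()
        for target in rec.get("targetResources", []):
            template = (_property(target, "Role.TemplateId") or "").lower()
            base = {"actor": actor, "target": target.get("userPrincipalName"),
                    "role": _property(target, "Role.DisplayName")}
            if template in WATCHED_ROLE_TEMPLATES:
                alerts.append({**base, "rule": RULE_PRIV_ROLE, "severity": "high"})
            if via_powershell:
                alerts.append({**base, "rule": RULE_POWERSHELL, "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['actor']} added "
              f"{alert['target']} to {alert['role']}")
```

The first sample event fires both rules (a Global Administrator addition made from PowerShell), which is the situation the recommendations single out for investigation: the actor, the target account and the client that performed the assignment are all in the alert, so an analyst can check whether that combination is expected before the new member's privileges are used.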
Detection coverage (2 rules)
Azure AD User Added to Global or Device Admin Roles
Severity: high. Detects when a user is added to a Global Administrator or Device Administrator role in Azure AD.
Azure AD Add User to Role via PowerShell
Severity: medium. Detects when a user is added to an Azure AD role via PowerShell.