Skip to content
Threat Feed
high advisory

Azure AD Privileged Authentication Administrator Role Assignment Detected

An adversary assigning the 'Privileged Authentication Administrator' role to an account in Azure AD could abuse the new privileges to reset authentication methods for privileged accounts, leading to account takeover and privilege escalation.

The 'Privileged Authentication Administrator' role within Azure Active Directory (Azure AD) grants significant control over user authentication methods. This role allows an assigned user to modify or reset authentication factors (e.g., MFA, passwords) for other users within the tenant, including highly privileged roles like Global Administrators. An adversary gaining this role could exploit it to compromise other accounts by resetting their credentials, bypassing multi-factor authentication, and assuming their identity to perform malicious actions. This poses a severe risk to the confidentiality, integrity, and availability of resources within the Azure AD environment. The activity is detected via Azure AD audit logs.

Attack Chain

  1. An adversary gains initial access to a low-privileged account within the Azure AD tenant.
  2. The adversary attempts to elevate their privileges by assigning themselves the 'Privileged Authentication Administrator' role. This action is logged as an "Add member to role" event in Azure AD audit logs.
  3. The adversary leverages their new privileges to reset the authentication methods for a high-value target account (e.g., Global Administrator).
  4. The adversary sets a new password or modifies MFA settings for the target account, effectively locking out the legitimate owner.
  5. The adversary uses the newly acquired credentials to log in as the compromised high-value target account.
  6. The adversary performs actions with the privileges of the compromised account, such as modifying critical configurations or accessing sensitive data.
  7. The adversary disables auditing or other security controls to evade detection.

Impact

Successful exploitation leads to a complete compromise of the Azure AD tenant. An attacker can gain full control over the environment by compromising highly privileged accounts and changing configurations, disabling security features, accessing sensitive data, and potentially disrupting business operations. This can result in significant financial losses, reputational damage, and legal liabilities.

Recommendation

  • Deploy the provided Sigma rule to detect unauthorized assignments of the 'Privileged Authentication Administrator' role (Azure AD audit logs, azure_monitor_aad sourcetype).
  • Review existing assignments of the 'Privileged Authentication Administrator' role and remove any unnecessary or suspicious assignments.
  • Implement multi-factor authentication (MFA) for all users, especially those with privileged roles, and enforce strong password policies.
  • Monitor Azure AD audit logs for suspicious activity related to password resets or authentication method modifications.
  • Investigate and remediate any detected instances of unauthorized role assignments.

Detection coverage 2

Azure AD - Privileged Authentication Administrator Role Assigned

high

Detects the assignment of the Privileged Authentication Administrator role to a user in Azure AD.

sigma tactics: privilege_escalation techniques: T1098.003 sources: authentication, azure

Azure AD - Potential Privileged Authentication Administrator Abuse

medium

Detects password reset activity potentially related to Privileged Authentication Administrator abuse

sigma tactics: credential_access techniques: T1003.002 sources: authentication, azure

Detection queries are available on the platform. Get full rules →