Entra ID Privilege Escalation to User Access Administrator
A user has elevated their access to User Access Administrator for their Azure Resources, potentially leading to privilege escalation and unauthorized access; this activity is flagged only if the user hasn't performed it in the last 14 days.
This threat brief addresses the elevation of user privileges to "User Access Administrator" within Azure/Entra ID environments. The User Access Administrator role grants extensive control over user access to Azure resources, enabling role assignments and permission management. While legitimate use cases exist, adversaries may exploit this role to gain unauthorized access to sensitive data and escalate privileges further. The detection rule focuses on identifying anomalous behavior by flagging instances where a user elevates their access to User Access Administrator for the first time in 14 days. This helps filter out routine administrative tasks and highlights potentially malicious activity. The activity is tracked via Azure Audit Logs and is related to Microsoft.Authorization/elevateAccess/action API calls. The Storm-0501 group has been observed using similar techniques as of August 2025 to achieve cloud-based ransomware deployment.
Attack Chain
- Initial access to an Entra ID account with sufficient privileges (e.g., Global Administrator).
- The attacker authenticates to the Azure portal or uses Azure CLI with compromised credentials.
- The attacker executes a request to elevate their account's privileges to "User Access Administrator." This often involves calling the
Microsoft.Authorization/elevateAccess/actionAPI. - Azure Audit Logs record the successful elevation of privileges.
- The attacker leverages the User Access Administrator role to assign themselves additional, more granular roles (e.g., Contributor, Owner) on specific Azure resources.
- The attacker uses these newly acquired roles to access sensitive data, modify configurations, or deploy malicious code within the Azure environment.
- The attacker might attempt to disable security controls or create persistent backdoors for future access.
- The attacker achieves their final objective, such as data exfiltration, resource disruption, or ransomware deployment.
Impact
Successful exploitation can grant an attacker full control over access management within the Azure environment. This may lead to widespread data breaches, service disruption, and financial losses. The "User Access Administrator" role enables attackers to assign roles and permissions, granting them access to sensitive resources. This activity can lead to lateral movement, persistence, or privilege escalation. As seen with groups like Storm-0501, cloud environments are increasingly targeted for ransomware attacks, and this type of privilege escalation is often a critical step.
Recommendation
- Deploy the Sigma rule
Entra ID User Access Administrator Elevationto detect the initial privilege escalation activity (Azure Audit Logs). - Review and tune the Sigma rule,
Entra ID Elevated Access to User Access Administratorfor your environment, considering legitimate administrative activities (Azure Audit Logs). - Implement multi-factor authentication (MFA) for all user accounts, especially those with privileged roles.
- Monitor Azure Audit Logs for unusual activity related to role assignments and permission changes.
- Review conditional access and PIM (Privileged Identity Management) configurations to limit elevation without approval.
- Add alerts for repeated or unusual use of
Microsoft.Authorization/elevateAccess/actionas recommended in the original report.
Detection coverage 2
Entra ID User Access Administrator Elevation
highDetects when a user elevates their access to User Access Administrator role, potentially indicating privilege escalation.
Entra ID Elevated Access to User Access Administrator
highAlerts when elevateAccess action is detected in Entra ID audit logs, which indicates a user has elevated their access to User Access Administrator.
Detection queries are available on the platform. Get full rules →