
[New Rule] Azure RBAC Built-In Administrator Roles Assigned #5108

@terrancedejesus


Summary

Missing detections for built-in Azure RBAC admin roles being assigned to users. Roles such as Owner, Role Based Access Administrator, User Access Administrator, etc. should be monitored when assigned to users. These roles can be directly assigned through Azure, not Microsoft Entra ID, and are often part of privileged roles for PIM. Assignment is monitored via Azure Activity Logs, not Entra ID Audit logs, since they are Azure RBAC built-in roles. Thus, this activity is separated from behavior such as elevated access in rule ID 8d9c4128-372a-11f0-9d8f-f661ea17fbcd (Microsoft Entra ID Elevated Access to User Access Administrator).

Ref: https://orca.security/resources/research-pod/azure-identity-access-management-iam-active-directory-ad/

Related to: #5106
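As an added example (not part of the issue or the detection-rules project), the detection logic described above run over constructed Azure Activity Log events: it flags successful `roleAssignments/write` operations that grant one of the admin built-in roles to a user principal. The role definition GUIDs are assumed from Microsoft's built-in role documentation, the event shape is simplified, and the sample events and caller are constructed.

```python
import json

# Built-in Azure RBAC admin role definition GUIDs (assumed from Microsoft's docs;
# confirm in your tenant with: az role definition list --query "[].{n:roleName,id:name}")
ADMIN_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "f58310d9-a9f6-439a-9e8d-f62e7b41a168": "Role Based Access Control Administrator",
}
ROLE_ASSIGNMENT_WRITE = "microsoft.authorization/roleassignments/write"


def admin_role_assignments(events):
    """Return (caller, principal_id, role_name, scope) for each successful
    roleAssignments/write that grants an admin built-in role to a user."""
    hits = []
    for ev in events:
        if ev.get("operationName", "").lower() != ROLE_ASSIGNMENT_WRITE:
            continue
        if ev.get("status") != "Succeeded":
            continue
        # Activity Log nests the assignment request body as a JSON *string*
        try:
            props = json.loads(ev["properties"]["requestbody"])["Properties"]
        except (KeyError, TypeError, ValueError):
            continue
        if props.get("PrincipalType") != "User":
            continue  # groups and service principals are out of scope here
        # RoleDefinitionId is a full resource path; the GUID is its last segment
        role_guid = props.get("RoleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if role_guid in ADMIN_ROLE_IDS:
            hits.append((ev.get("caller"), props.get("PrincipalId"),
                         ADMIN_ROLE_IDS[role_guid], props.get("Scope")))
    return hits


def _event(role_guid, principal_type="User", status="Succeeded"):
    # Constructed, simplified Activity Log event (not real log output)
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    rd = f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}"
    body = {"Properties": {"PrincipalId": "user-guid-1", "PrincipalType": principal_type,
                           "RoleDefinitionId": rd, "Scope": scope}}
    return {"operationName": "Microsoft.Authorization/roleAssignments/write", "status": status,
            "caller": "admin@example.com", "properties": {"requestbody": json.dumps(body)}}

SAMPLE_EVENTS = [  # constructed sample data
    _event("8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),                      # Owner -> user: alert
    _event("11111111-1111-1111-1111-111111111111"),                      # non-admin role: ignore
    _event("18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", "ServicePrincipal"),  # not a user: ignore
    _event("f58310d9-a9f6-439a-9e8d-f62e7b41a168", status="Failed"),     # failed write: ignore
]
print(admin_role_assignments(SAMPLE_EVENTS))  # only the Owner assignment is reported
```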
