Detect bulk removal of highly privileged roles from Microsoft Entra that can lead to a loss of control over the cloud environment.
ID: T1531.Entra.HighlyPrivilegedRoleRemoval
Author: Nicola Suter
License: MIT License
References: Link to medium post
Tactic: Impact (TA0040)
Technique: Account Access Removal (T1531)
Attackers can remove highly privileged roles from Microsoft Entra, which can lead to a loss of control over the cloud environment. These roles are Global Administrator and Privileged Role Administrator. If the customer does not have access to an admin account holding one of these roles, the customer loses control over the cloud environment.
To remove the roles, the attacker needs to hold the Global Administrator or Privileged Role Administrator role.
Bulk removal of highly privileged roles can be detected by looking at the RoleAssignmentDeleted event in the Microsoft Entra Activity Logs.
Event ID | Event Name | Log Provider | ATT&CK Data Source
---|---|---|---
- | AuditLogs | Entra ID | Cloud Service
FP Rate: Low
Source: Entra ID
Description: This detection looks at Entra admin role removal events.
Query:
let lookback = 2h;
// Role template IDs of the two roles this detection covers.
let AdminRoleInfo = datatable (RoleId: guid, RoleDisplayName: string)[
    '62e90394-69f5-4237-9190-012177145e10', 'Global Administrator',
    'e8611ab8-c189-46e8-94e1-60213ab1f814', 'Privileged Role Administrator'
];
AuditLogs
| where ingestion_time() > ago(lookback)
// Removal of permanent (active or eligible) role assignments performed by an admin.
| where AADOperationType in~ ('AdminRemovePermanentGrantedRole', 'AdminRemovePermanentEligibleRole')
// Extract the removed role's template ID from AdditionalDetails.
| mv-apply details = AdditionalDetails on (
    where details.key == "RoleDefinitionOriginId"
    | extend RoleId = toguid(details.value)
)
// Extract the caller IP from AdditionalDetails. Note: mv-apply drops rows
// that have no "ipaddr" entry, so such removals will not surface here.
| mv-apply ipDetail = AdditionalDetails on (
    where ipDetail.key == "ipaddr"
    | extend IPAddress = tostring(ipDetail.value)
)
| lookup AdminRoleInfo on RoleId
// lookup is a left outer join by default; keep only the two covered roles.
| where isnotempty(RoleDisplayName)
| mv-expand TargetResources
| where TargetResources.type == 'User'
| extend
    UserObjectId = TargetResources.id,
    UserPrincipalName = TargetResources.userPrincipalName
// Actor is the initiating user, or the app ID when a service principal removed the role.
| extend Actor = iif(isnotempty(InitiatedBy.user), InitiatedBy.user.id, InitiatedBy.app.appId)
| project
    ActivityDateTime,
    ActivityDisplayName,
    RoleDisplayName,
    UserPrincipalName,
    UserObjectId,
    Actor,
    IPAddress
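To show the same logic outside of Log Analytics, here is an added Python re-implementation of the query over constructed AuditLogs-style records, plus the per-actor "bulk" aggregation the description talks about but the query itself leaves to the analyst. This is example code written for this page, not the rule's own query or Microsoft code; the record shape (AdditionalDetails key/value pairs, InitiatedBy.user / InitiatedBy.app, TargetResources) follows the fields the query reads, and the sample records, actor IDs, IPs and the 3-removals-in-2-hours threshold are assumptions chosen for illustration.

```python
"""Offline re-implementation of the Entra privileged-role-removal detection.
Added example for this page; record layout and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Role template IDs from the rule's AdminRoleInfo table.
ADMIN_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}
# The two AADOperationType values the rule matches.
REMOVAL_OPS = {"AdminRemovePermanentGrantedRole", "AdminRemovePermanentEligibleRole"}

# Constructed sample rows shaped like AuditLogs records (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    {"ActivityDateTime": "2024-05-01T10:00:00", "AADOperationType": "AdminRemovePermanentGrantedRole",
     "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"},
                           {"key": "ipaddr", "value": "203.0.113.10"}],
     "InitiatedBy": {"user": {"id": "actor-1"}},
     "TargetResources": [{"type": "User", "id": "u1", "userPrincipalName": "ga1@contoso.example"}]},
    {"ActivityDateTime": "2024-05-01T10:05:00", "AADOperationType": "AdminRemovePermanentEligibleRole",
     "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "e8611ab8-c189-46e8-94e1-60213ab1f814"},
                           {"key": "ipaddr", "value": "203.0.113.10"}],
     "InitiatedBy": {"user": {"id": "actor-1"}},
     "TargetResources": [{"type": "User", "id": "u2", "userPrincipalName": "pra1@contoso.example"}]},
    # No ipaddr entry: the KQL mv-apply would drop this row; here it is kept with IPAddress=None.
    {"ActivityDateTime": "2024-05-01T10:20:00", "AADOperationType": "AdminRemovePermanentGrantedRole",
     "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}],
     "InitiatedBy": {"user": {"id": "actor-1"}},
     "TargetResources": [{"type": "User", "id": "u3", "userPrincipalName": "ga2@contoso.example"}]},
    # Target is a service principal, filtered out like `TargetResources.type == 'User'`.
    {"ActivityDateTime": "2024-05-01T10:30:00", "AADOperationType": "AdminRemovePermanentGrantedRole",
     "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}],
     "InitiatedBy": {"user": {"id": "actor-1"}},
     "TargetResources": [{"type": "ServicePrincipal", "id": "sp1"}]},
    # A role outside AdminRoleInfo (constructed ID), not covered by the detection.
    {"ActivityDateTime": "2024-05-01T11:00:00", "AADOperationType": "AdminRemovePermanentGrantedRole",
     "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "00000000-0000-0000-0000-00000000aaaa"}],
     "InitiatedBy": {"user": {"id": "actor-2"}},
     "TargetResources": [{"type": "User", "id": "u4", "userPrincipalName": "ops@contoso.example"}]},
    # Not a removal operation at all.
    {"ActivityDateTime": "2024-05-01T11:10:00", "AADOperationType": "Assign",
     "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}],
     "InitiatedBy": {"user": {"id": "actor-2"}},
     "TargetResources": [{"type": "User", "id": "u4", "userPrincipalName": "ops@contoso.example"}]},
    # Removal performed by an application; Actor falls back to InitiatedBy.app.appId.
    {"ActivityDateTime": "2024-05-01T13:30:00", "AADOperationType": "AdminRemovePermanentGrantedRole",
     "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"},
                           {"key": "ipaddr", "value": "198.51.100.7"}],
     "InitiatedBy": {"app": {"appId": "app-9"}},
     "TargetResources": [{"type": "User", "id": "u5", "userPrincipalName": "ga3@contoso.example"}]},
]


def detail(record, key):
    """Return the value of the AdditionalDetails entry with the given key, or None."""
    for d in record.get("AdditionalDetails", []):
        if d.get("key") == key:
            return d.get("value")
    return None


def removal_events(records):
    """Mirror the KQL: keep covered-role removals targeting users, resolve role, target and actor."""
    out = []
    for r in records:
        if r.get("AADOperationType") not in REMOVAL_OPS:
            continue
        role_name = ADMIN_ROLES.get((detail(r, "RoleDefinitionOriginId") or "").lower())
        if role_name is None:
            continue  # only Global Administrator / Privileged Role Administrator are covered
        initiated = r.get("InitiatedBy", {})
        actor = initiated.get("user", {}).get("id") or initiated.get("app", {}).get("appId")
        for t in r.get("TargetResources", []):
            if t.get("type") != "User":
                continue
            out.append({
                "ActivityDateTime": datetime.fromisoformat(r["ActivityDateTime"]),
                "RoleDisplayName": role_name,
                "UserPrincipalName": t.get("userPrincipalName"),
                "UserObjectId": t.get("id"),
                "Actor": actor,
                "IPAddress": detail(r, "ipaddr"),
            })
    return out


def bulk_removals(events, window=timedelta(hours=2), threshold=3):
    """Return {actor: peak_count} for actors with >= threshold removals inside any sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["Actor"]].append(e["ActivityDateTime"])
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    evts = removal_events(SAMPLE_AUDIT_LOGS)
    for e in evts:
        print(e["ActivityDateTime"], e["RoleDisplayName"], e["UserPrincipalName"], e["Actor"], e["IPAddress"])
    print("bulk removal suspects:", bulk_removals(evts))
```

Two deliberate differences from the query are worth noting: the Python keeps removals that carry no "ipaddr" entry (the KQL `mv-apply` on that key silently drops them), and `bulk_removals` adds the sliding-window count per actor that turns a list of individual removals into the "bulk" signal the rule description is after; a tenant with regular permission cleanup will want to tune the window and threshold.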
- Only the Global Administrator and Privileged Role Administrator roles are covered by this detection.
- High amounts of role removals can lead to false positives, e.g. due to permission cleanup. During regular operations the number of role removals should be low.
- The detection does not cover the removal of roles other than Global Administrator and Privileged Role Administrator.
- The detection does not cover permissions of service principals that might have permissions similar to the Global Administrator and Privileged Role Administrator roles.