Microsoft Entra user added to restricted management administrative unit
Description
AlphaSOC detected a user being added to a restricted management administrative
unit (AU) in Microsoft Entra ID via the
Add member to restricted management administrative unit audit action.
Restricted management AUs prevent non-privileged administrators from modifying
members, including resetting passwords or disabling accounts. Attackers with
sufficient privileges may place a compromised user account inside a restricted
AU to shield it from incident response containment actions.
Impact
An attacker-controlled account added to a restricted AU may become resistant to standard remediation steps. Responders without sufficient roles will be unable to disable the account, reset its credentials, or remove it from groups, allowing the attacker to maintain access during an active incident response effort.
Severity
| Severity | Condition |
|---|---|
| Low | User added to a restricted management administrative unit |
Investigation and Remediation
Review Entra audit logs for the
Add member to restricted management administrative unit event. Identify the
acting user, the target account, and the administrative unit involved. Determine
whether the change was authorized and aligns with documented access management
processes. If unauthorized, remove the user from the restricted AU, then
investigate both accounts for additional malicious activity.
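A triage helper for the review step above, added here as an example and not part of the AlphaSOC rule: it scans constructed audit records laid out like Microsoft Graph directoryAudit entries (field names such as activityDisplayName, initiatedBy and targetResources are assumed), keeps only the named audit action, and pulls out the acting identity, the target user and the administrative unit, carrying the result field along so a failed attempt is not mistaken for a completed change.

```python
import json

# Audit action named in the detection description above.
WATCHED_ACTION = "Add member to restricted management administrative unit"

# Constructed sample records shaped like Graph directoryAudit entries (assumed field names).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": WATCHED_ACTION, "result": "success",
     "activityDateTime": "2024-05-01T10:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [
         {"type": "User", "userPrincipalName": "jdoe@example.test"},
         {"type": "AdministrativeUnit", "displayName": "RMAU-Tier0"}]},
    {"activityDisplayName": "Update user", "result": "success",
     "activityDateTime": "2024-05-01T10:16:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"type": "User", "userPrincipalName": "jdoe@example.test"}]},
    {"activityDisplayName": WATCHED_ACTION, "result": "failure",
     "activityDateTime": "2024-05-01T11:00:00Z",
     "initiatedBy": {"app": {"displayName": "Provisioning-Script"}},
     "targetResources": [
         {"type": "User", "userPrincipalName": "svc-backup@example.test"},
         {"type": "AdministrativeUnit", "displayName": "RMAU-Tier0"}]},
])

def actor_of(record):
    """Name the initiator, whether a signed-in user or an application identity."""
    initiated_by = record.get("initiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def find_restricted_au_additions(audit_log_json):
    """Return one finding per watched event: time, result, actor, target user and AU."""
    findings = []
    for record in json.loads(audit_log_json):
        if record.get("activityDisplayName") != WATCHED_ACTION:
            continue  # unrelated audit action, e.g. an ordinary user update
        target_user, au_name = None, None
        for res in record.get("targetResources") or []:
            if res.get("type") == "User":
                target_user = res.get("userPrincipalName")
            elif res.get("type") == "AdministrativeUnit":
                au_name = res.get("displayName")
        findings.append({"time": record.get("activityDateTime"), "result": record.get("result"),
                         "actor": actor_of(record), "target_user": target_user,
                         "administrative_unit": au_name, "severity": "Low"})
    return findings
```

Each finding gives the three identities the investigation step asks for; compare the actor against documented access management processes before deciding whether to remove the target user from the AU.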