Suspicious Microsoft Entra activity indicating role assignment
Description
AlphaSOC detected a role assignment in Microsoft Entra ID via the Add member to role action. While role changes occur during legitimate onboarding and access reviews, threat actors who compromise Entra environments may assign administrative or privileged roles to maintain persistence and expand their access.
Impact
Unauthorized role assignments can provide adversaries with elevated access to the organization's identity infrastructure. Depending on the role granted, attackers may gain the ability to manage user accounts, modify authentication policies, access sensitive applications, or perform other administrative actions. Privileged roles can enable lateral movement and facilitate further compromise of connected systems.
Severity
| Severity | Condition |
|---|---|
| Informational | Role assignment with one unexpected property |
| Low | Role assignment with two unexpected properties |
| Medium | Role assignment with three unexpected properties |
Investigation and Remediation
Review the Entra audit logs to identify the user who performed the role assignment, the target user who received the role, and the specific role granted. Verify whether the change was authorized through your organization's access management process. If unauthorized, remove the role assignment immediately, disable access for any compromised accounts, and reset credentials. Review recent activity for both the assigning and target accounts to identify additional indicators of compromise.
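The review steps above, as an added worked example that is not AlphaSOC's code: a small Python triage script that parses constructed "Add member to role" audit entries modelled on the Microsoft Graph directory-audit record shape (activityDisplayName, initiatedBy, targetResources, modifiedProperties), pulls out the initiator, the target user and the role granted, and scores each assignment against a hypothetical baseline using the one/two/three unexpected-property ladder from the Severity table. The sample entries, the baseline sets, and the choice of initiator, role and target as the three "properties" are assumptions for illustration; in practice the baseline comes from your access management process.

```python
"""Triage helper for Entra ID "Add member to role" audit events (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field, replace
from typing import Optional

# Constructed sample audit entries (not real tenant data), shaped like
# Microsoft Graph directoryAudits records. newValue is a JSON-encoded string,
# as it is in the real logs, hence the escaped quotes.
SAMPLE_AUDIT_LOG = json.dumps([
    {   # expected: approved admin grants an approved role to an eligible user
        "activityDisplayName": "Add member to role",
        "activityDateTime": "2024-05-01T09:12:44Z",
        "initiatedBy": {"user": {"userPrincipalName": "iam-admin@example.com"}},
        "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Helpdesk Administrator\""}]}],
    },
    {   # unrelated activity; must be ignored by the parser
        "activityDisplayName": "Update user",
        "activityDateTime": "2024-05-01T09:13:10Z",
        "initiatedBy": {"user": {"userPrincipalName": "iam-admin@example.com"}},
        "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com",
                             "modifiedProperties": []}],
    },
    {   # one unexpected property: unknown initiator
        "activityDisplayName": "Add member to role",
        "activityDateTime": "2024-05-01T22:40:02Z",
        "initiatedBy": {"user": {"userPrincipalName": "contractor@example.com"}},
        "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Reports Reader\""}]}],
    },
    {   # three unexpected properties: app initiator, privileged role, service account
        "activityDisplayName": "Add member to role",
        "activityDateTime": "2024-05-02T03:05:51Z",
        "initiatedBy": {"app": {"displayName": "sync-connector"}},
        "targetResources": [{"type": "User", "userPrincipalName": "svc-backup@example.com",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Global Administrator\""}]}],
    },
])

# Hypothetical baseline (assumption): who may assign roles, which roles are
# routinely assigned, and which accounts are eligible to receive them.
BASELINE = {
    "initiators": {"iam-admin@example.com"},
    "roles": {"Helpdesk Administrator", "Reports Reader"},
    "targets": {"alice@example.com", "bob@example.com"},
}

# Severity ladder from the page: count of unexpected properties -> severity.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


@dataclass
class RoleAssignment:
    timestamp: str
    initiator: str   # UPN of the assigning user, or "app:<name>" for a service principal
    target: str      # UPN of the user who received the role
    role: str        # role display name taken from Role.DisplayName
    unexpected: list[str] = field(default_factory=list)

    @property
    def severity(self) -> Optional[str]:
        # Zero unexpected properties means no alert (None).
        return SEVERITY_BY_COUNT.get(len(self.unexpected))


def _decode(value):
    """modifiedProperties values are JSON-encoded strings; fall back to raw text."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def _initiator(event: dict) -> str:
    by = event.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName") or "<unknown user>"
    if by.get("app"):
        return "app:" + (by["app"].get("displayName") or "<unknown app>")
    return "<unknown>"


def parse_role_assignments(raw_json: str) -> list[RoleAssignment]:
    """Extract (initiator, target, role) from every 'Add member to role' event."""
    out: list[RoleAssignment] = []
    for ev in json.loads(raw_json):
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        for tr in ev.get("targetResources", []):
            if tr.get("type") != "User":
                continue
            props = {p.get("displayName"): _decode(p.get("newValue"))
                     for p in tr.get("modifiedProperties", [])}
            out.append(RoleAssignment(
                timestamp=ev.get("activityDateTime", ""),
                initiator=_initiator(ev),
                target=tr.get("userPrincipalName") or "<unknown>",
                role=props.get("Role.DisplayName") or "<unknown role>",
            ))
    return out


def assess(assignment: RoleAssignment, baseline: dict = BASELINE) -> RoleAssignment:
    """Mark each property that falls outside the baseline as unexpected."""
    unexpected = []
    if assignment.initiator not in baseline["initiators"]:
        unexpected.append("initiator")
    if assignment.role not in baseline["roles"]:
        unexpected.append("role")
    if assignment.target not in baseline["targets"]:
        unexpected.append("target")
    return replace(assignment, unexpected=unexpected)


def triage(raw_json: str, baseline: dict = BASELINE) -> list[RoleAssignment]:
    return [assess(a, baseline) for a in parse_role_assignments(raw_json)]


if __name__ == "__main__":
    for a in triage(SAMPLE_AUDIT_LOG):
        print(f"{a.timestamp} {a.initiator} -> {a.target} [{a.role}] "
              f"unexpected={a.unexpected} severity={a.severity}")
```

Each line of output gives the three facts the investigation asks for (who assigned, who received, which role) plus the properties that make the event worth a second look, so the alert can be checked against the access management record before any role is removed or credentials are reset.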