Microsoft Entra scoped role assigned over administrative unit
Description
AlphaSOC detected a scoped role assignment over an administrative unit (AU) in
Microsoft Entra ID via Add scoped member to role or
Add member to role scoped over Restricted Management Administrative Unit audit
actions. Scoped roles grant administrative capabilities over only the members of
a specific AU rather than the entire tenant. In environments that do not use
AUs, any scoped role assignment is unexpected; even where AUs are deployed,
unapproved scoped assignments may indicate an attacker establishing elevated
access.
Impact
An unauthorized scoped role assignment can give an attacker administrative control over the users, groups, or devices in the AU, for example the ability to reset passwords, manage group membership, or modify user attributes. If the scope is a restricted management administrative unit, the members of that AU can only be modified by administrators holding a role scoped over it, so tenant-wide role holders cannot directly undo the attacker's changes; this makes the foothold both more durable and harder to remediate.
Severity
| Severity | Condition |
|---|---|
| Low | Scoped role assigned over administrative unit |
Investigation and Remediation
Review Entra audit logs for Add scoped member to role and
Add member to role scoped over Restricted Management Administrative Unit
events. Identify the acting user, the role assigned, the target account or
object, and the administrative unit in scope. Verify whether the assignment was
authorized through your organization's access management process. If
unauthorized, remove the scoped role assignment, investigate the acting account
for compromise, and review other role or membership changes performed during the
same session.
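The triage steps above (find the two audit activities, pull out actor, role, target and AU, compare the AU against what your access-management process approved, and look for other changes by the same actor around the same time) as an added Python example. This is not AlphaSOC's or Microsoft's code. The sample events are constructed and follow the Microsoft Graph `directoryAudit` layout, but the `targetResources` entries used to carry the role, AU and principal, the `APPROVED_AUS` allow-list, and the one-hour session window are assumptions for illustration.

```python
"""Triage Entra ID audit events for scoped role assignments over administrative units.

Added example (not AlphaSOC's or Microsoft's code). Records are constructed to follow
the Microsoft Graph directoryAudit shape; the targetResources types and the sample
values are assumptions.
"""
from datetime import datetime, timedelta

# The two audit activities this detection keys on.
SCOPED_ROLE_ACTIVITIES = {
    "Add scoped member to role",
    "Add member to role scoped over Restricted Management Administrative Unit",
}

# Assumption: AUs your access-management process has approved for scoped administration.
# Leave this empty in a tenant that does not use AUs so that every assignment is flagged.
APPROVED_AUS = {"Finance-Users"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    return ((event.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "unknown")


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "category": "RoleManagement", "result": "success",
     "activityDateTime": "2024-05-01T10:00:00Z",
     "activityDisplayName": "Add scoped member to role",
     "initiatedBy": {"user": {"userPrincipalName": "itops@contoso.example"}},
     "targetResources": [
         {"type": "Role", "displayName": "User Administrator"},
         {"type": "AdministrativeUnit", "displayName": "Finance-Users"},
         {"type": "User", "userPrincipalName": "finance-helpdesk@contoso.example"}]},
    {"id": "evt-2", "category": "RoleManagement", "result": "success",
     "activityDateTime": "2024-05-01T10:05:00Z",
     "activityDisplayName": "Add member to role scoped over Restricted Management Administrative Unit",
     "initiatedBy": {"user": {"userPrincipalName": "svc-migration@contoso.example"}},
     "targetResources": [
         {"type": "Role", "displayName": "Privileged Authentication Administrator"},
         {"type": "AdministrativeUnit", "displayName": "Legacy-RMAU"},
         {"type": "User", "userPrincipalName": "backup-admin@contoso.example"}]},
    {"id": "evt-3", "category": "GroupManagement", "result": "success",
     "activityDateTime": "2024-05-01T10:07:00Z",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "svc-migration@contoso.example"}},
     "targetResources": [{"type": "Group", "displayName": "Legacy-Admins"}]},
    {"id": "evt-4", "category": "RoleManagement", "result": "success",
     "activityDateTime": "2024-05-01T12:00:00Z",
     "activityDisplayName": "Add member to role",  # tenant-wide, not in scope for this rule
     "initiatedBy": {"user": {"userPrincipalName": "itops@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Helpdesk Administrator"},
                         {"type": "User", "userPrincipalName": "newhire@contoso.example"}]},
]


def parse_scoped_role_event(event):
    """Return actor/role/target/AU for a scoped-role audit event, or None if not one."""
    activity = event.get("activityDisplayName")
    if activity not in SCOPED_ROLE_ACTIVITIES:
        return None
    info = {"id": event["id"], "time": event["activityDateTime"], "actor": _actor(event),
            "result": event.get("result"), "role": None, "au": None, "target": None,
            "restricted_au": "Restricted Management" in activity}
    for res in event.get("targetResources", []):
        kind = res.get("type")
        if kind == "Role":
            info["role"] = res.get("displayName")
        elif kind == "AdministrativeUnit":
            info["au"] = res.get("displayName")
        else:  # the principal that received the scoped role (user, group or service principal)
            info["target"] = res.get("userPrincipalName") or res.get("displayName")
    return info


def triage(events, approved_aus=APPROVED_AUS):
    """Flag every scoped assignment whose AU is not on the approved list."""
    findings = []
    for event in events:
        info = parse_scoped_role_event(event)
        if info is None:
            continue
        if not approved_aus:
            info["review_reason"] = "tenant does not use administrative units"
        elif info["au"] not in approved_aus:
            info["review_reason"] = f"AU {info['au']!r} is not approved for scoped roles"
        else:
            info["review_reason"] = None
        findings.append(info)
    return findings


def same_session_changes(events, actor, at, exclude_id, window=timedelta(hours=1)):
    """Other role or group changes by the same actor within +/- window of the assignment."""
    return [e["activityDisplayName"] for e in events
            if e["id"] != exclude_id and _actor(e) == actor
            and e.get("category") in ("RoleManagement", "GroupManagement")
            and at - window <= _ts(e["activityDateTime"]) <= at + window]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        related = same_session_changes(SAMPLE_EVENTS, finding["actor"],
                                       _ts(finding["time"]), finding["id"])
        print(finding, "related:", related)
```

Failed assignments are kept rather than filtered on `result`, since a failed attempt by a compromised account is still worth reviewing; the `review_reason` field is what an analyst would act on.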