learn.microsoft.com
2600:141b:1c00:2489::3544
Public Scan
Submitted URL: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
Effective URL: https://learn.microsoft.com/en-ca/entra/architecture/security-operations-privileged-accounts
Submission: On November 17 via api from DE — Scanned from CA
Text Content
SECURITY OPERATIONS FOR PRIVILEGED ACCOUNTS IN MICROSOFT ENTRA ID

Article, 2023-10-23, 7 contributors

IN THIS ARTICLE

1. Log files to monitor
2. Emergency access accounts
3. Privileged account sign-in
4. Changes by privileged accounts
5. Changes to privileged accounts
6. Assignment and elevation
7. Next steps

The security of business assets depends on the integrity of the privileged accounts that administer your IT systems. Cyber attackers use credential theft attacks and other means to target privileged accounts and gain access to sensitive data.

Traditionally, organizational security has focused on the entry and exit points of a network as the security perimeter. However, software as a service (SaaS) applications and personal devices on the internet have made this approach less effective. Microsoft Entra ID uses identity and access management (IAM) as the control plane. In your organization's identity layer, users assigned to privileged administrative roles are in control.
The accounts used for access must be protected, whether the environment is on-premises, in the cloud, or a hybrid environment. You're entirely responsible for all layers of security for your on-premises IT environment. When you use Azure services, prevention and response are the joint responsibilities of Microsoft as the cloud service provider and you as the customer.

* For more information on the shared responsibility model, see Shared responsibility in the cloud.
* For more information on securing access for privileged users, see Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID.
* For a wide range of videos, how-to guides, and content on key concepts for privileged identity, see Privileged Identity Management documentation.

LOG FILES TO MONITOR

The log files you use for investigation and monitoring are:

* Microsoft Entra audit logs
* Microsoft 365 Audit logs
* Azure Key Vault insights

From the Azure portal, you can view the Microsoft Entra audit logs and download them as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra logs with other tools that allow for greater automation of monitoring and alerting:

* Microsoft Sentinel. Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
* Sigma rules. Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we have added a link to the Sigma repo. The Sigma templates are not written, tested, or managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.
* Azure Monitor. Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
* Azure Event Hubs integrated with a SIEM. Enables Microsoft Entra logs to be pushed to other SIEMs such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. For more information, see Stream Microsoft Entra logs to an Azure event hub.
* Microsoft Defender for Cloud Apps. Enables you to discover and manage apps, govern across apps and resources, and check your cloud apps' compliance.
* Microsoft Graph. Enables you to export data and use Microsoft Graph to do more analysis. For more information, see Microsoft Graph PowerShell SDK and Microsoft Entra ID Protection.
* Microsoft Entra ID Protection. Generates three key reports you can use to help with your investigation:
  * Risky users. Contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
  * Risky sign-ins. Contains information about a sign-in that might indicate suspicious circumstances. For more information on investigating information from this report, see Investigate risk.
  * Risk detections. Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.
* Securing workload identities with Microsoft Entra ID Protection. Use to detect risk on workload identities across sign-in behavior and offline indicators of compromise.

Although we discourage the practice, privileged accounts can have standing administration rights. If you choose to use standing privileges, and the account is compromised, it can have a strongly negative effect. We recommend you prioritize monitoring privileged accounts and include the accounts in your Privileged Identity Management (PIM) configuration. For more information on PIM, see Start using Privileged Identity Management. Also, we recommend you validate that admin accounts:

* Are required.
* Have the least privilege to execute the required activities.
* Are protected with multifactor authentication at a minimum.
* Are run from privileged access workstation (PAW) or secure admin workstation (SAW) devices.

The rest of this article describes what we recommend you monitor and alert on. The article is organized by the type of threat. Where there are specific prebuilt solutions, we link to them following the table. Otherwise, you can build alerts by using the tools described above. This article provides details on setting baselines and auditing sign-in and usage of privileged accounts. It also discusses tools and resources you can use to help maintain the integrity of your privileged accounts. The content is organized into the following subjects:

* Emergency "break-glass" accounts
* Privileged account sign-in
* Privileged account changes
* Privileged groups
* Privilege assignment and elevation

EMERGENCY ACCESS ACCOUNTS

It's important that you prevent being accidentally locked out of your Microsoft Entra tenant. Microsoft recommends that organizations have two cloud-only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and aren't assigned to specific individuals. The accounts are limited to emergency or "break glass" scenarios where normal accounts can't be used or all other administrators are accidentally locked out. These accounts should be created following the emergency access account recommendations.

Send a high-priority alert every time an emergency access account is used.

DISCOVERY

Because break-glass accounts are only used if there's an emergency, your monitoring should discover no account activity. Send a high-priority alert every time an emergency access account is used or changed. Any of the following events might indicate a bad actor is trying to compromise your environments:

* Sign-in.
* Account password change.
* Account permission or roles changed.
* Credential or auth method added or changed.
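The Discovery rule for break-glass accounts is simple enough to apply directly to the exported logs: the accounts should produce no activity, so every sign-in and every sensitive change targeting them is an alert. The following Python is an added example, not code from the Microsoft Learn article or from Microsoft. It reads JSON exports of the Microsoft Entra sign-in and audit logs and raises a high-priority alert for each of the four Discovery events. The UPNs and the sample records are constructed; the activityDisplayName values in the mapping are examples of the audit activities that fall into each Discovery category and should be adjusted to what your tenant actually logs.

```python
"""Emergency access ("break-glass") account monitor.

Added example, not code from the Microsoft Learn article. Applies the article's
Discovery rule: break-glass accounts should show no activity, so any sign-in,
password change, role change, or credential/auth-method change against one is
a high-priority alert. Input is the JSON export of the Entra sign-in and audit
logs.

Assumptions (not from the article): the UPNs and records are constructed; the
activityDisplayName values below are example audit activities for each
Discovery category.
"""
import json
from dataclasses import dataclass

# Constructed placeholders for the two cloud-only emergency access accounts.
BREAK_GLASS_UPNS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}

# Audit activities mapped onto the article's Discovery list (example values).
SENSITIVE_AUDIT_ACTIVITIES = {
    "Reset user password": "Account password change",
    "Change user password": "Account password change",
    "Add member to role": "Account permission or roles changed",
    "Remove member from role": "Account permission or roles changed",
    "User registered security info": "Credential or auth method added or changed",
    "Admin registered security info": "Credential or auth method added or changed",
}


@dataclass(frozen=True)
class Alert:
    priority: str
    upn: str
    reason: str
    record_id: str


def _target_users(audit):
    """UPNs of the user targets of an audit record, lower-cased for comparison."""
    return {t.get("userPrincipalName", "").lower()
            for t in audit.get("targetResources", []) if t.get("type") == "User"}


def scan_sign_ins(records):
    """Every sign-in by a break-glass account, successful or failed, is an alert."""
    alerts = []
    for r in records:
        upn = r.get("userPrincipalName", "").lower()
        if upn in BREAK_GLASS_UPNS:
            ok = r.get("status", {}).get("errorCode", 0) == 0
            alerts.append(Alert("high", upn, "Sign-in " + ("succeeded" if ok else "failed"), r["id"]))
    return alerts


def scan_audits(records):
    """Sensitive changes whose target is a break-glass account."""
    alerts = []
    for r in records:
        reason = SENSITIVE_AUDIT_ACTIVITIES.get(r.get("activityDisplayName"))
        if reason:
            for upn in _target_users(r) & BREAK_GLASS_UPNS:
                alerts.append(Alert("high", upn, reason, r["id"]))
    return alerts


def scan(sign_in_json, audit_json):
    """Parse both exports (JSON arrays) and return all alerts, sign-ins first."""
    return scan_sign_ins(json.loads(sign_in_json)) + scan_audits(json.loads(audit_json))


# Constructed sample exports: an ordinary admin sign-in (no alert), a
# break-glass sign-in, a failed break-glass sign-in, a role change against a
# break-glass account, a password reset of an ordinary user (no alert), and a
# security-info registration against a break-glass account.
SAMPLE_SIGN_INS = json.dumps([
    {"id": "s1", "userPrincipalName": "adm_alice@contoso.example", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "BreakGlass1@contoso.example", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "breakglass2@contoso.example", "status": {"errorCode": 50126}},
])
SAMPLE_AUDITS = json.dumps([
    {"id": "a1", "activityDisplayName": "Add member to role",
     "targetResources": [{"type": "User", "userPrincipalName": "breakglass1@contoso.example"},
                         {"type": "Role", "displayName": "Global Administrator"}]},
    {"id": "a2", "activityDisplayName": "Reset user password",
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"}]},
    {"id": "a3", "activityDisplayName": "User registered security info",
     "targetResources": [{"type": "User", "userPrincipalName": "breakglass2@contoso.example"}]},
])


def run_sample():
    return scan(SAMPLE_SIGN_INS, SAMPLE_AUDITS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.priority.upper()}] {a.upn}: {a.reason} (record {a.record_id})")
```

Matching is case-insensitive on the UPN because exported sign-in records do not always preserve the casing of the directory object, and failed sign-ins are alerted as well as successful ones: a failed sign-in against an account nobody should be using is exactly the signal the Discovery list asks for.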
For more information on managing emergency access accounts, see Manage emergency access admin accounts in Microsoft Entra ID. For detailed information on creating an alert for an emergency account, see Create an alert rule.

PRIVILEGED ACCOUNT SIGN-IN

Monitor all privileged account sign-in activity by using the Microsoft Entra sign-in logs as the data source. In addition to sign-in success and failure information, the logs contain the following details:

* Interrupts
* Device
* Location
* Risk
* Application
* Date and time
* Is the account disabled
* Lockout
* MFA fraud
* Conditional Access failure

THINGS TO MONITOR

You can monitor privileged account sign-in events in the Microsoft Entra sign-in logs. Alert on and investigate the following events for privileged accounts. Each entry gives what to monitor, the risk level, where to look, the filter/subfilter, and notes, followed by the prebuilt templates where they exist.

* Sign-in failure, bad password threshold
  Risk level: High
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Status = Failure -and- error code = 50126
  Notes: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
  Templates: Microsoft Sentinel template, Sigma rules
* Failure because of Conditional Access requirement
  Risk level: High
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Status = Failure -and- error code = 53003 -and- Failure reason = Blocked by Conditional Access
  Notes: This event can be an indication an attacker is trying to get into the account.
  Templates: Microsoft Sentinel template, Sigma rules
* Privileged accounts that don't follow naming policy (Azure subscriptions)
  Risk level: not stated
  Where: Azure subscription
  Filter/subfilter: List Azure role assignments using the Azure portal
  Notes: List role assignments for subscriptions and alert where the sign-in name doesn't match your organization's format. An example is the use of ADM_ as a prefix.
* Interrupt
  Risk level: High, medium
  Where: Microsoft Entra sign-ins
  Filter/subfilter: Status = Interrupted -and- error code = 50074 -and- Failure reason = Strong auth required; or Status = Interrupted -and- error code = 500121 -and- Failure reason = Authentication failed during strong authentication request
  Notes: This event can be an indication an attacker has the password for the account but can't pass the multi-factor authentication challenge.
  Templates: Microsoft Sentinel template, Sigma rules
* Privileged accounts that don't follow naming policy (Microsoft Entra roles)
  Risk level: High
  Where: Microsoft Entra directory
  Filter/subfilter: List Microsoft Entra role assignments
  Notes: List role assignments for Microsoft Entra roles and alert where the UPN doesn't match your organization's format. An example is the use of ADM_ as a prefix.
* Discover privileged accounts not registered for multi-factor authentication
  Risk level: High
  Where: Microsoft Graph API
  Filter/subfilter: Query for IsMFARegistered eq false for admin accounts. See List credentialUserRegistrationDetails (Microsoft Graph beta).
  Notes: Audit and investigate to determine if the event is intentional or an oversight.
* Account lockout
  Risk level: High
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Status = Failure -and- error code = 50053
  Notes: Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
  Templates: Microsoft Sentinel template, Sigma rules
* Account disabled or blocked for sign-ins
  Risk level: Low
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Status = Failure -and- Target = User UPN -and- error code = 50057
  Notes: This event could indicate someone is trying to gain access to an account after they've left the organization. Although the account is blocked, it's still important to log and alert on this activity.
  Templates: Microsoft Sentinel template, Sigma rules
* MFA fraud alert or block (sign-in log)
  Risk level: High
  Where: Microsoft Entra sign-in log/Azure Log Analytics
  Filter/subfilter: Sign-ins > Authentication details; Result details = MFA denied, fraud code entered
  Notes: Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.
  Templates: Microsoft Sentinel template, Sigma rules
* MFA fraud alert or block (audit log)
  Risk level: High
  Where: Microsoft Entra audit log/Azure Log Analytics
  Filter/subfilter: Activity type = Fraud reported - User is blocked for MFA, or Fraud reported - No action taken (based on tenant-level settings for fraud report)
  Notes: Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.
  Templates: Microsoft Sentinel template, Sigma rules
* Privileged account sign-ins outside of expected controls
  Risk level: not stated
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Status = Failure; UserPrincipalName = <Admin account>; Location = <unapproved location>; IP address = <unapproved IP>; Device info = <unapproved Browser, Operating System>
  Notes: Monitor and alert on any entries that you've defined as unapproved.
  Templates: Microsoft Sentinel template, Sigma rules
* Outside of normal sign-in times
  Risk level: High
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Status = Success -and- Location = <location> -and- Time = Outside of working hours
  Notes: Monitor and alert if sign-ins occur outside of expected times. It's important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats.
  Templates: Microsoft Sentinel template, Sigma rules
* Microsoft Entra ID Protection risk
  Risk level: High
  Where: ID Protection logs
  Filter/subfilter: Risk state = At risk -and- Risk level = Low, medium, high -and- Activity = Unfamiliar sign-in/TOR, and so on
  Notes: This event indicates there's some abnormality detected with the sign-in for the account and should be alerted on.
* Password change
  Risk level: High
  Where: Microsoft Entra audit logs
  Filter/subfilter: Activity actor = Admin/self-service -and- Target = User -and- Status = Success or failure
  Notes: Alert when any administrator account password changes. Write a query for privileged accounts.
  Templates: Microsoft Sentinel template, Sigma rules
* Change in legacy authentication protocol
  Risk level: High
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Client App = Other client, IMAP, POP3, MAPI, SMTP, and so on -and- Username = UPN -and- Application = Exchange (example)
  Notes: Many attacks use legacy authentication, so if there's a change in auth protocol for the user, it could be an indication of an attack.
  Templates: Microsoft Sentinel template, Sigma rules
* New device or location
  Risk level: High
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Device info = Device ID -and- Browser -and- OS -and- Compliant/Managed -and- Target = User -and- Location
  Notes: Most admin activity should be from privileged access devices, from a limited number of locations. For this reason, alert on new devices or locations.
  Templates: Microsoft Sentinel template, Sigma rules
* Audit alert setting is changed
  Risk level: High
  Where: Microsoft Entra audit logs
  Filter/subfilter: Service = PIM -and- Category = Role management -and- Activity = Disable PIM alert -and- Status = Success
  Notes: Changes to a core alert should be alerted if unexpected.
  Templates: Microsoft Sentinel template, Sigma rules
* Administrators authenticating to other Microsoft Entra tenants
  Risk level: Medium
  Where: Microsoft Entra sign-in log
  Filter/subfilter: Status = Success -and- Resource tenantID != Home Tenant ID
  Notes: When scoped to privileged users, this monitor detects when an administrator has successfully authenticated to another Microsoft Entra tenant with an identity in your organization's tenant. Alert if Resource TenantID isn't equal to Home Tenant ID.
  Templates: Microsoft Sentinel template, Sigma rules
* Admin user state changed from Guest to Member
  Risk level: Medium
  Where: Microsoft Entra audit logs
  Filter/subfilter: Activity = Update user; Category = UserManagement; UserType changed from Guest to Member
  Notes: Monitor and alert on change of user type from Guest to Member. Was this change expected?
  Templates: Microsoft Sentinel template, Sigma rules
* Guest users invited to tenant by non-approved inviters
  Risk level: Medium
  Where: Microsoft Entra audit logs
  Filter/subfilter: Activity = Invite external user; Category = UserManagement; Initiated by (actor) = User Principal Name
  Notes: Monitor and alert on non-approved actors inviting external users.
  Templates: Microsoft Sentinel template, Sigma rules

CHANGES BY PRIVILEGED ACCOUNTS

Monitor all completed and attempted changes by a privileged account. This data enables you to establish what's normal activity for each privileged account and alert on activity that deviates from the expected. The Microsoft Entra audit logs are used to record this type of event. For more information on Microsoft Entra audit logs, see Audit logs in Microsoft Entra ID.

MICROSOFT ENTRA DOMAIN SERVICES

Privileged accounts that have been assigned permissions in Microsoft Entra Domain Services can perform tasks for Microsoft Entra Domain Services that affect the security posture of your Azure-hosted virtual machines that use Microsoft Entra Domain Services. Enable security audits on virtual machines and monitor the logs. For more information on enabling Microsoft Entra Domain Services audits and for a list of sensitive privileges, see the following resources:

* Enable security audits for Microsoft Entra Domain Services
* Audit Sensitive Privilege Use

* Attempted and completed changes
  Risk level: High
  Where: Microsoft Entra audit logs
  Filter/subfilter: Date and time -and- Service -and- Category and name of the activity (what) -and- Status = Success or failure -and- Target -and- Initiator or actor (who)
  Notes: Any unplanned changes should be alerted on immediately. These logs should be retained to help with any investigation. Any tenant-level changes that would lower the security posture of your tenant should be investigated immediately (link out to Infra doc). An example is excluding accounts from multifactor authentication or Conditional Access. Alert on any additions or changes to applications. See Microsoft Entra security operations guide for Applications.
* Attempted or completed change to high-value apps or services
  Risk level: High
  Where: Audit log
  Filter/subfilter: Service -and- Category and name of the activity
  Notes: Date and time, Service, Category and name of the activity, Status = Success or failure, Target, Initiator or actor (who)
* Privileged changes in Microsoft Entra Domain Services
  Risk level: High
  Where: Microsoft Entra Domain Services
  Filter/subfilter: Look for event 4673
  Notes: Enable security audits for Microsoft Entra Domain Services. For a list of all privileged events, see Audit Sensitive Privilege Use.

CHANGES TO PRIVILEGED ACCOUNTS

Investigate changes to privileged accounts' authentication rules and privileges, especially if the change provides greater privilege or the ability to perform tasks in your Microsoft Entra environment.

* Privileged account creation
  Risk level: Medium
  Where: Microsoft Entra audit logs
  Filter/subfilter: Service = Core Directory -and- Category = User management -and- Activity type = Add user -correlate with- Category type = Role management -and- Activity type = Add member to role -and- Modified properties = Role.DisplayName
  Notes: Monitor creation of any privileged accounts. Look for correlation that's of a short time span between creation and deletion of accounts.
  Templates: Microsoft Sentinel template, Sigma rules
* Changes to authentication methods
  Risk level: High
  Where: Microsoft Entra audit logs
  Filter/subfilter: Service = Authentication Method -and- Activity type = User registered security information -and- Category = User management
  Notes: This change could be an indication of an attacker adding an auth method to the account so they can have continued access.
  Templates: Microsoft Sentinel template, Sigma rules
* Alert on changes to privileged account permissions
  Risk level: High
  Where: Microsoft Entra audit logs
  Filter/subfilter: Category = Role management -and- Activity type = Add eligible member (permanent) -or- Activity type = Add eligible member (eligible) -and- Status = Success or failure -and- Modified properties = Role.DisplayName
  Notes: This alert is especially for accounts being assigned roles that aren't known or are outside of their normal responsibilities.
  Templates: Sigma rules
* Unused privileged accounts
  Risk level: Medium
  Where: Microsoft Entra access reviews
  Filter/subfilter: Perform a monthly review for inactive privileged user accounts.
  Templates: Sigma rules
* Accounts exempt from Conditional Access
  Risk level: High
  Where: Azure Monitor Logs -or- Access Reviews
  Filter/subfilter: Conditional Access = Insights and reporting
  Notes: Any account exempt from Conditional Access is most likely bypassing security controls and is more vulnerable to compromise. Break-glass accounts are exempt; see the Emergency access accounts section of this article for how to monitor them.
* Addition of a Temporary Access Pass to a privileged account
  Risk level: High
  Where: Microsoft Entra audit logs
  Filter/subfilter: Activity = Admin registered security info; Status reason = Admin registered temporary access pass method for user; Category = UserManagement; Initiated by (actor) = User Principal Name; Target = User Principal Name
  Notes: Monitor and alert on a Temporary Access Pass being created for a privileged user.
  Templates: Microsoft Sentinel template, Sigma rules

For more information on how to monitor for exceptions to Conditional Access policies, see Conditional Access insights and reporting. For more information on discovering unused privileged accounts, see Create an access review of Microsoft Entra roles in Privileged Identity Management.

ASSIGNMENT AND ELEVATION

Having privileged accounts that are permanently provisioned with elevated abilities can increase the attack surface and risk to your security boundary. Instead, employ just-in-time access by using an elevation procedure.
This type of system allows you to assign eligibility for privileged roles. Admins elevate their privileges to those roles only when they perform tasks that need those privileges. Using an elevation process enables you to monitor elevations and non-use of privileged accounts. ESTABLISH A BASELINE To monitor for exceptions, you must first create a baseline. Determine the following information for these elements * Admin accounts * Your privileged account strategy * Use of on-premises accounts to administer on-premises resources * Use of cloud-based accounts to administer cloud-based resources * Approach to separating and monitoring administrative permissions for on-premises and cloud-based resources * Privileged role protection * Protection strategy for roles that have administrative privileges * Organizational policy for using privileged accounts * Strategy and principles for maintaining permanent privilege versus providing time-bound and approved access The following concepts and information help determine policies: * Just-in-time admin principles. Use the Microsoft Entra logs to capture information for performing administrative tasks that are common in your environment. Determine the typical amount of time needed to complete the tasks. * Just-enough admin principles. Determine the least-privileged role, which might be a custom role, that's needed for administrative tasks. For more information, see Least privileged roles by task in Microsoft Entra ID. * Establish an elevation policy. After you have insight into the type of elevated privilege needed and how long is needed for each task, create policies that reflect elevated privileged usage for your environment. As an example, define a policy to limit role elevation to one hour. After you establish your baseline and set policy, you can configure monitoring to detect and alert usage outside of policy. DISCOVERY Pay particular attention to and investigate changes in assignment and elevation of privilege. 
THINGS TO MONITOR

You can monitor privileged account changes by using Microsoft Entra audit logs and Azure Monitor logs. Include the following changes in your monitoring process.

What to monitor: Added to eligible privileged role
Risk level: High
Where: Microsoft Entra audit logs
Filter/subfilter: Service = PIM -and- Category = Role management -and- Activity type = Add member to role completed (eligible) -and- Status = Success or failure -and- Modified properties = Role.DisplayName
Notes: Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. Detections: Microsoft Sentinel template; Sigma rules.

What to monitor: Roles assigned out of PIM
Risk level: High
Where: Microsoft Entra audit logs
Filter/subfilter: Service = PIM -and- Category = Role management -and- Activity type = Add member to role (permanent) -and- Status = Success or failure -and- Modified properties = Role.DisplayName
Notes: These roles should be closely monitored and alerted on. Users shouldn't be assigned roles outside of PIM where possible. Detections: Microsoft Sentinel template; Sigma rules.

What to monitor: Elevations
Risk level: Medium
Where: Microsoft Entra audit logs
Filter/subfilter: Service = PIM -and- Category = Role management -and- Activity type = Add member to role completed (PIM activation) -and- Status = Success or failure -and- Modified properties = Role.DisplayName
Notes: After a privileged account is elevated, it can make changes that could affect the security of your tenant. All elevations should be logged; an elevation that happens outside of the standard pattern for that user should be alerted on and, if not planned, investigated.

What to monitor: Approvals and denials of elevation
Risk level: Low
Where: Microsoft Entra audit logs
Filter/subfilter: Service = Access Review -and- Category = UserManagement -and- Activity type = Request approved or denied -and- Initiated actor = UPN
Notes: Monitor all elevations, because together they can give a clear indication of the timeline of an attack. Detections: Microsoft Sentinel template; Sigma rules.

What to monitor: Changes to PIM settings
Risk level: High
Where: Microsoft Entra audit logs
Filter/subfilter: Service = PIM -and- Category = Role management -and- Activity type = Update role setting in PIM -and- Status reason = MFA on activation disabled (example)
Notes: Any of these actions could reduce the security of the PIM elevation and make it easier for attackers to acquire a privileged account. Detections: Microsoft Sentinel template; Sigma rules.

What to monitor: Elevation not occurring on SAW/PAW
Risk level: High
Where: Microsoft Entra sign-in logs
Filter/subfilter: Device ID -and- Browser -and- OS -and- Compliant/Managed. Correlate with: Service = PIM -and- Category = Role management -and- Activity type = Add member to role completed (PIM activation) -and- Status = Success or failure -and- Modified properties = Role.DisplayName
Notes: If you require elevation from a PAW/SAW, any attempt to elevate on a non-PAW/SAW device should be investigated immediately, because it could indicate an attacker is trying to use the account. Detections: Sigma rules.

What to monitor: Elevation to manage all Azure subscriptions
Risk level: High
Where: Azure Monitor, Activity Log tab, Directory Activity tab
Filter/subfilter: Operations Name = Assigns the caller to user access admin -and- Event category = Administrative -and- Status = Succeeded, start, fail -and- Event initiated by
Notes: This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

For more information about managing elevation, see Elevate access to manage all Azure subscriptions and management groups. For information on monitoring elevations by using information available in the Microsoft Entra logs, see Azure Activity log, which is part of the Azure Monitor documentation. For information about configuring alerts for Azure roles, see Configure security alerts for Azure resource roles in Privileged Identity Management.
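As an added example (not Microsoft's code), the following Python triages audit records against the PIM rows of the table above and the one-hour elevation baseline from the earlier section. Record fields mirror Microsoft Graph's directoryAudit resource; the StartTime/ExpirationTime modified properties, the sample records and the example.com accounts are assumptions.

```python
# Added example (not Microsoft's code): triage Entra audit records against the rules above.
# Record fields mirror Microsoft Graph directoryAudit; StartTime/ExpirationTime are assumed.
from datetime import datetime

PIM_RULES = {  # risk level per PIM activity, from the "Things to monitor" table
    "Add member to role completed (eligible)": "High",
    "Add member to role (permanent)": "High",  # role assigned outside PIM
    "Add member to role completed (PIM activation)": "Medium",
    "Update role setting in PIM": "High",
}
MAX_ACTIVATION_HOURS = 1  # baseline policy from the text: limit role elevation to one hour

def modified_value(record, name):
    """Return newValue of the named modifiedProperty on any target resource, else None."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue")
    return None

def triage(record):
    """Return (risk, finding) for a PIM role-management record, or None if no rule matches."""
    if record.get("loggedByService") != "PIM" or record.get("category") != "RoleManagement":
        return None
    activity = record.get("activityDisplayName")
    risk = PIM_RULES.get(activity)
    if risk is None:
        return None
    role = modified_value(record, "Role.DisplayName") or "<unknown role>"
    actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
    finding = f"{activity}: {role} by {actor} [{record.get('result')}]"
    # Baseline check: an activation longer than the policy allows is escalated to High.
    start, end = modified_value(record, "StartTime"), modified_value(record, "ExpirationTime")
    if activity.endswith("(PIM activation)") and start and end:
        hours = (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600
        if hours > MAX_ACTIVATION_HOURS:
            risk, finding = "High", f"{finding} exceeds policy: {hours:g}h > {MAX_ACTIVATION_HOURS}h"
    return risk, finding

# Constructed sample records (not real tenant data): an 8-hour activation and a permanent assignment.
SAMPLE = [
    {"loggedByService": "PIM", "category": "RoleManagement", "result": "success",
     "activityDisplayName": "Add member to role completed (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "Global Administrator"},
         {"displayName": "StartTime", "newValue": "2024-11-17T09:00:00+00:00"},
         {"displayName": "ExpirationTime", "newValue": "2024-11-17T17:00:00+00:00"}]}]},
    {"loggedByService": "PIM", "category": "RoleManagement", "result": "success",
     "activityDisplayName": "Add member to role (permanent)",
     "initiatedBy": {"user": {"userPrincipalName": "ops@example.com"}},
     "targetResources": [{"modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "Security Administrator"}]}]},
]
```

Running `[triage(r) for r in SAMPLE]` flags the activation as High because it exceeds the one-hour baseline, and the permanent assignment as High because it bypassed PIM.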
NEXT STEPS

See these security operations guide articles:

* Microsoft Entra security operations overview
* Security operations for user accounts
* Security operations for consumer accounts
* Security operations for Privileged Identity Management
* Security operations for applications
* Security operations for devices
* Security operations for infrastructure