Office Protect Event - Administrator Role Change

Multiple types of actions can trigger this event: 


  • New administrator created
  • Administrator account deleted
  • User granted administrator rights
  • User revoked administrator rights


Privilege escalation is a core part of attacker tradecraft: once a foothold is established, the next step is usually to obtain an account with administrative rights. Any change to administrative privileges should therefore be treated as a red flag and monitored closely.


Remediation

If the Administrator Role Change is considered suspicious, we recommend reviewing the activity surrounding this user in the Unified Audit Logs and the Azure AD sign-in logs. If possible, consider disabling the account that has been granted administrator privileges until the investigation is complete. Also review the account that performed the change: if that account is itself compromised, removing the newly granted role is not enough.


You can filter activity in Azure Active Directory by the User Principal Name provided in the event. Look for password changes or resets, Exchange inbox rules created (for example forwarding or deletion rules), and new user accounts created by the admin, both for the account that received the role and for the account that granted it.
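To make that hunt concrete, here is an added example (not Office Protect code) that triages an Administrator Role Change against Unified Audit Log records exported as one AuditData JSON object per line, such as the AuditData column returned by the Exchange Online cmdlet Search-UnifiedAuditLog -UserIds <UPN> or a compliance portal export. It assumes the AuditData field names shown (CreationTime, Operation, ResultStatus, UserId, ObjectId, ModifiedProperties with Role.DisplayName) and the listed operation names as Azure AD and Exchange write them; the admin-role name match, the 24-hour window, and the sample records are constructed for this example.

```python
"""Triage an Administrator Role Change against Unified Audit Log records.

Added example, not Office Protect code. Input is the AuditData JSON that
Search-UnifiedAuditLog / the compliance portal export, one object per line.
Field and operation names follow the Azure AD and Exchange record layout;
the sample records at the bottom are constructed for this example.
"""
import json
from datetime import datetime, timedelta

# Azure AD operations that raise the Administrator Role Change event
ROLE_CHANGE_OPS = {"Add member to role.", "Remove member from role."}

# Follow-on actions the article tells you to look for around the affected accounts
FOLLOW_ON_OPS = {
    "Reset user password.", "Change user password.",        # password changes (Azure AD)
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",   # Exchange rules
    "Add user.",                                            # new accounts created
}

# Assumption: a role counts as administrative if its display name contains one of these
ADMIN_ROLE_HINTS = ("Administrator", "Admin")


def load_records(ndjson_text):
    """Parse one AuditData JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def role_name(rec):
    """Role display name from the ModifiedProperties of an Azure AD role-change record."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue") or prop.get("OldValue") or ""
    return ""


def find_role_changes(records):
    """Successful grants/removals of an administrative role."""
    return [
        rec for rec in records
        if rec.get("Operation") in ROLE_CHANGE_OPS
        and rec.get("ResultStatus") == "Success"
        and any(h in role_name(rec) for h in ADMIN_ROLE_HINTS)
    ]


def follow_on_activity(records, upn, start, hours=24):
    """Follow-on operations performed by `upn` within `hours` after `start`, sorted by time."""
    end = start + timedelta(hours=hours)
    hits = []
    for rec in records:
        when = datetime.fromisoformat(rec["CreationTime"])
        if (rec.get("UserId", "").lower() == upn.lower()
                and start <= when <= end
                and rec.get("Operation") in FOLLOW_ON_OPS):
            hits.append((rec["CreationTime"], rec["Operation"], rec.get("ObjectId", "")))
    return sorted(hits)


def triage(records):
    """For each admin role change: who did it, to whom, and what both accounts did next."""
    findings = []
    for change in find_role_changes(records):
        start = datetime.fromisoformat(change["CreationTime"])
        actor, target = change["UserId"], change["ObjectId"]
        findings.append({
            "time": change["CreationTime"],
            "operation": change["Operation"],
            "role": role_name(change),
            "actor": actor,
            "target": target,
            # the account that received the role (the one the article suggests disabling)
            "target_activity": follow_on_activity(records, target, start),
            # the account that made the change: it may itself be compromised
            "actor_activity": follow_on_activity(records, actor, start),
        })
    return findings


# Constructed sample export: one AuditData object per line (fields trimmed to what is used)
SAMPLE_UAL = r'''
{"CreationTime": "2024-03-04T17:30:00", "Operation": "New-InboxRule", "Workload": "Exchange", "ResultStatus": "Success", "UserId": "jdoe@contoso.com", "ObjectId": ""}
{"CreationTime": "2024-03-05T09:12:00", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory", "ResultStatus": "Success", "UserId": "helpdesk@contoso.com", "ObjectId": "jdoe@contoso.com", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""}]}
{"CreationTime": "2024-03-05T09:20:00", "Operation": "Reset user password.", "Workload": "AzureActiveDirectory", "ResultStatus": "Success", "UserId": "jdoe@contoso.com", "ObjectId": "cfo@contoso.com"}
{"CreationTime": "2024-03-05T09:25:00", "Operation": "New-InboxRule", "Workload": "Exchange", "ResultStatus": "Success", "UserId": "jdoe@contoso.com", "ObjectId": ""}
{"CreationTime": "2024-03-05T09:40:00", "Operation": "Add user.", "Workload": "AzureActiveDirectory", "ResultStatus": "Success", "UserId": "jdoe@contoso.com", "ObjectId": "svc-backup@contoso.com"}
{"CreationTime": "2024-03-05T09:50:00", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory", "ResultStatus": "Failure", "UserId": "jdoe@contoso.com", "ObjectId": "svc-backup@contoso.com", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Exchange Administrator", "OldValue": ""}]}
{"CreationTime": "2024-03-05T11:00:00", "Operation": "Remove member from role.", "Workload": "AzureActiveDirectory", "ResultStatus": "Success", "UserId": "admin@contoso.com", "ObjectId": "old.admin@contoso.com", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "", "OldValue": "Exchange Administrator"}]}
'''

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_UAL)):
        print(f"{f['time']} {f['operation']} role={f['role']!r} by {f['actor']} on {f['target']}")
        for when, op, obj in f["target_activity"]:
            print(f"    target then: {when} {op} {obj}")
        for when, op, obj in f["actor_activity"]:
            print(f"    actor then:  {when} {op} {obj}")
```

Run against the constructed sample, the script reports the Global Administrator grant to jdoe@contoso.com followed by a password reset, a new inbox rule and a new user within the hour, which is exactly the pattern worth disabling the account over; the earlier inbox rule falls outside the window and the failed role grant is ignored. Widen FOLLOW_ON_OPS or the window to suit your tenant.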


The Principle of Least Privilege should be followed for your tenant's administrator accounts: each administrator should hold only the minimum permissions needed for their day-to-day work, so the Global Administrator role is not handed out where a scoped role such as Exchange Administrator or Helpdesk Administrator would do.

Office Protect provides tools to audit your organization's admins with Advanced Report.

Microsoft also provides tools for tighter control of admins. Access Reviews is a process you can automate to periodically review and recertify membership of certain roles and groups within your organization. Privileged Identity Management (PIM) lets you make users eligible for a role rather than permanently assigned to it, so they activate it only for the time needed to perform their required tasks, with each activation logged and optionally requiring approval or MFA.

Note that Access Reviews and Privileged Identity Management are available with Azure AD Premium P2 licenses.

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview