Office Protect Event - Administrator Role Change

Multiple types of actions can trigger this event: 


  • New administrator created
  • Administrator account deleted
  • User granted administrator rights
  • User revoked administrator rights


Privilege escalation is a big part of hacker behavior. Any changes to administrative privileges should be a big red flag and closely monitored. 


It is recommended to follow the "Principle of Least Privilege" for your tenant’s administrator accounts. This means that your administrators should be able to have just the minimum of permissions to perform their day-to-day activities.

 



Remediation

 

If the Administrator Role Change is considered suspicious, we recommend looking at the activity surrounding this user using the Unified Audit Logs and the Sign-In Audit Logs. If possible, consider disabling the account that’s been granted administrator privileges until the investigation is complete.


You can filter activity on the Azure Active Directory using the User Principal Name provided in the event. Look for changed passwords, Exchange Rules created, other user creation done by the admin.


Note: Office Protect provides tools to audit your organizations’ admins with Advanced Report. 


 

Microsoft also provides tools to allow better control of admins, such as Access Review, which is a process you can automate to audit certain roles and groups within your organization.  You can also implement Privileged Identity Management (PIM) in your organization to grant temporary permissions to certain users so they can perform their required tasks.

 

Note that Access Reviews and Privileged Identity Management are available with Azure AD Premium P2 licenses. 

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview