Detecting usage of Elevated Access Toggle in Azure environments

As I have started looking into Microsoft Azure, one of the risks I have identified is that a Global Administrator can elevate access to manage all Azure subscriptions and management groups. The technique is also covered in the Azure Threat Research Matrix as AZT402. My first instinct would be to eliminate this risk completely, which unfortunately is not possible. Global Admins should be rare and well protected, but the elevation path remains a risk of interest.

Karim El-Melhaoui
Security Architect

Given that the risk cannot be completely mitigated, my next instinct is to look for a detective control. My assumption that Management Group activity would be part of the Azure Activity logs by default was quickly proven wrong.

I came across two blog posts from @samilamppu that cover two ways of extracting the logs to detect this specific scenario:

samilamppu.com/detect-elevate-access-activity-in-azure-with-microsoft-sentinel-native-capabilities

samilamppu.com/monitor-elevate-access-activity-in-azure-with-azure-sentinel

The problem is that the data relies on another source, Microsoft Defender for Cloud Apps, which not all Azure customers have due to license constraints.

I did some digging into the API and came across the Management Group Diagnostic Settings REST API (https://docs.microsoft.com/en-us/rest/api/monitor/management-group-diagnostic-settings). Great!

To enable it at the Tenant Root Group level (the top-level management group), all I have to do is run the following one-liner, followed by the payload:

one-liner using Azure CLI with REST API

body.json – Update data on line 3

Now you can navigate to the workspace and, after roughly a 10 minute delay, start seeing events whose Hierarchy is your Tenant ID. To filter to events from the top-level Management Group you can use the query below:


The specific behaviour you want to detect is a Global Admin enabling the setting below (Access management for Azure resources):

To surface that behaviour, run the query below in Log Analytics. It can also serve as the basis for your detection rule:


And the data returned contains the specific event:
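As an added example that is not the post's own code, the Python below covers both steps above: it assembles the PUT request that the Azure CLI one-liner sends to the Management Group Diagnostic Settings API (the endpoint path, the 2020-01-01-preview api-version, the Administrative/Policy categories and the body shape follow that API's documentation), and it runs the same filter as the Log Analytics query, Hierarchy equal to the tenant ID plus the elevateAccess operation, over a few constructed AzureActivity-style rows. The tenant ID, workspace resource ID, setting name, callers and IP addresses are placeholders.

```python
"""Added example, not the post's own code: (1) build the PUT request the `az rest`
one-liner sends to the Management Group Diagnostic Settings API, and (2) run the
elevate-access filter from the Log Analytics query over constructed rows."""
import re
import shlex

ARM_ENDPOINT = "https://management.azure.com"
# api-version documented for management group diagnostic settings.
API_VERSION = "2020-01-01-preview"
# Only these log categories exist at management group scope.
MG_LOG_CATEGORIES = ("Administrative", "Policy")
# Activity Log operation written when the elevated access toggle is turned on.
ELEVATE_ACCESS_OP = "Microsoft.Authorization/elevateAccess/action"

_WORKSPACE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/"
    r"Microsoft\.OperationalInsights/workspaces/[^/]+$", re.IGNORECASE)

# Placeholder identifiers (assumptions for this example).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/"
                "rg-logging/providers/Microsoft.OperationalInsights/workspaces/law-security")

# Constructed AzureActivity-like rows: column names follow the AzureActivity table,
# the values are made up. Row 2 is a subscription-scoped role assignment (not a hit),
# row 3 shows the upper-cased OperationNameValue form the table can contain.
SAMPLE_ACTIVITY = [
    {"TimeGenerated": "2022-05-10T08:12:01Z", "Hierarchy": TENANT_ID,
     "OperationNameValue": "Microsoft.Authorization/elevateAccess/action",
     "ActivityStatusValue": "Success", "Caller": "ga@contoso.example",
     "CallerIpAddress": "203.0.113.7"},
    {"TimeGenerated": "2022-05-10T08:15:44Z",
     "Hierarchy": f"{TENANT_ID}/11111111-1111-1111-1111-111111111111",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Success", "Caller": "ga@contoso.example",
     "CallerIpAddress": "203.0.113.7"},
    {"TimeGenerated": "2022-05-11T17:03:12Z", "Hierarchy": TENANT_ID,
     "OperationNameValue": "MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION",
     "ActivityStatusValue": "Success", "Caller": "breakglass@contoso.example",
     "CallerIpAddress": "198.51.100.23"},
]


def build_diag_setting_request(management_group_id, setting_name, workspace_id,
                               categories=MG_LOG_CATEGORIES):
    """Return (method, url, body) for enabling diagnostic settings on a management
    group. For the Tenant Root Group, management_group_id is the tenant ID."""
    unknown = sorted(set(categories) - set(MG_LOG_CATEGORIES))
    if unknown:
        raise ValueError(f"unsupported management group log categories: {unknown}")
    if not _WORKSPACE_ID_RE.match(workspace_id):
        raise ValueError("workspaceId must be a full Log Analytics workspace resource ID")
    url = (f"{ARM_ENDPOINT}/providers/Microsoft.Management/managementGroups/"
           f"{management_group_id}/providers/microsoft.insights/diagnosticSettings/"
           f"{setting_name}?api-version={API_VERSION}")
    body = {"properties": {"workspaceId": workspace_id,
                           "logs": [{"category": c, "enabled": True} for c in categories]}}
    return "PUT", url, body


def az_rest_command(url, body_file="body.json"):
    """The equivalent `az rest` invocation, reading the JSON body from a file."""
    return f"az rest --method put --url {shlex.quote(url)} --body @{body_file}"


def detect_elevate_access(records, tenant_id):
    """Python equivalent of the Log Analytics filter: keep rows whose Hierarchy is
    the tenant ID (top-level management group) and whose operation is elevateAccess.
    The comparison is case-insensitive, like KQL's =~, because OperationNameValue
    can appear upper-cased in AzureActivity."""
    hits = [r for r in records
            if r.get("Hierarchy") == tenant_id
            and r.get("OperationNameValue", "").lower() == ELEVATE_ACCESS_OP.lower()]
    return sorted(hits, key=lambda r: r["TimeGenerated"])


if __name__ == "__main__":
    method, url, body = build_diag_setting_request(TENANT_ID, "mg-to-law", WORKSPACE_ID)
    print(method, url)
    print(az_rest_command(url))
    for hit in detect_elevate_access(SAMPLE_ACTIVITY, TENANT_ID):
        print(hit["TimeGenerated"], hit["Caller"], hit["CallerIpAddress"],
              hit["ActivityStatusValue"])
```

The Hierarchy check is what keeps the detection scoped to the Tenant Root Group; a subscription-level event carries the subscription ID in its Hierarchy path and is ignored, while the operation check is case-insensitive so a schema change in how OperationNameValue is cased does not silently blind the rule.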

This is, in my opinion, the simplest way of enabling logging at the Management Group level without depending on additional automation. Keep in mind that a Global Admin can potentially take control of Azure resources through other techniques, and this only covers this particular one.