Azure restricted management administrative unit created

This rule is part of a beta feature. To learn more, contact Support.

Set up the Azure integration.



Detect creation of Entra ID (Azure AD) restricted management Administrative Units (AUs). A restricted management AU prevents any user without a specific scoped role assignment from modifying the users who are members of that AU. If the IT team did not configure it intentionally, this can impact user containment during sensitive incidents, and it may indicate malicious activity.


Monitor Azure Active Directory logs for @properties.category:AdministrativeUnit and "Add administrative unit" where the event includes a restricted administrative unit.
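
The same check can be run offline over exported Entra ID audit records. The following is an added example, not the rule's own query or code; it works on the raw audit record (the fields the integration nests under @properties) and assumes the restricted flag appears as a modified property named IsMemberManagementRestricted with a JSON-encoded value. All sample events are constructed.

```python
import json

RESTRICTED_PROP = "IsMemberManagementRestricted"  # assumed audit property name

def _event(activity, actor, au_name, restricted):
    """Build a constructed audit record in the Graph directoryAudit shape."""
    return {
        "category": "AdministrativeUnit",
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "displayName": au_name,
            "modifiedProperties": [{"displayName": RESTRICTED_PROP,
                                    "oldValue": "[]", "newValue": restricted}],
        }],
    }

# Constructed sample data, not real tenant logs.
SAMPLE_EVENTS = [
    _event("Add administrative unit", "alice@example.com", "Locked-Admins", "[true]"),
    _event("Add administrative unit", "bob@example.com", "Helpdesk-EMEA", "[false]"),
    _event("Update administrative unit", "bob@example.com", "Old-AU", "[true]"),
    {"category": "UserManagement", "activityDisplayName": "Add user"},
]

def _is_true(raw):
    """Audit values are JSON-encoded strings such as '[true]'."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return False
    items = value if isinstance(value, list) else [value]
    return any(str(v).lower() == "true" for v in items)

def restricted_au_creations(events):
    """Return (actor, AU name) for each creation of a restricted management AU."""
    hits = []
    for ev in events:
        if (ev.get("category") != "AdministrativeUnit"
                or ev.get("activityDisplayName") != "Add administrative unit"):
            continue
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        for target in ev.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") == RESTRICTED_PROP and _is_true(prop.get("newValue")):
                    hits.append((actor, target.get("displayName")))
    return hits

if __name__ == "__main__":
    for actor, au in restricted_au_creations(SAMPLE_EVENTS):
        print(f"ALERT: {actor} created restricted management AU {au!r}")
```

The returned actor is the account to examine in the triage steps.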

Triage and response

  1. Review if restricted administrative units are used by the organization.
  2. Review evidence of anomalous activity for the user creating a restricted administrative unit.
  3. Determine if there is a legitimate reason for the user creating a restricted administrative unit.