Azure user added to restricted management administrative unit
Set up the Azure integration.
Goal
Detects the addition of Entra ID (Azure AD) users to restricted management Administrative Units (AUs). A restricted management AU prevents any user without a role assignment specifically scoped to that AU from modifying its member users. Adding a user to a restricted management AU, if not intentionally configured by the IT team, can hinder containment of that user during a sensitive incident and may indicate malicious activity.
Strategy
Monitor Azure Active Directory logs for @properties.category:AdministrativeUnit and @evt.name:"Add member to restricted management administrative unit", where the event includes a restricted administrative unit.
Triage and response
- Review if restricted administrative units are used by the organization.
- Review evidence of anomalous activity for the user being added to the restricted administrative unit.
- Determine if there is a legitimate reason for the user to be added to the restricted administrative unit.
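A small scanner for the query in the Strategy section, as an added example that is not Datadog's rule implementation: it applies both conditions to constructed JSON audit records and pulls out the initiator, the added user and the AU name that the triage steps ask about. Only `@properties.category` and `@evt.name` come from the rule; the `initiatedBy` and `targetResources` layout of the sample records is an assumption.

```python
import json

RULE_CATEGORY = "AdministrativeUnit"
RULE_ACTIVITY = "Add member to restricted management administrative unit"

# Constructed sample log lines shaped like Entra ID audit records (field layout assumed).
SAMPLE_LOGS = [
    json.dumps({"evt": {"name": RULE_ACTIVITY}, "properties": {
        "category": RULE_CATEGORY,
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "targetResources": [
            {"type": "User", "userPrincipalName": "alice@example.com"},
            {"type": "AdministrativeUnit", "displayName": "Tier0-Restricted"}]}}),
    # ordinary (non-restricted) AU membership change: must not match
    json.dumps({"evt": {"name": "Add member to administrative unit"},
                "properties": {"category": RULE_CATEGORY}}),
    # unrelated category: must not match
    json.dumps({"evt": {"name": "Add member to group"},
                "properties": {"category": "GroupManagement"}}),
    "not json",  # malformed line the scanner must tolerate
]

def matches_rule(event: dict) -> bool:
    """Both conditions of the rule's query: category AND activity name."""
    return (event.get("properties", {}).get("category") == RULE_CATEGORY
            and event.get("evt", {}).get("name") == RULE_ACTIVITY)

def triage_context(event: dict) -> dict:
    """Who performed the change, which user was added, and to which AU."""
    props = event.get("properties", {})
    initiator = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
    added_user = au_name = "unknown"
    for res in props.get("targetResources", []):
        if res.get("type") == "User":
            added_user = res.get("userPrincipalName", added_user)
        elif res.get("type") == "AdministrativeUnit":
            au_name = res.get("displayName", au_name)
    return {"initiator": initiator, "added_user": added_user, "administrative_unit": au_name}

def scan(log_lines) -> list:
    """Parse JSON lines, keep rule matches, return one triage record per hit."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if matches_rule(event):
            hits.append(triage_context(event))
    return hits
```

Running `scan(SAMPLE_LOGS)` yields a single record for the restricted-AU addition; the ordinary AU change, the group event and the malformed line are all dropped.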