Azure user removed from restricted administrative unit
Set up the Azure integration.
Goal
Detect when an Entra ID (Azure AD) user is removed from a restricted management Administrative Unit (AU). A restricted management AU prevents anyone without a specific scoped role assignment from modifying the users who are its members. Removing a user who was intentionally placed in a restricted management AU can leave that protected user modifiable by directory-level administrators.
Strategy
Monitor Azure Active Directory logs for @properties.category:AdministrativeUnit and @evt.name:"Remove member from restricted management administrative unit" where the event includes a restricted administrative unit.
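The two conditions above, applied to parsed audit events as an added example (not the rule's own code or part of the original page). Only properties.category and evt.name come from the page; the usr.id, timestamp and properties.targetResources fields and all sample events are constructed assumptions.

```python
# Added example, not Datadog's rule code. Only properties.category and evt.name
# come from the page; usr.id, timestamp, properties.targetResources and all
# sample events are constructed assumptions.
RULE_CATEGORY = "AdministrativeUnit"
RULE_EVENT = "Remove member from restricted management administrative unit"

def get_path(event, dotted, default=None):
    """Resolve 'a.b.c' in nested dicts; also accept a flattened 'a.b.c' key."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def find_removals(events):
    """Return one triage record per event that meets both rule conditions."""
    findings = []
    for ev in events:
        if get_path(ev, "properties.category") != RULE_CATEGORY:
            continue
        if get_path(ev, "evt.name") != RULE_EVENT:
            continue
        targets = get_path(ev, "properties.targetResources") or []
        findings.append({
            "time": get_path(ev, "timestamp", "unknown"),
            "actor": get_path(ev, "usr.id", "unknown"),
            "removed_users": [t.get("userPrincipalName", "unknown")
                              for t in targets if t.get("type") == "User"],
        })
    return findings

SAMPLE_EVENTS = [  # constructed
    {"timestamp": "2024-01-01T10:00:00Z", "usr": {"id": "admin@example.com"},
     "evt": {"name": RULE_EVENT},
     "properties": {"category": "AdministrativeUnit", "targetResources": [
         {"type": "User", "userPrincipalName": "vip@example.com"}]}},
    # Same category, unrestricted AU event name: must not match.
    {"timestamp": "2024-01-01T10:05:00Z", "usr": {"id": "admin@example.com"},
     "evt": {"name": "Remove member from administrative unit"},
     "properties": {"category": "AdministrativeUnit"}},
    # Flattened attribute keys, no actor or target recorded.
    {"timestamp": "2024-01-01T10:10:00Z", "evt.name": RULE_EVENT,
     "properties.category": "AdministrativeUnit"},
    # Right event name under a different category: must not match.
    {"evt": {"name": RULE_EVENT}, "properties": {"category": "UserManagement"}},
]
```

Each record returned by find_removals(SAMPLE_EVENTS) carries the actor and the removed users, which are the starting points for the triage steps.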
Triage and response
- Review whether restricted administrative units are used by the organization.
- Review evidence of anomalous activity for the user being removed from the restricted administrative unit.
- Determine if there is a legitimate reason for the user being removed from the restricted administrative unit.