Skip to content

Add Eligible Member To Role In Pim Completed

Azure

Add Eligible Member To Role In Pim Completed

service: Azure - Microsoft Entra ID
techniques:

Event

Adds a user as an eligible member for a privileged role in Azure PIM, allowing them to activate the role on demand.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud (already a Privileged Role Administrator following the elevateAccess chain) creates a permanent PIM eligible assignment of the Global Administrator role on his own account. This sets up an unprivileged baseline (no role active, low signal) plus the ability to JIT-activate Global Admin whenever needed — a stealthier persistence pattern than holding the role active. loggedByService is PIM, category is RoleManagement, operationType is Add. targetResources reflect both the user receiving the eligibility and the role template being made eligible.

{
"id": "Directory_90000000-0000-4000-8000-000001100101_2B7E5_60718244",
"category": "RoleManagement",
"correlationId": "90000000-0000-4000-8000-000001100101",
"result": "success",
"resultReason": "",
"activityDisplayName": "Add eligible member to role in PIM completed (permanent)",
"activityDateTime": "2026-04-15T18:21:33.0884712Z",
"loggedByService": "PIM",
"operationType": "Add",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"type": "User",
"userPrincipalName": "draco@fantasticlogs.cloud",
"groupType": null,
"modifiedProperties": [
{
"displayName": "Role.DisplayName",
"oldValue": "[]",
"newValue": "[\"Global Administrator\"]"
},
{
"displayName": "Role.TemplateId",
"oldValue": "[]",
"newValue": "[\"62e90394-69f5-4237-9190-012177145e10\"]"
},
{
"displayName": "Role.ObjectId",
"oldValue": "[]",
"newValue": "[\"50000000-0000-4000-8000-000000000001\"]"
},
{
"displayName": "Member.Type",
"oldValue": "[]",
"newValue": "[\"User\"]"
},
{
"displayName": "Assignment.Scope",
"oldValue": "[]",
"newValue": "[\"/\"]"
},
{
"displayName": "Assignment.Type",
"oldValue": "[]",
"newValue": "[\"Eligible\"]"
},
{
"displayName": "Assignment.AssignmentState",
"oldValue": "[]",
"newValue": "[\"Eligible\"]"
},
{
"displayName": "Assignment.IsPermanent",
"oldValue": "[]",
"newValue": "[true]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"Role.DisplayName, Role.TemplateId, Role.ObjectId, Member.Type, Assignment.Scope, Assignment.Type, Assignment.AssignmentState, Assignment.IsPermanent\""
}
]
},
{
"id": "62e90394-69f5-4237-9190-012177145e10",
"displayName": "Global Administrator",
"type": "Role",
"userPrincipalName": null,
"groupType": null,
"modifiedProperties": []
}
],
"additionalDetails": [
{
"key": "RequestType",
"value": "AdminAdd"
},
{
"key": "User-Agent",
"value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)"
}
]
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...