Add Eligible Member To Role In Pim Completed
Add Eligible Member To Role In Pim Completed
Event
Adds a user as an eligible member for a privileged role in Azure PIM, allowing them to activate the role on demand.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud (already a Privileged Role Administrator following the elevateAccess chain) creates a permanent PIM eligible assignment of the Global Administrator role on his own account. This sets up an unprivileged baseline (no role active, low signal) plus the ability to JIT-activate Global Admin whenever needed — a stealthier persistence pattern than holding the role active. loggedByService is PIM, category is RoleManagement, operationType is Add. targetResources reflect both the user receiving the eligibility and the role template being made eligible.
{ "id": "Directory_90000000-0000-4000-8000-000001100101_2B7E5_60718244", "category": "RoleManagement", "correlationId": "90000000-0000-4000-8000-000001100101", "result": "success", "resultReason": "", "activityDisplayName": "Add eligible member to role in PIM completed (permanent)", "activityDateTime": "2026-04-15T18:21:33.0884712Z", "loggedByService": "PIM", "operationType": "Add", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "type": "User", "userPrincipalName": "draco@fantasticlogs.cloud", "groupType": null, "modifiedProperties": [ { "displayName": "Role.DisplayName", "oldValue": "[]", "newValue": "[\"Global Administrator\"]" }, { "displayName": "Role.TemplateId", "oldValue": "[]", "newValue": "[\"62e90394-69f5-4237-9190-012177145e10\"]" }, { "displayName": "Role.ObjectId", "oldValue": "[]", "newValue": "[\"50000000-0000-4000-8000-000000000001\"]" }, { "displayName": "Member.Type", "oldValue": "[]", "newValue": "[\"User\"]" }, { "displayName": "Assignment.Scope", "oldValue": "[]", "newValue": "[\"/\"]" }, { "displayName": "Assignment.Type", "oldValue": "[]", "newValue": "[\"Eligible\"]" }, { "displayName": "Assignment.AssignmentState", "oldValue": "[]", "newValue": "[\"Eligible\"]" }, { "displayName": "Assignment.IsPermanent", "oldValue": "[]", "newValue": "[true]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Role.DisplayName, Role.TemplateId, Role.ObjectId, Member.Type, Assignment.Scope, Assignment.Type, Assignment.AssignmentState, Assignment.IsPermanent\"" } ] }, { "id": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "type": "Role", "userPrincipalName": null, "groupType": null, "modifiedProperties": [] } ], "additionalDetails": [ { "key": "RequestType", "value": "AdminAdd" }, { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...