Skip to content

Add Member To Role

Azure

Add Member To Role

service: Azure - Microsoft Entra ID
techniques:

Event

Directly assigns a user or service principal to an Entra ID directory role, granting that role’s permissions.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Entra ID Audit Logs

Sample Event

Hermione (Privileged Role Administrator) directly assigns draco to the Global Administrator role — a high-impact privilege change a SOC should treat as a P0 detection candidate.

{
"id": "Directory_10000000-0000-4000-8000-000000000001_F1A2B_398214567",
"category": "RoleManagement",
"correlationId": "90000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"result": "success",
"resultReason": "",
"activityDisplayName": "Add member to role",
"activityDateTime": "2026-04-15T13:42:11Z",
"loggedByService": "Core Directory",
"operationType": "Assign",
"initiatedBy": {
"user": {
"id": "30000000-0000-4000-8000-000000000001",
"displayName": "Hermione Granger",
"userPrincipalName": "hermione@fantasticlogs.cloud",
"ipAddress": "198.51.100.42"
}
},
"targetResources": [
{
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"type": "User",
"userPrincipalName": "draco@fantasticlogs.cloud",
"modifiedProperties": [
{
"displayName": "Role.DisplayName",
"oldValue": null,
"newValue": "\"Global Administrator\""
},
{
"displayName": "Role.TemplateId",
"oldValue": null,
"newValue": "\"62e90394-69f5-4237-9190-012177145e10\""
},
{
"displayName": "Role.ObjectId",
"oldValue": null,
"newValue": "\"50000000-0000-4000-8000-000000000001\""
}
]
},
{
"id": "62e90394-69f5-4237-9190-012177145e10",
"displayName": "Global Administrator",
"type": "Role",
"modifiedProperties": []
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
}
]
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...