Microsoft.Authorization/elevateAccess/action
Event
Global Admin elevates to User Access Administrator at root scope, granting control over all Azure subscriptions.
Security Context
- The elevateAccess API is a built-in Azure mechanism that grants a Global Admin the User Access Administrator role at the tenant root management group, providing full RBAC control over every subscription in the tenant.
- This is one of the most powerful privilege escalation actions in Azure — it bridges the gap between Entra ID (directory) and Azure Resource Manager (subscription) permissions, granting complete control over all Azure resources.
Log Source
Azure Activity Log
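An added example, not part of the original page: a Python filter that picks this operation out of Activity Log records, handling both the REST API shape, where `operationName` is an object, and the exported shape, where it is a string. The sample records are constructed, and the field names other than the operation name are assumptions based on those two common record shapes.

```python
import json

# Operation name from this page; exported records may carry it upper-cased.
ELEVATE_OP = "microsoft.authorization/elevateaccess/action"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

def _text(value, default=""):
    # REST API records wrap some fields as {"value": ...}; exports use strings.
    if isinstance(value, dict):
        value = value.get("value")
    return str(value) if value else default

def _caller(rec):
    identity = rec.get("identity")
    claims = identity.get("claims", {}) if isinstance(identity, dict) else {}
    return rec.get("caller") or claims.get(UPN_CLAIM) or "unknown"

def find_elevations(records):
    """Group elevateAccess records by correlationId, keeping every status."""
    findings = {}
    for rec in records:
        if _text(rec.get("operationName")).lower() != ELEVATE_OP:
            continue
        key = rec.get("correlationId") or id(rec)  # ungrouped if no id
        finding = findings.setdefault(key, {
            "caller": _caller(rec),
            "time": rec.get("eventTimestamp") or rec.get("time"),
            "source_ip": rec.get("callerIpAddress"),
            "statuses": [],
        })
        status = rec.get("status", rec.get("resultType"))
        finding["statuses"].append(_text(status, "unknown"))
    return list(findings.values())

# Constructed sample records (not real tenant data), covering both shapes.
SAMPLE = json.loads("""[
 {"operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
  "caller": "admin@example.com", "eventTimestamp": "2024-01-01T10:00:00Z",
  "status": {"value": "Started"}, "correlationId": "c-1"},
 {"operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
  "caller": "admin@example.com", "eventTimestamp": "2024-01-01T10:00:01Z",
  "status": {"value": "Succeeded"}, "correlationId": "c-1"},
 {"operationName": "MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION",
  "time": "2024-01-02T08:30:00Z", "resultType": "Success",
  "callerIpAddress": "203.0.113.7", "correlationId": "c-2",
  "identity": {"claims": {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "ops@example.com"}}},
 {"operationName": "Microsoft.Authorization/roleAssignments/write", "correlationId": "c-3"}
]""")

if __name__ == "__main__":
    print(*find_elevations(SAMPLE), sep="\n")
```

Failed and started attempts are kept alongside successes so that an unsuccessful elevation attempt is still surfaced for review.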
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...