Microsoft.Authorization/elevateAccess/action
Azure
Microsoft.Authorization/elevateAccess/action
Event
Global Admin elevates to User Access Administrator at root scope, granting control over all Azure subscriptions.
Security Context
- The elevateAccess API is a built-in Azure mechanism that grants a Global Admin the User Access Administrator role at the tenant root management group, providing full RBAC control over every subscription in the tenant.
- This is one of the most powerful privilege escalation actions in Azure — it bridges the gap between Entra ID (directory) and Azure Resource Manager (subscription) permissions, granting complete control over all Azure resources.
Log Source
Azure Activity Log
Sample Event
Compromised Global Administrator draco@fantasticlogs.cloud calls Microsoft.Authorization/elevateAccess/action, granting himself the User Access Administrator role at root scope (/) — the bridge from Entra directory privilege to full Azure Resource Manager control across every subscription in the tenant. subscriptionId is empty and claims.wids carries the real Global Administrator templateId.
{ "authorization": { "action": "Microsoft.Authorization/elevateAccess/action", "scope": "/providers/Microsoft.Authorization" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "iat": "1776506400", "nbf": "1776506400", "exp": "1776595200", "http://schemas.microsoft.com/claims/authnclassreference": "1", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd", "appid": "00001111-aaaa-2222-bbbb-3333cccc4444", "appidacr": "0", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Malfoy", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Draco", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "draco@fantasticlogs.cloud", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "62e90394-69f5-4237-9190-012177145e10", "uti": "elev666AccessUtIDSampL", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-001010011010", "description": "", "eventDataId": "90000000-0000-4000-8000-001010011011", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T17:23:08.4715290Z", "id": "/providers/Microsoft.Authorization/events/90000000-0000-4000-8000-001010011011/ticks/638798112184715290", "level": "Informational", "operationId": "90000000-0000-4000-8000-001010011100", "operationName": { "value": "Microsoft.Authorization/elevateAccess/action", "localizedValue": "Assigns the caller to User Access Administrator role" }, "resourceGroupName": "", "resourceProviderName": { "value": "Microsoft.Authorization", "localizedValue": "Microsoft.Authorization" }, "resourceType": { "value": "Microsoft.Authorization", "localizedValue": "Microsoft.Authorization" }, "resourceId": "/providers/Microsoft.Authorization", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T17:23:09.0218742Z", "subscriptionId": "", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "requestbody": "{}", "eventCategory": "Administrative", "entity": "/providers/Microsoft.Authorization", "message": "Microsoft.Authorization/elevateAccess/action", "hierarchy": "" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Stealth
Techniques:
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...