Skip to content

Microsoft.Authorization/elevateAccess/action

Azure

Microsoft.Authorization/elevateAccess/action

service: Azure - Authorization
techniques:

Event

Global Admin elevates to User Access Administrator at root scope, granting control over all Azure subscriptions.

Security Context

  • The elevateAccess API is a built-in Azure mechanism that grants a Global Admin the User Access Administrator role at the tenant root management group, providing full RBAC control over every subscription in the tenant.
  • This is one of the most powerful privilege escalation actions in Azure — it bridges the gap between Entra ID (directory) and Azure Resource Manager (subscription) permissions, granting complete control over all Azure resources.

Log Source

Azure Activity Log

Sample Event

Compromised Global Administrator draco@fantasticlogs.cloud calls Microsoft.Authorization/elevateAccess/action, granting himself the User Access Administrator role at root scope (/) — the bridge from Entra directory privilege to full Azure Resource Manager control across every subscription in the tenant. subscriptionId is empty and claims.wids carries the real Global Administrator templateId.

{
"authorization": {
"action": "Microsoft.Authorization/elevateAccess/action",
"scope": "/providers/Microsoft.Authorization"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"iat": "1776506400",
"nbf": "1776506400",
"exp": "1776595200",
"http://schemas.microsoft.com/claims/authnclassreference": "1",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
"appid": "00001111-aaaa-2222-bbbb-3333cccc4444",
"appidacr": "0",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Malfoy",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Draco",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "draco@fantasticlogs.cloud",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "62e90394-69f5-4237-9190-012177145e10",
"uti": "elev666AccessUtIDSampL",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-001010011010",
"description": "",
"eventDataId": "90000000-0000-4000-8000-001010011011",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T17:23:08.4715290Z",
"id": "/providers/Microsoft.Authorization/events/90000000-0000-4000-8000-001010011011/ticks/638798112184715290",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-001010011100",
"operationName": {
"value": "Microsoft.Authorization/elevateAccess/action",
"localizedValue": "Assigns the caller to User Access Administrator role"
},
"resourceGroupName": "",
"resourceProviderName": {
"value": "Microsoft.Authorization",
"localizedValue": "Microsoft.Authorization"
},
"resourceType": {
"value": "Microsoft.Authorization",
"localizedValue": "Microsoft.Authorization"
},
"resourceId": "/providers/Microsoft.Authorization",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T17:23:09.0218742Z",
"subscriptionId": "",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"requestbody": "{}",
"eventCategory": "Administrative",
"entity": "/providers/Microsoft.Authorization",
"message": "Microsoft.Authorization/elevateAccess/action",
"hierarchy": ""
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Stealth

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...