Using the Actor ID to verify activity in Azure Global Admin findings

Overview

This article describes how you can use the Actor ID to investigate who or what triggered the "Azure: Entra ID Global Admin Role Assignment" detection, which can be related to one of the following scenarios:

  • A service principal (first-party Microsoft app) was granted global administrator privileges to perform processes.
  • A user was assigned a global administrator role.

Sometimes, these are related to safe events, and the finding can be resolved as an expected configuration change after you use the Actor ID to confirm who or what made the permissions change.

Investigating the actor of the finding

For findings created prior to January 31, 2023, you can review the finding's info field under Matched Evidence to gather the Object ID and Actor ID before investigating further in your Azure Active Directory admin center.

Findings created after January 31, 2023 include the Actor ID as a separate field in the Matched Evidence table. If the ID matches a Microsoft application that is expected in your environment, the finding may relate to safe activity and can be resolved as a false positive.

To determine if the actor is a first-party Microsoft application or service principal, do one of the following:

  • Verify identity in the Azure AD admin center:
    1. Navigate to Dashboard > Enterprise Applications > All Applications.
    2. In the Application Type box, select Microsoft Applications then click Apply.
    3. In the search box below the selectable drop-down menus, type the Application ID you obtained from the info field in the finding.
  • Using the Microsoft Graph PowerShell module, query the entire Azure tenant with the ObjectID(s):
    1. If you need to install the Microsoft Graph module in PowerShell, run Install-Module Microsoft.Graph and Import-Module Microsoft.Graph, then authenticate by running Connect-MgGraph.
    2. Run this command for the query, pasting in the ObjectID value provided in the finding:
      Get-MgDirectoryObjectById -Ids <ObjectID>
      Tip: If working with multiple findings or ObjectIDs, you must run the command separately for each ObjectID:
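The following script is an added example and is not part of the original article or of the Microsoft.Graph module itself. It wraps the per-ID lookup described above so that several ObjectIDs from multiple findings can be resolved in one pass, and it reports whether each actor is a user or a service principal. The two tenant IDs it treats as owners of first-party Microsoft applications are the well-known Microsoft tenants the portal's "Microsoft Applications" filter corresponds to; confirm them against Microsoft's documentation before relying on them. The placeholder ObjectIDs are constructed and must be replaced with the values from the finding; the script assumes Connect-MgGraph has already been run with a scope that can read directory objects (for example Directory.Read.All).

```powershell
# Added example (not from the original article): resolve one or more Actor/Object IDs
# from an "Azure: Entra ID Global Admin Role Assignment" finding and classify each one.
# Assumes: Microsoft.Graph is installed and Connect-MgGraph has been run, e.g.
#   Connect-MgGraph -Scopes 'Directory.Read.All'

# Constructed placeholder IDs: replace with the ObjectID / Actor ID values from the finding.
$ObjectIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# Tenants that own Microsoft first-party applications (well-known Microsoft tenant IDs;
# verify against Microsoft's documentation and your own tenant before relying on them).
$MicrosoftOwnerTenants = @(
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a',  # Microsoft Services
    '72f988bf-86f1-41af-91ab-2d7cd011db47'   # Microsoft
)

function Resolve-FindingActor {
    # Hypothetical helper name; looks up a single directory object by ID and
    # returns a flat record suitable for a table or a CSV export.
    param([Parameter(Mandatory)][string]$Id)

    # One lookup per ID, as the tip above requires for multiple ObjectIDs.
    $obj = Get-MgDirectoryObjectById -Ids $Id -ErrorAction SilentlyContinue |
           Select-Object -First 1

    if (-not $obj) {
        # Deleted or non-existent objects come back empty; surface that explicitly
        # rather than silently skipping the ID.
        return [pscustomobject]@{
            Id = $Id; Type = 'NotFound'; DisplayName = $null; AppId = $null
            UserPrincipalName = $null; FirstPartyMicrosoft = $false
        }
    }

    # Entity-specific properties are not strongly typed on a directoryObject result;
    # they live in AdditionalProperties alongside the OData type discriminator.
    $props = $obj.AdditionalProperties
    $type  = [string]$props['@odata.type'] -replace '^#microsoft\.graph\.', ''

    $firstParty = $false
    if ($type -eq 'servicePrincipal') {
        # A service principal is first-party when its application is owned by a
        # Microsoft tenant; otherwise it is a third-party or customer-owned app.
        $firstParty = $MicrosoftOwnerTenants -contains [string]$props['appOwnerOrganizationId']
    }

    [pscustomobject]@{
        Id                  = $obj.Id
        Type                = $type                        # user, servicePrincipal, group, ...
        DisplayName         = $props['displayName']
        AppId               = $props['appId']              # set for service principals
        UserPrincipalName   = $props['userPrincipalName']  # set for users
        FirstPartyMicrosoft = $firstParty
    }
}

$results = foreach ($id in $ObjectIds) { Resolve-FindingActor -Id $id }
$results | Format-Table -AutoSize
```

A row with Type = servicePrincipal and FirstPartyMicrosoft = True supports resolving the finding as an expected configuration change; a row with Type = user, or a service principal owned by another tenant, still needs the user or application owner confirmed before the finding is closed.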

We also recommend checking the URLs included in the finding's info field. The finding may be a false positive if a variation of these URLs is in the evidence:

Reference: