Overview
This article describes how you can use the Actor ID to investigate who or what triggered the detection Azure: AD Global Admin Role Assignment. The detection fires in either of the following scenarios:
- A service principal (for example, a first-party Microsoft application) was granted the Global Administrator role.
- A user was assigned the Global Administrator role.
Sometimes, these are related to safe events and the finding can be resolved as an expected configuration change after you use the Actor ID to confirm who or what made the permissions change.
Investigating the actor of the finding
For findings created prior to January 31, 2023, review the finding's info field under Matched Evidence to gather the Object ID and Actor ID before investigating further in your Azure Active Directory admin center.
Findings created after January 31, 2023 include the Actor ID as a separate field in the Matched Evidence table. If the ID resolves to a Microsoft application that is expected in your environment, the finding likely relates to safe activity and can be resolved as a false positive.
To determine if the actor is a first-party Microsoft application or service principal, do one of the following:
- Verify identity in the Azure AD admin center:
- Navigate to Dashboard > Enterprise Applications > All Applications.
- In the Application Type box, select Microsoft Applications then click Apply.
- In the search box below the selectable drop-down menus, type the Application ID you obtained from the info field in the finding.
- Use one of the PowerShell modules below to query the entire Azure tenant with the ObjectID(s).
- Using the azuread module (Note: Microsoft plans to deprecate this module in June 2023):
  - If you need to install the azuread module in PowerShell, run Install-Module AzureAD and Import-Module AzureAD, then authenticate by running Connect-AzureAD.
  - Run this command for the query, pasting in the ObjectID value(s) provided in the finding(s):
    Get-AzureADObjectByObjectId -ObjectIds <ObjectID1>, <ObjectID2>
- Using the Microsoft Graph PowerShell module:
  - If you need to install the Microsoft Graph module in PowerShell, run Install-Module Microsoft.Graph and Import-Module Microsoft.Graph, then authenticate by running Connect-MgGraph -Scopes "Directory.Read.All" (reading arbitrary directory objects requires at least this permission).
  - Run this command for the query, pasting in the ObjectID value(s) provided in the finding(s):
    Get-MgDirectoryObjectById -Ids <ObjectID1>, <ObjectID2>
  Tip: The -Ids parameter accepts a list, so when working with multiple findings you can resolve all ObjectIDs in a single call instead of running the command once per ID. Objects that no longer exist in the tenant are simply missing from the output.
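The steps above tell you how to look an Actor ID up; the following script, added here as an illustration and not part of the original article, carries the procedure through to a verdict. It resolves a batch of Actor IDs with Get-MgDirectoryObjectById, and for each service principal checks whether the owning tenant is one of the two Microsoft tenant IDs that Microsoft documents for first-party applications (see the "Verify first-party Microsoft applications in sign-in reports" reference). The two ObjectIDs in $ActorIds are placeholders you replace with the values from your findings; the script assumes the Microsoft.Graph.Authentication, Microsoft.Graph.DirectoryObjects and Microsoft.Graph.Applications submodules are installed.

```powershell
# Added example (not from the original article): triage Actor IDs from
# "Azure: AD Global Admin Role Assignment" findings in one pass.
# Placeholders: replace with the Actor ID / ObjectID values from your findings.
$ActorIds = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: Actor ID from finding 1
    '00000000-0000-0000-0000-000000000002'    # placeholder: Actor ID from finding 2
)

# Tenants that own first-party Microsoft applications, as documented by Microsoft
# for verifying first-party apps in sign-in reports.
$MicrosoftOwnerTenants = @(
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a',   # Microsoft Services
    '72f988bf-86f1-41af-91ab-2d7cd011db47'    # Microsoft
)

# Directory.Read.All covers both directory-object lookup and service-principal reads.
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

# A single call resolves every ID; IDs that do not exist in the tenant are absent from $resolved.
$resolved = Get-MgDirectoryObjectById -Ids $ActorIds

foreach ($id in $ActorIds) {
    $obj = $resolved | Where-Object { $_.Id -eq $id }
    if (-not $obj) {
        Write-Output "$id : not found in this tenant (deleted object, or the finding came from another tenant)"
        continue
    }

    # The concrete type comes back in AdditionalProperties, e.g. #microsoft.graph.servicePrincipal
    $type = $obj.AdditionalProperties['@odata.type']

    switch ($type) {
        '#microsoft.graph.servicePrincipal' {
            $sp = Get-MgServicePrincipal -ServicePrincipalId $id
            $firstParty = $MicrosoftOwnerTenants -contains $sp.AppOwnerOrganizationId
            # Managed identities are owned by your own tenant and never match the Microsoft tenants.
            $verdict = if ($firstParty) {
                'first-party Microsoft app: likely expected; confirm the app is used in your environment'
            } elseif ($sp.ServicePrincipalType -eq 'ManagedIdentity') {
                'managed identity in your tenant: confirm the role assignment was intended'
            } else {
                'third-party or tenant-owned app: review the assignment'
            }
            Write-Output ("{0} : servicePrincipal '{1}' (AppId {2}, owner tenant {3}) -> {4}" -f `
                $id, $sp.DisplayName, $sp.AppId, $sp.AppOwnerOrganizationId, $verdict)
        }
        '#microsoft.graph.user' {
            $upn = $obj.AdditionalProperties['userPrincipalName']
            Write-Output "$id : user $upn -> confirm with the owner that the Global Administrator assignment was an approved change"
        }
        default {
            Write-Output "$id : $type -> inspect manually in the Azure AD admin center"
        }
    }
}
```

Run it in a session where you can consent to Directory.Read.All. A "first-party Microsoft app" result supports resolving the finding as an expected configuration change, but only after you confirm the application is one you actually use; any user or non-Microsoft service principal should be verified against a change record before the finding is closed.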
We also recommend checking the URLs included in the finding's info field. The finding may be a false positive if a variation of these URLs appears in the evidence.
Reference:
- Verify first-party Microsoft applications in sign-in reports (Microsoft Entra)
- View the service principal of a managed identity in the Azure portal (Microsoft Entra)
- Authenticate Python apps to Azure services during local development using service principals
- Managed identities for Azure resources (Microsoft Entra)
- Find Tenant ID, Object ID, and partner association details in Azure Marketplace