Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert

The following rules are used to identify suspicious Microsoft Entra changes to privileged role assignment. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Role Assignment Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Bulk Deletion Changes to Privileged Account Permissions

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

PIM Approvals and Deny Elevation

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

User Added to Privilege Role

Detects when a user is added to a privileged role.