If your organization receives a Blumira finding for the "Indicator: Azure AD Global Administrator Role Assignment" detection, the activity may be benign and related to a service principal or first-party Microsoft application in your environment.
In some cases, the actions that triggered the finding are performed by the Partner Customer Delegated Admin Offline Processor service principal (Application ID: a3475900-ccec-4a69-98f5-a65cd5dc5306).
Currently, Blumira findings for this detection do not include the application name, so the activity cannot be correlated immediately. Review the finding's info field under Matched Evidence to gather the ObjectID and ActorId before investigating further in the Azure Active Directory admin center.
If the ID matches a known Microsoft application that is expected in your environment, the finding likely relates to benign activity and can be resolved as a false positive. If it does not, treat the role assignment as suspicious: a new Global Administrator is the highest-impact change in a tenant, so confirm who or what made the assignment and whether it was authorized before resolving the finding.
To determine whether the actor in your finding is a first-party Microsoft application, do one of the following:
- Verify the identity in the Azure AD admin center:
  - Navigate to Dashboard > Enterprise Applications > All Applications.
  - In the Application Type box, select Microsoft Applications, then click Apply.
  - In the search box below the drop-down menus, enter the Application ID (or ObjectID) you obtained from the info field in the finding.
- Use one of the PowerShell modules below to query the Azure AD tenant for the ObjectID(s).
  - Using the AzureAD module (note: Microsoft has deprecated this module in favor of Microsoft Graph PowerShell, so prefer the Graph option below for new work):
    - If you need to install the AzureAD module in PowerShell, run Install-Module AzureAD and Import-Module AzureAD, then authenticate by running Connect-AzureAD.
    - Run this command for the query, pasting in the ObjectID value(s) provided in the finding(s):
Get-AzureADObjectByObjectId -ObjectIds <ObjectID1>, <ObjectID2>
  - Using the Microsoft Graph PowerShell module:
    - If you need to install the Microsoft Graph module in PowerShell, run Install-Module Microsoft.Graph and Import-Module Microsoft.Graph, then authenticate by running Connect-MgGraph -Scopes "Directory.Read.All" (the query below reads directory objects, so the signed-in account must consent to a directory read scope; an interactive sign-in without it returns an authorization error).
    - Run this command for the query, pasting in the ObjectID value(s) provided in the finding(s):
Get-MgDirectoryObjectById -Ids <ObjectID1>, <ObjectID2>
Tip: The -Ids parameter accepts a comma-separated list, so the ObjectIDs from multiple findings can be resolved in a single call. Only objects that exist in the tenant are returned; an ObjectID that comes back empty may belong to a deleted or foreign-tenant object and warrants a closer look rather than a false-positive resolution.
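The Graph procedure above leaves the analyst to read the returned object and decide whether it is Microsoft-owned. The script below, written for this page as an added example and not Blumira's own tooling, automates that step: it resolves each ObjectID/ActorId from the finding, identifies the object type, and for a service principal checks whether the owning tenant is one of the Microsoft tenants that Microsoft documents as owning first-party applications. The function name, output fields and placeholder IDs are this example's own choices; it assumes the Microsoft.Graph module is installed and the signed-in account holds the Directory.Read.All scope.

```powershell
# Added example (not from Blumira's article): classify the actors behind an
# "Azure AD Global Administrator Role Assignment" finding.
# Assumes: Microsoft.Graph installed, account consented to Directory.Read.All.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DirectoryObjects
Import-Module Microsoft.Graph.Applications

# Tenants that own Microsoft first-party service principals, per Microsoft's
# "Verify first-party Microsoft applications in sign-in reports" page.
$FirstPartyTenants = @(
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a',  # Microsoft Services
    '72f988bf-86f1-41af-91ab-2d7cd011db47'   # Microsoft corporate tenant
)

function Resolve-FindingActor {
    # $ObjectId: ObjectID / ActorId values copied from the finding's info field.
    param([Parameter(Mandatory)][string[]]$ObjectId)

    foreach ($id in $ObjectId) {
        # getByIds returns only the objects it can find; an unknown ID yields nothing.
        $obj = Get-MgDirectoryObjectById -Ids $id
        if (-not $obj) {
            [pscustomobject]@{
                ObjectId = $id; Type = 'NotFound'; DisplayName = $null; AppId = $null
                OwnerTenant = $null; FirstParty = $false; Verdict = 'Investigate (deleted or foreign object)'
            }
            continue
        }

        # The SDK keeps the concrete type in @odata.type, e.g. #microsoft.graph.servicePrincipal
        $type = $obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''

        if ($type -eq 'servicePrincipal') {
            $sp = Get-MgServicePrincipal -ServicePrincipalId $id
            $owner = [string]$sp.AppOwnerOrganizationId
            $firstParty = ($owner -ne '') -and ($FirstPartyTenants -contains $owner)
            [pscustomobject]@{
                ObjectId    = $id
                Type        = "servicePrincipal/$($sp.ServicePrincipalType)"
                DisplayName = $sp.DisplayName
                AppId       = $sp.AppId   # compare with the Application ID named in the article
                OwnerTenant = $owner
                FirstParty  = $firstParty
                # First-party is necessary, not sufficient: confirm the app is expected in your tenant.
                Verdict     = $(if ($firstParty) { 'Likely benign (confirm app is expected)' } else { 'Investigate' })
            }
        }
        else {
            # A user, group or other object assigning Global Administrator is never
            # a first-party-app false positive; route it to normal investigation.
            [pscustomobject]@{
                ObjectId    = $id
                Type        = $type
                DisplayName = $obj.AdditionalProperties['displayName']
                AppId       = $null
                OwnerTenant = $null
                FirstParty  = $false
                Verdict     = 'Investigate'
            }
        }
    }
}

# Usage: paste the ObjectID / ActorId values from one or more findings.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
Resolve-FindingActor -ObjectId '<ObjectID1>', '<ObjectID2>' | Format-Table -AutoSize
```

A FirstParty value of True only means Microsoft owns the application; it is still worth confirming that the AppId is one you expect to operate in your tenant (for the case described above, a3475900-ccec-4a69-98f5-a65cd5dc5306) before resolving the finding as a false positive.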
We also recommend checking the URLs included in the finding's info field. The finding may be a false positive if a variation of these URLs is in the evidence:
Reference:
- Verify first-party Microsoft applications in sign-in reports - Active Directory
- View service principal of a managed identity in the Azure portal - Azure AD - Microsoft Entra
- Authenticate Python apps to Azure services during local development using service principals
- Managed identities for Azure resources - Microsoft Entra
- Find Tenant ID, Object ID, and partner association details in Azure Marketplace