Agent Foskett • Entra ID • Privilege Escalation Investigation

The User Was Added To A Privileged Group At 3:12AM

The sign-in looked normal.

No impossible travel alert. No malware detection. No suspicious inbox rule. Just another successful Microsoft 365 login.

But at 3:12AM, something changed quietly inside Microsoft Entra ID.

The user was added to a privileged role.

Global Administrator.

No one noticed until hours later. The dashboard looked healthy. The tenant wasn’t.

This Agent Foskett briefing investigates Microsoft 365 privilege escalation, suspicious role assignments, overnight administrative access and the quiet indicators that often appear before a full cloud compromise.

Briefing summary

A quiet role assignment can become a complete Microsoft 365 takeover. GEMXIT investigates suspicious Entra ID role additions, Global Administrator escalation, PIM abuse and overnight privilege changes that often bypass traditional alerts.

🚨 The sign-in looked normal. The role assignment did not.
In Microsoft Entra ID, privilege escalation can happen quietly through role assignments, PIM activation and administrative group changes long before an alert fires.

What happened

The account was legitimate. The MFA challenge was valid. The device looked trusted. Nothing appeared malicious from the surface. But inside the tenant, the user suddenly gained administrative privileges they should never have had.
The role assignment happened overnight: the user was quietly added to a privileged Microsoft Entra ID role outside normal business hours.
The account already looked trusted: because the identity already existed, the privilege escalation blended into otherwise legitimate cloud activity.
No one noticed immediately: many organisations monitor malware and phishing heavily, but role assignments inside Entra ID often receive far less attention.
Privilege was expanded: the user gained access to powerful administrative actions that could affect users, policies, applications and security controls.
The dashboard looked quiet: nothing screamed compromise until AuditLogs revealed the overnight administrative change.
AuditLogs told the truth: AuditLogs and SigninLogs can reveal who made the change, when it happened, and what the account did next.

Why privilege escalation matters

Once an attacker gains administrative access inside Microsoft 365, the investigation changes completely. Administrative privileges can provide access to mailboxes, security settings, Conditional Access policies, user accounts, OAuth applications and security tooling itself.
Global Administrator access changes everything: a single privileged role assignment can become full tenant control if it is not identified quickly.
Persistence becomes easier: attackers can use role assignments and administrative accounts to maintain quiet long-term access.
The activity often looks legitimate: because the actions occur inside trusted Microsoft services, many escalations blend into normal administrative activity.

First hunt: investigate privileged role assignments

Start by identifying role assignment activity inside AuditLogs. Overnight changes, unusual initiators and unexpected administrative roles deserve immediate review.
privileged-role-assignment-investigation.kql
// Role additions in the last 7 days; "Add member to role" also matches the
// PIM variants such as "Add member to role completed (PIM activation)".
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("Add member to role", "Add eligible member to role")
| where TargetResources has_any (
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
    "Security Administrator"
)
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend OffHours = hourofday(TimeGenerated) !between (8 .. 17)
| project TimeGenerated, OffHours, OperationName, Initiator, TargetUser, Result
| order by TimeGenerated desc
What to review: focus on Global Administrator, Privileged Role Administrator, Exchange Administrator and Security Administrator assignments.
Why it matters: privilege escalation is often the turning point between a compromised user account and a compromised tenant.
Best next pivot: investigate the sign-ins and device activity associated with the initiating account before the role assignment occurred.

Second hunt: investigate suspicious administrative sign-ins

Once a privileged role assignment has been identified, pivot into the sign-in activity surrounding the event. The key is to understand whether the administrator action came from the right person, device and location.
privileged-user-signin-review.kql
// Sign-ins of the initiating administrator around the role change
let EscalationTime = datetime(2026-05-20T03:12:00Z);
SigninLogs
| where TimeGenerated between ((EscalationTime - 24h) .. (EscalationTime + 1h))
| where UserPrincipalName =~ "admin@company.com"
| project TimeGenerated,
          UserPrincipalName,
          IPAddress,
          Location,
          AppDisplayName,
          ResultType,
          ConditionalAccessStatus,
          DeviceDetail,
          AuthenticationRequirement
| order by TimeGenerated desc
What to review: whether the initiating administrator signed in from an expected location, device and client application.
Why it matters: a normal-looking sign-in can still be dangerous when it immediately leads to privilege escalation.
Best next pivot: pivot from sign-ins into admin actions, mailbox access, app consent and Conditional Access policy changes.

Third hunt: look for changes after privilege escalation

After an account receives privileged access, the next question is simple: what changed next? Look for policy edits, user updates, app consent, mailbox permissions and security configuration changes.
post-escalation-admin-activity.kql
// Actions taken by the newly elevated account in the 24 hours after the change
let EscalationTime = datetime(2026-05-20T03:12:00Z);
let ElevatedUser = "user@company.com";
AuditLogs
| where TimeGenerated between (EscalationTime .. (EscalationTime + 24h))
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
| where Initiator =~ ElevatedUser
| where OperationName has_any (
    "Update conditional access policy",
    "Add service principal",
    "Consent to application",
    "Add app role assignment",
    "Update user",
    "Reset password",
    "Add member to role"
)
| project TimeGenerated, OperationName, Initiator, TargetResources, Result
| order by TimeGenerated desc
What to review: Conditional Access edits, OAuth app consent, user changes, additional role assignments and security control modifications.
Why it matters: after privilege escalation, the attacker may begin preparing persistence, weakening controls or expanding access.
Best next pivot: compare these changes with the initiating account, sign-in location, device details and any related Defender XDR incidents.
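The three hunts above chained together as runnable detection logic, as an added example that is not part of the original briefing. It runs over a handful of constructed AuditLogs and SigninLogs rows shaped like the Log Analytics export (the column names, the InitiatedBy/TargetResources layout and the JSON-encoded Role.DisplayName newValue follow the Entra audit schema; the accounts, IP addresses, timestamps, the 08:00-18:00 UTC business-hours window and the 6h/24h pivot windows are assumptions) and returns the same three answers the queries do: who was added to which privileged role and when, what the initiator's sign-ins looked like beforehand, and what the elevated account changed afterwards.

```python
"""Runnable version of the three hunts: privileged role additions, the
initiator's prior sign-ins, and post-escalation changes by the elevated
account. Added example; every sample row below is constructed."""
import json
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Security Administrator"}
# "Add member to role" also prefixes the PIM variants, e.g.
# "Add member to role completed (PIM activation)".
ROLE_ADD_OPS = ("Add member to role", "Add eligible member to role")
POST_ESCALATION_OPS = ("Update conditional access policy", "Add service principal",
                       "Consent to application", "Add app role assignment",
                       "Update user", "Add member to role")
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-18:00, evaluated in UTC


def _audit(time, op, who, target, role=None):
    """AuditLogs-shaped row (constructed). As in the real export, the
    Role.DisplayName newValue is a JSON-encoded string, hence json.dumps."""
    props = [{"displayName": "Role.DisplayName", "newValue": json.dumps(role)}] if role else []
    return {"TimeGenerated": time, "OperationName": op, "Result": "success",
            "InitiatedBy": {"user": {"userPrincipalName": who}},
            "TargetResources": [{"userPrincipalName": target, "modifiedProperties": props}]}


def _signin(time, upn, ip, country, app):
    """SigninLogs-shaped row (constructed); ResultType "0" means success."""
    return {"TimeGenerated": time, "UserPrincipalName": upn, "IPAddress": ip,
            "Location": country, "AppDisplayName": app, "ResultType": "0"}


AUDIT_LOGS = [
    _audit("2026-05-19T10:05:00Z", "Add member to role", "pim.owner@company.com",
           "helpdesk@company.com", "Helpdesk Administrator"),  # not a privileged role
    _audit("2026-05-20T03:12:00Z", "Add member to role", "it.support@company.com",
           "j.doe@company.com", "Global Administrator"),       # the 3:12AM escalation
    _audit("2026-05-20T03:40:00Z", "Update conditional access policy",
           "j.doe@company.com", "Require MFA for admins"),
    _audit("2026-05-20T04:02:00Z", "Consent to application",
           "j.doe@company.com", "Mail Sync Helper"),
    _audit("2026-05-20T09:00:00Z", "Update user", "it.support@company.com",
           "a.smith@company.com"),                              # not by the elevated account
]
SIGNIN_LOGS = [
    _signin("2026-05-19T09:15:00Z", "it.support@company.com", "198.51.100.7", "GB",
            "Office 365 Exchange Online"),                      # too old for the window
    _signin("2026-05-20T02:58:00Z", "it.support@company.com", "203.0.113.45", "RO",
            "Azure Portal"),                                    # 14 minutes before the change
    _signin("2026-05-20T03:20:00Z", "j.doe@company.com", "203.0.113.45", "RO",
            "Azure Portal"),
]


def ts(value):
    """Parse the trailing-Z ISO timestamps Log Analytics exports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiator(rec):
    """InitiatedBy carries either a user or an app; return whichever is present."""
    who = rec["InitiatedBy"]
    return who["user"]["userPrincipalName"] if "user" in who else who["app"]["displayName"]


def assigned_role(rec):
    """Decode the role name from modifiedProperties, or None for non-role events."""
    for target in rec["TargetResources"]:
        for prop in target.get("modifiedProperties", []):
            if prop["displayName"] == "Role.DisplayName":
                return json.loads(prop["newValue"])
    return None


def hunt_role_assignments(audit):
    """First hunt: additions to privileged roles, flagged when outside business hours."""
    hits = []
    for rec in audit:
        role = assigned_role(rec) if rec["OperationName"].startswith(ROLE_ADD_OPS) else None
        if role in PRIVILEGED_ROLES:
            when = ts(rec["TimeGenerated"])
            hits.append({"time": when, "initiator": initiator(rec), "role": role,
                         "target": rec["TargetResources"][0]["userPrincipalName"],
                         "off_hours": when.hour not in BUSINESS_HOURS})
    return hits


def hunt_initiator_signins(signins, upn, before, window=timedelta(hours=6)):
    """Second hunt: the initiator's sign-ins in the hours leading up to the change."""
    return [s for s in signins if s["UserPrincipalName"].lower() == upn.lower()
            and before - window <= ts(s["TimeGenerated"]) <= before]


def hunt_post_escalation(audit, actor, after, window=timedelta(hours=24)):
    """Third hunt: what the newly privileged account changed after the escalation."""
    return [r for r in audit if r["OperationName"].startswith(POST_ESCALATION_OPS)
            and initiator(r).lower() == actor.lower()
            and after < ts(r["TimeGenerated"]) <= after + window]


def triage(audit, signins):
    """Chain the three hunts into one case per privileged role addition."""
    return [{**hit,
             "initiator_signins": hunt_initiator_signins(signins, hit["initiator"], hit["time"]),
             "post_escalation": [r["OperationName"] for r in
                                 hunt_post_escalation(audit, hit["target"], hit["time"])]}
            for hit in hunt_role_assignments(audit)]
```

Calling `triage(AUDIT_LOGS, SIGNIN_LOGS)` on the sample yields a single case: j.doe@company.com made Global Administrator at 03:12 UTC by it.support@company.com (off hours), one sign-in by the initiator fourteen minutes earlier from a new country, and two changes by the elevated account afterwards (a Conditional Access policy edit and an application consent). The Helpdesk Administrator addition and the later "Update user" by the initiator are filtered out, which is the point of keying the third hunt on the elevated account rather than on time alone; widen the windows or add the initiating admin as a second actor when that account is itself suspect.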

Where this becomes dangerous

Administrative access inside Microsoft 365 is not only about visibility. It is about control. Once the wrong account has the right role, the tenant can be changed from the inside.
Conditional Access can be changed: attackers with privileged access may weaken or disable protections designed to stop them.
Security tooling can be impacted: administrative access can affect Microsoft Defender, Sentinel integrations and alert visibility.
New persistence paths appear: OAuth app consent, mailbox permissions, forwarding rules and additional admin accounts can all be created quietly after escalation.
Tenant takeover risk: with enough privilege, attackers can reset passwords, modify users, change controls and create long-term access paths.
Audit fatigue: important administrative events can become buried inside normal Microsoft 365 operational noise.
False confidence: the most dangerous moment is when the role assignment succeeds quietly and everyone assumes the tenant is still safe.

What should organisations do?

Administrative access should be treated as one of the highest-risk areas inside Microsoft 365 and Entra ID.
Review role assignments regularly: administrative role changes should be monitored continuously, especially outside business hours.
Use Privileged Identity Management: just-in-time access and approval workflows reduce long-term standing privilege exposure.
Hunt beyond the alert: the absence of a high-severity alert does not mean privilege escalation did not occur.
Limit standing admin access: permanent administrative roles should be reduced wherever possible and reviewed frequently.
Alert on privileged changes: role assignments, PIM activations and policy changes should generate immediate review workflows.
Align with Zero Trust: access should continuously depend on identity, device trust, role need, risk and business context rather than permanent privilege.

How GEMXIT approaches privilege escalation reviews

At GEMXIT, we do not only ask whether the sign-in succeeded. We investigate what changed after the sign-in, which roles were granted, and whether administrative access was expected.
We review the privilege trail: who assigned the role? When did it happen? Which account was elevated? Was the action expected?
We validate real impact: logs are used to confirm whether Microsoft 365, Entra ID, Conditional Access, mailbox settings or app permissions were changed after escalation.
We reduce practical risk: the goal is not theory. The goal is to identify quiet administrative access before it becomes tenant-wide compromise.
The role assignment happened overnight. The session still needed to be hunted.
GEMXIT helps organisations review Microsoft 365, Entra ID, Conditional Access, PIM, privileged roles and security operations controls to reduce quiet administrative access risk.

Final thought

The compromise did not begin with ransomware. It began with a role assignment no one noticed.
At GEMXIT: we help organisations review Microsoft 365, Entra ID, Defender XDR, Sentinel, Conditional Access and PIM to identify suspicious role assignments, privilege escalation and administrative access risks before they become incidents.
Agent Foskett mindset: the important question is not “Was the user compromised?”

It is: “Why did they suddenly become an administrator at 3:12AM?”

Microsoft Entra ID Privilege Escalation Investigation

This Agent Foskett briefing explains how suspicious Microsoft Entra ID role assignments, Global Administrator additions and privilege escalation events can quietly lead to tenant compromise inside Microsoft 365.

AuditLogs Role Assignment Hunting

GEMXIT investigates privileged role additions, PIM activity, suspicious overnight administrative changes and Microsoft 365 privilege escalation using AuditLogs, SigninLogs and Defender XDR telemetry.

Microsoft 365 Administrative Security Review

Example investigation areas include Global Administrator assignment review, Privileged Identity Management, Conditional Access abuse, suspicious admin sign-ins, OAuth persistence and Microsoft Entra ID tenant security monitoring.