If you’re responsible for securing Azure, you should know about Azure’s Apex Permissions: Elevate Access & The Logs Security Teams Overlook because it exposes a critical security blindspot affecting virtually every Azure environment.
Nathan Eades and the Permiso team provide a technical deep-dive into Azure’s “Elevate Access” feature. This is a powerful mechanism that grants Global Administrators complete control over an entire Azure environment, but with activity logs hidden where most security teams never look.
The Security Blindspot
Azure’s “Elevate Access” feature creates a perfect storm of security issues:
- It grants full control over the entire Azure environment at the rarely-seen “root scope” (/) level
- Its activity is hidden in non-standard logs that require special permissions to access
- Attackers can maintain persistence by granting privileged roles to ordinary identities
- These root-level permissions override all other Azure RBAC controls
- Microsoft’s documentation incorrectly describes how it works, leading security teams to monitor the wrong places
Permiso’s Findings on Logging Challenges
- Elevate Access operations appear only in Azure Monitor Directory Activity Logs
- These logs can’t be forwarded to security tools using standard diagnostic settings
- Microsoft’s preview adds Elevate Access events to Entra ID Audit Logs, but only captures the initial activation
Permiso’s Recommended Detection & Mitigation Methods
You can defend against and detect issues with Elevate Access by following Permiso’s recommendations (details in the full article).
Detect the issue
- Monitor for Microsoft.Authorization/elevateAccess/action in Directory Activity Logs
- Track role assignments at the root scope (/)
- Watch for unusual Cloud Shell usage that may indicate CLI-based privilege escalation
Minimize the attack surface
- Limit Global Administrators to fewer than 5
- Educate Administrators about Elevate Access risks
- Use PIM with approval workflows for Global Administrator activation
Break the logging catch-22
- Create a security service principal with Reader permissions at root scope
- Configure monitoring for both Directory Activity and Audit logs
- Alert on suspicious privilege escalation patterns
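As an added example (not from Permiso’s article or this newsletter), the Python below scans a constructed newline-delimited export of Directory Activity Log records and implements the first two detection items above: it flags every Microsoft.Authorization/elevateAccess/action event, failed attempts included, and any roleAssignments/write made at the root scope (/). The record shape (operationName.value, resourceId, caller, status.value, authorization.scope) is an assumption modelled on the Azure Monitor activity-log JSON; map the field names to whatever your export actually produces.

```python
import json

ELEVATE_ACTION = "Microsoft.Authorization/elevateAccess/action"
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
# A root-scope role assignment has no /subscriptions/... prefix before the provider path.
ROOT_ROLE_ASSIGN_PREFIX = "/providers/Microsoft.Authorization/roleAssignments/"

def rec(op, caller, resource_id, scope=None, status="Succeeded"):
    """Build one record in the assumed Azure Monitor activity-log JSON shape."""
    r = {"operationName": {"value": op}, "caller": caller,
         "resourceId": resource_id, "status": {"value": status}}
    if scope is not None:
        r["authorization"] = {"scope": scope}
    return r

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [  # constructed sample, not real tenant data
    rec(ELEVATE_ACTION, "ga@example.com", "/providers/Microsoft.Authorization", "/"),
    rec(ROLE_ASSIGN_WRITE, "ga@example.com",
        ROOT_ROLE_ASSIGN_PREFIX + "00000000-0000-0000-0000-000000000001", "/"),
    rec(ROLE_ASSIGN_WRITE, "dev@example.com",
        SUB + ROOT_ROLE_ASSIGN_PREFIX + "00000000-0000-0000-0000-000000000002", SUB),
    rec("Microsoft.Storage/storageAccounts/write", "dev@example.com",
        SUB + "/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/sa"),
    rec(ELEVATE_ACTION, "intern@example.com", "/providers/Microsoft.Authorization", "/",
        status="Failed"),
])

def is_root_scope(record):
    scope = record.get("authorization", {}).get("scope")
    return scope == "/" or record.get("resourceId", "").startswith(ROOT_ROLE_ASSIGN_PREFIX)

def classify(record):
    """Label the two patterns Permiso recommends alerting on, else None."""
    op = record.get("operationName", {}).get("value", "")
    if op == ELEVATE_ACTION:
        return "ELEVATE_ACCESS"  # report every attempt, failed ones included
    if op == ROLE_ASSIGN_WRITE and is_root_scope(record):
        return "ROOT_SCOPE_ROLE_ASSIGNMENT"
    return None

def find_findings(ndjson_text):
    """Scan an export and return (label, caller, status) for each hit, in order."""
    findings = []
    for line in filter(str.strip, ndjson_text.splitlines()):
        record = json.loads(line)
        label = classify(record)
        if label:
            findings.append((label, record["caller"], record["status"]["value"]))
    return findings
```

Run it against a real export pulled with an identity that holds Reader at root scope, which is exactly the service principal the catch-22 section above describes.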
More helpful Azure IAM resources
- Permiso’s full article: Azure’s Apex Permissions: Elevate Access & The Logs Security Teams Overlook
- Microsoft’s documentation on Elevate Access – Official reference with scope inaccuracies as noted by Permiso
- Azure PIM Best Practices
IAM Fun Fact (via Permiso!)
Microsoft now logs Elevate Access activity in Entra ID Audit Logs, but only the initial toggle. Critical root scope role assignments still aren’t visible there. Make sure you’re collecting Directory Activity Logs too!
🎩 Tip of the cap to Nathan Eades and the Permiso Security team for their exceptional research.