AN0773: Analytic 0773
Detection of new admin or role assignment actions within Microsoft 365/O365 environments to elevate access for persistence or lateral movement.
Analyst context for executives and security teams
This analytic is about spotting newly granted administrator or role assignments in Microsoft 365/O365. For leaders, the significance is identity control: unexpected privilege elevation in the office suite can support persistence or lateral movement, so it is a high-value signal for SOC triage, incident response scoping, and audit evidence around privileged access governance.
Executive priority
Prioritize this as an identity and cloud security control validation item. Executives should ask whether Microsoft 365/O365 role changes are logged, reviewed, and escalated quickly enough to support business continuity and compliance expectations. The decision value is not just alerting on every role change, but proving that privileged access changes are authorized, attributable, and investigated when they occur outside expected administrative processes.
Technical view
SOC and detection teams should validate visibility into Microsoft 365/O365 admin and role assignment actions. Because ATT&CK does not provide an official detection procedure for this analytic, local implementation must define the specific events, role names, administrative workflows, and approval context that separate expected changes from suspicious elevation. IR teams should treat unexpected role assignment as a pivot point for account review, session review, recent administrative activity, and possible persistence or lateral movement investigation within the Office Suite environment.
Likely telemetry
- Microsoft 365/O365 audit logs for admin and role assignment actions
- Identity and access management records showing who granted, received, or modified privileged roles
- Administrative portal or API activity associated with role management
- Change-management or ticketing evidence for approved privileged access changes
- Account, session, and sign-in context around the actor and newly privileged principal
Detection direction
- Validate that role assignment events are collected with actor, target account, role name, timestamp, source context, and outcome.
- Tune for new, unusual, or high-risk admin role grants, especially when the actor or recipient does not normally perform privileged administration.
- Correlate detections with approved change windows, access request records, and known administrative automation to reduce false positives.
- Review blind spots such as incomplete audit retention, unmonitored administrative interfaces, missing API activity, or logs that do not preserve enough identity context.
- Because no ATT&CK relationship context or tactic mapping is supplied, avoid assuming a specific campaign stage; use the event as an identity-risk trigger requiring local context.
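As an added illustration of the detection direction above (not part of the ATT&CK object or Glexia's analysis), the following Python triages constructed role-grant records against local context: a high-risk role list, a known-administrator baseline, and approved change windows. The audit record field names and the "Add member to role." operation string are assumptions for this example, as are the sample accounts and tickets.

```python
from datetime import datetime

# Constructed sample records loosely shaped like Microsoft 365 unified audit log
# entries; the field names (Operation, UserId, ObjectId, ModifiedProperties,
# ResultStatus) are assumptions for this example, not an asserted schema.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T08:05:00", "Operation": "Add member to role.",
     "UserId": "it-admin@example.com", "ObjectId": "alice@example.com", "ResultStatus": "Success",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator"}]},
    {"CreationTime": "2024-05-01T23:41:00", "Operation": "Add member to role.",
     "UserId": "bob@example.com", "ObjectId": "bob@example.com", "ResultStatus": "Success",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"CreationTime": "2024-05-02T09:10:00", "Operation": "Add member to role.",
     "UserId": "it-admin@example.com", "ObjectId": "svc-backup@example.com", "ResultStatus": "Success",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Exchange Administrator"}]},
]

# Local context the analytic says the environment must supply (constructed here).
HIGH_RISK_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}
KNOWN_ADMINS = {"it-admin@example.com"}
APPROVED_CHANGES = [  # (ticket, target principal, approved window start, approved window end)
    ("CHG-1001", "alice@example.com", "2024-05-01T08:00:00", "2024-05-01T09:00:00"),
    ("CHG-1002", "svc-backup@example.com", "2024-05-02T09:00:00", "2024-05-02T10:00:00"),
]

def approved_ticket(target, when):
    """Return the change ticket covering this principal at this time, else None."""
    for ticket, who, start, end in APPROVED_CHANGES:
        if who == target and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return ticket
    return None

def triage_role_grants(events):
    """One finding per successful role grant, with the identity-risk reasons that apply."""
    findings = []
    for ev in events:
        if ev.get("Operation") != "Add member to role." or ev.get("ResultStatus") != "Success":
            continue
        role = next((p["NewValue"] for p in ev["ModifiedProperties"]
                     if p["Name"] == "Role.DisplayName"), "unknown")
        when = datetime.fromisoformat(ev["CreationTime"])
        ticket = approved_ticket(ev["ObjectId"], when)
        reasons = []
        if role in HIGH_RISK_ROLES: reasons.append("high-risk role")
        if ev["UserId"] not in KNOWN_ADMINS: reasons.append("actor not a known admin")
        if ev["UserId"] == ev["ObjectId"]: reasons.append("self-grant")
        if ticket is None: reasons.append("no approved change window")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        findings.append({"actor": ev["UserId"], "target": ev["ObjectId"], "role": role,
                         "time": when.isoformat(), "ticket": ticket,
                         "reasons": reasons, "severity": severity})
    return findings
```

The approved grant to alice scores "info", the off-hours self-grant of Global Administrator by a non-admin scores "high", and the ticketed Exchange Administrator grant still scores "medium" because the role itself is high-risk.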
Mitigation priorities
- Establish and enforce governance for Microsoft 365/O365 privileged role assignment, including approval and review expectations.
- Limit standing administrative privilege where operationally feasible and regularly review role membership.
- Ensure audit logging and retention are sufficient to reconstruct role assignment activity during an incident.
- Create response procedures for unauthorized or unexplained role grants, including privilege removal, account review, and investigation of related administrative actions.
- Maintain evidence linking privileged access changes to business justification for compliance and incident readiness.
Analyst notes and limits
The supplied object is a detection analytic, AN0773, for Microsoft 365/O365 admin or role assignment actions. It is platform-scoped to Office Suite and describes privilege elevation used for persistence or lateral movement, but it does not include official detection logic, tactics, relationships, aliases, or related techniques. Local environment baselines and access governance records are necessary to make this analytic operationally useful.
This take is limited to the provided ATT&CK fields and external reference. No active exploitation, actor attribution, specific event IDs, vendor detection names, guaranteed coverage, or relationship-driven technique context is asserted. Confidence is constrained by the absence of official detection details and relationship context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7d8a28c1fec1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0773
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.