Changes by or to Privileged accounts [ Azure ]

Detection rule to identify

• Attempted and completed changes
• Privileged account creation
• Changes to authentication methods
• Alert on changes to privileged account permissions
• Unused privileged accounts
• Accounts exempt from Conditional Access
• Addition of a Temporary Access Pass to a privileged account
• Added to eligible privileged role
• Roles assigned out of PIM
• Elevations
• Approvals and deny elevation
• Changes to PIM settings
• Elevation not occurring on SAW/PAW
• Elevation to manage all Azure subscriptions