
Summary
This detection rule identifies unauthorized assignments to the Global Administrator role in Azure Active Directory (Azure AD), a role that carries broad administrative privileges across Microsoft 365 services such as Exchange and SharePoint. Attackers who obtain this access may grant themselves or accomplices full control over organizational resources. The rule monitors Office 365 audit logs for events that indicate role changes, in particular the addition of users to the Global Administrator role. Investigation steps include reviewing the relevant audit logs to identify the user and the actions associated with any unauthorized role assignment, assessing the behavior of the user who performed the assignment, and promptly removing any unauthorized access. Alerts may also fire on legitimate administrative tasks, so each hit must be evaluated carefully to filter false positives, especially during periods of organizational change or maintenance. The rule also outlines the necessary response to unauthorized access events, including remediation steps and broader security measures such as conditional access.
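The detection logic described above, as an added example that is not part of the original rule: it walks constructed Office 365 audit records (field names assumed from the Office 365 Management Activity API schema), flags "Add member to role." events whose target role is Global Administrator, strips the literal quotes some exports wrap around values, and lets an analyst suppress an approved actor such as a PIM service account to cut the false positives the summary mentions.

```python
# Constructed sample records in the shape of Office 365 Unified Audit Log entries
# (field names assumed from the Office 365 Management Activity API schema; no real tenant data).
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2022-01-06T10:15:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "svc-pim@example.com",
     "ObjectId": "alice@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"CreationTime": "2022-01-06T10:20:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "helpdesk@example.com",
     "ObjectId": "carol@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Exchange Administrator"}]},
    {"CreationTime": "2022-01-06T10:25:00", "Workload": "AzureActiveDirectory",
     "Operation": "Remove member from role.", "UserId": "svc-pim@example.com",
     "ObjectId": "alice@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"CreationTime": "2022-01-06T10:30:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "bob@example.com",
     "ObjectId": "mallory@example.com",
     # Some exports wrap string values in literal quotes; the matcher strips them.
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\""}]},
]

# "Company Administrator" is the legacy display name older Azure AD logs used for this role (assumption).
GLOBAL_ADMIN_NAMES = {"global administrator", "company administrator"}

def assigned_role_name(record):
    """Return the role display name from an Azure AD 'Add member to role.' record, or None."""
    if record.get("Workload") != "AzureActiveDirectory":
        return None
    if record.get("Operation") != "Add member to role.":
        return None
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return str(prop.get("NewValue", "")).strip().strip('"')
    return None

def find_global_admin_assignments(records, approved_actors=frozenset()):
    """One alert per Global Administrator assignment not performed by an approved (lowercase) actor."""
    alerts = []
    for record in records:
        role = assigned_role_name(record)
        if role is None or role.lower() not in GLOBAL_ADMIN_NAMES:
            continue
        actor = record.get("UserId", "").lower()
        if actor in approved_actors:
            continue  # expected activity (e.g. a PIM service account); tune this list per tenant
        alerts.append({"time": record.get("CreationTime"), "actor": actor,
                       "target": record.get("ObjectId"), "role": role})
    return alerts
```

Running `find_global_admin_assignments(SAMPLE_AUDIT_RECORDS, {"svc-pim@example.com"})` leaves only the assignment by bob@example.com; the Exchange Administrator addition and the role removal are ignored.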
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1098
- T1098.003
Created: 2022-01-06