
Summary
This detection rule monitors Azure Subscription permission changes by examining Azure Audit Logs. Specifically, it detects when a user is elevated to manage all Azure subscriptions through the assignment of the 'user access admin' role. This kind of elevation can pose a significant security risk, as unauthorized access to Azure subscriptions may allow malicious actors to manipulate settings, access sensitive data, or perform other dangerous actions within an organization's cloud environment. If this elevation is not part of an approved management process, it should trigger an immediate investigation to confirm whether the change was authorized. The rule operates by filtering Audit Logs for specific administrative operations related to role assignments and can help bolster an organization's security posture by flagging potentially malicious activities.
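The filtering this summary describes, worked through as an added example (this is not the rule's own query or the vendor's code): a small Python detector that walks a batch of audit-log records, keeps only successful "Add member to role" operations in the RoleManagement category, and raises an alert when the granted role is User Access Administrator. The field names (category, activityDisplayName, result, initiatedBy, targetResources[].modifiedProperties[]) and the activity string are assumptions based on the Azure AD audit-log export shape; the records in SAMPLE_AUDIT_LOGS are constructed for the example, not real tenant data. It goes slightly beyond the page's case by tolerating both JSON-encoded and plain role values and by treating a denied attempt as a non-alert.

```python
"""Toy detector for the subscription-permission elevation described above.

Added example, not the detection rule's own query. It assumes the Azure AD
audit-log export shape (category, activityDisplayName, result, initiatedBy,
targetResources[].modifiedProperties[]); every record in SAMPLE_AUDIT_LOGS
is constructed for the example, not a real log.
"""
import json
from typing import Any

# Role whose assignment the rule summary flags; matched case-insensitively.
WATCHED_ROLE = "User Access Administrator"
# Audit-log activity that records a directory role being granted
# (assumed Azure AD activityDisplayName value).
ROLE_ASSIGN_ACTIVITY = "Add member to role"


def _decode_value(raw: Any) -> Any:
    """modifiedProperties values are normally JSON-encoded strings
    (e.g. '"User Access Administrator"'); decode them, but fall back to the
    plain string so a differently shaped export still matches."""
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return raw
    return raw


def assigned_roles(record: dict) -> list[str]:
    """Return the role display names that one audit record grants."""
    roles: list[str] = []
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                value = _decode_value(prop.get("newValue"))
                if isinstance(value, str) and value:
                    roles.append(value)
    return roles


def actor_of(record: dict) -> str:
    """Identify who performed the change: a user UPN or an application."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def detect_subscription_elevation(records: list[dict]) -> list[dict]:
    """Filter audit records down to successful grants of the watched role."""
    alerts = []
    for rec in records:
        if rec.get("category") != "RoleManagement":
            continue
        if rec.get("activityDisplayName") != ROLE_ASSIGN_ACTIVITY:
            continue
        # A denied attempt elevated nobody; it is hunt material, not this alert.
        if rec.get("result") != "success":
            continue
        granted = [r for r in assigned_roles(rec)
                   if r.casefold() == WATCHED_ROLE.casefold()]
        if not granted:
            continue
        targets = [t.get("userPrincipalName") or t.get("displayName") or "unknown"
                   for t in rec.get("targetResources") or []
                   if t.get("type") == "User"]
        alerts.append({
            "record_id": rec.get("id"),
            "time": rec.get("activityDateTime"),
            "actor": actor_of(rec),
            "targets": targets,
            "role": WATCHED_ROLE,
        })
    return alerts


def _record(rec_id: str, actor: str, target: str, new_value: Any,
            result: str = "success", category: str = "RoleManagement",
            activity: str = ROLE_ASSIGN_ACTIVITY) -> dict:
    """Build one constructed audit record in the assumed export shape."""
    return {
        "id": rec_id,
        "activityDateTime": "2021-11-26T10:15:00Z",
        "category": category,
        "activityDisplayName": activity,
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": target,
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "oldValue": None, "newValue": new_value}
            ],
        }],
    }


SAMPLE_AUDIT_LOGS = [  # constructed sample records, not real tenant data
    _record("rec-001", "admin@contoso.example", "eve@contoso.example",
            json.dumps("User Access Administrator")),                    # alert
    _record("rec-002", "admin@contoso.example", "bob@contoso.example",
            json.dumps("Global Reader")),                                # other role
    _record("rec-003", "intern@contoso.example", "eve@contoso.example",
            json.dumps("User Access Administrator"), result="failure"),  # denied
    _record("rec-004", "admin@contoso.example", "bob@contoso.example",
            json.dumps("User Access Administrator"),
            category="UserManagement", activity="Update user"),          # wrong op
    _record("rec-005", "svc-automation@contoso.example", "mallory@contoso.example",
            "user access administrator"),                                # plain value
]


if __name__ == "__main__":
    for alert in detect_subscription_elevation(SAMPLE_AUDIT_LOGS):
        print(alert)
```

Run against the constructed batch it returns two alerts (rec-001 and rec-005); the other-role, denied and unrelated records fall through. In practice the batch would come from the tenant's audit-log export or SIEM, and the analyst's follow-up is the check the summary calls for: confirm the actor and the change against the approved management process before treating the alert as benign.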
Categories
- Cloud
- Azure
Data Sources
- User Account
- Cloud Service
- Active Directory
Created: 2021-11-26