
Summary
This detection rule focuses on identifying the assignment of sensitive and privileged roles within Azure Active Directory (Azure AD), a potential vector for adversaries looking to gain persistent access to environments via compromised accounts. By monitoring operations that add users to privileged roles, the rule aims to provide visibility into unauthorized changes that could signify a compromise. The detection leverages data collected from the Office 365 Universal Audit Log, which includes information about role assignments. The search evaluates specific operations related to role assignments and filters the results based on whether the assigned role is deemed privileged according to a defined lookup table. This makes it a crucial component for maintaining the security posture of Azure AD environments by alerting on actions that could lead to the escalations in privilege that attackers often exploit.
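The detection logic described above, run over a few constructed Office 365 audit records, as an added example that is not the rule's own SPL or a Splunk artifact. The record layout (Operation, Workload, Target, ModifiedProperties with a Role.DisplayName entry) follows the shape of Azure AD entries in the Unified Audit Log, but the sample records, the role lookup contents and the operation list are assumptions constructed for this illustration; the real rule's lookup table may list different roles.

```python
import json

# Constructed stand-in for the rule's privileged-role lookup table (assumption: the
# real lookup's contents are defined by the detection author).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "User Administrator",
}

# Azure AD audit operations that assign a role (assumption: the rule's own
# operation list may differ).
ROLE_ASSIGNMENT_OPERATIONS = {
    "Add member to role.",
    "Add eligible member to role.",
}

# Constructed sample audit log, one JSON record per line. Record 1 is a
# privileged assignment, record 2 a non-privileged one, record 3 unrelated.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2024-11-14T09:12:33", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory", "UserId": "admin@contoso.example", "Target": [{"ID": "jdoe@contoso.example", "Type": 5}], "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\\"Global Administrator\\"", "OldValue": ""}]}
{"CreationTime": "2024-11-14T09:15:02", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory", "UserId": "admin@contoso.example", "Target": [{"ID": "asmith@contoso.example", "Type": 5}], "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\\"Reports Reader\\"", "OldValue": ""}]}
{"CreationTime": "2024-11-14T09:16:47", "Operation": "Update user.", "Workload": "AzureActiveDirectory", "UserId": "admin@contoso.example", "Target": [{"ID": "jdoe@contoso.example", "Type": 5}], "ModifiedProperties": [{"Name": "Department", "NewValue": "\\"Finance\\"", "OldValue": "\\"Sales\\""}]}
"""


def load_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_role_name(record):
    """Return the role display name from the ModifiedProperties list, or None.

    NewValue is stored as a JSON-encoded string (quoted), so the quotes are
    stripped before comparison against the lookup table.
    """
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue", "").strip('"')
    return None


def detect_privileged_role_assignments(records, privileged_roles=PRIVILEGED_ROLES):
    """Return a normalized hit for every record that adds a principal to a
    privileged role: filter on workload and operation, then on the lookup."""
    hits = []
    for rec in records:
        if rec.get("Workload") != "AzureActiveDirectory":
            continue
        if rec.get("Operation") not in ROLE_ASSIGNMENT_OPERATIONS:
            continue
        role = extract_role_name(rec)
        if role is None or role not in privileged_roles:
            continue
        # Assumption: the first Target entry that looks like a UPN is the
        # principal being added to the role.
        targets = [t.get("ID") for t in rec.get("Target", []) if "@" in str(t.get("ID", ""))]
        hits.append({
            "time": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "target": targets[0] if targets else None,
            "role": role,
            "operation": rec["Operation"],
        })
    return hits


if __name__ == "__main__":
    for hit in detect_privileged_role_assignments(load_records(SAMPLE_AUDIT_LOG)):
        print(f"{hit['time']} {hit['actor']} added {hit['target']} to {hit['role']}")
```

Only the first record produces a hit: the second assigns a role that is not in the lookup, and the third is not a role-assignment operation at all. Tuning the rule in practice means maintaining the lookup, not the search; an over-broad lookup is noisy, and a lookup that omits a role such as Privileged Role Administrator silently blinds the detection to the assignment most useful to an attacker.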
Categories
- Cloud
- Identity Management
Data Sources
- Pod
- Container
- User Account
- Cloud Service
- Network Traffic
- Application Log
ATT&CK Techniques
- T1098
- T1098.003
Created: 2024-11-14