
Add role to a user in Azure AD

Anvilogic Forge

Summary
This detection rule monitors Azure Active Directory (Azure AD) for role assignments to users, an action often associated with privilege escalation. The rule uses Azure activity logs and focuses specifically on the commands `Add-AzureADDirectoryRoleMember` and `AssignPermanentEligibleRole`. By querying these actions via Splunk, it captures the details surrounding the role assignment, including time, host information, user identity, and source IP. It also captures event attributes such as MFA status and permissions, which give context for judging the significance of a role assignment that could raise a user's privileges in Azure AD. The detection aims to identify anomalous or unauthorized manipulation of user roles that could lead to security concerns if exploited.
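The matching logic the summary describes, as an added example that is not Anvilogic's rule or its Splunk query: a small Python detector run over three constructed Azure AD activity-log events (plus one malformed line), matching on the two commands the summary names and keeping the attributes it lists. The JSON field names (`operationName`, `user`, `src_ip`, `mfa`, `permissions`, `target`, `role`) are assumptions for this example, not the Azure log schema.

```python
import json

# Operation names the rule keys on (taken from the summary above).
ROLE_ADD_OPERATIONS = {"Add-AzureADDirectoryRoleMember", "AssignPermanentEligibleRole"}

# Constructed sample events shaped loosely like Azure AD activity-log records.
# The field names are assumptions for this example, not a documented schema.
SAMPLE_EVENTS = [
    '{"time":"2024-02-09T10:15:00Z","host":"aad-audit","operationName":"Add-AzureADDirectoryRoleMember",'
    '"user":"admin@example.com","src_ip":"203.0.113.10","mfa":"satisfied",'
    '"permissions":["Directory.ReadWrite.All"],"target":"svc-backup@example.com","role":"Global Administrator"}',
    '{"time":"2024-02-09T10:16:30Z","host":"aad-audit","operationName":"Update user",'
    '"user":"helpdesk@example.com","src_ip":"203.0.113.11","mfa":"satisfied","permissions":[]}',
    '{"time":"2024-02-09T23:42:05Z","host":"aad-audit","operationName":"AssignPermanentEligibleRole",'
    '"user":"contractor@example.com","src_ip":"198.51.100.7","mfa":"not_required",'
    '"permissions":["RoleManagement.ReadWrite.Directory"],"target":"contractor@example.com","role":"Privileged Role Administrator"}',
    'not json at all',
]

def parse_event(line):
    """Parse one JSON log line; malformed lines yield None instead of aborting the run."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def is_role_addition(event):
    """True when the event's operation is one of the role-assignment commands the rule watches."""
    return event.get("operationName") in ROLE_ADD_OPERATIONS

def summarize(event):
    """Keep the attributes the rule surfaces for triage, plus two context flags (not verdicts)."""
    keep = ("time", "host", "user", "src_ip", "operationName", "target", "role", "mfa", "permissions")
    record = {key: event.get(key) for key in keep}
    # Context for the analyst: a user granting a role to themselves, and a change made without MFA.
    record["self_assigned"] = event.get("user") == event.get("target")
    record["mfa_missing"] = event.get("mfa") != "satisfied"
    return record

def detect_role_additions(lines):
    """Run the rule logic over raw log lines and return one alert record per matching event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is not None and is_role_addition(event):
            alerts.append(summarize(event))
    return alerts
```

Running `detect_role_additions(SAMPLE_EVENTS)` yields two alert records: the admin's assignment to a service account, and the contractor's self-assignment made without MFA, which the flags single out for closer review.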
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-02-09