Azure Privilege Identity Management Role Modified

Elastic Detection Rules

Summary
This detection rule identifies modifications to Azure Active Directory (now Microsoft Entra ID) Privileged Identity Management (PIM) role settings, activity that can indicate an adversary establishing persistence in a target environment. PIM governs just-in-time activation of privileged roles such as Global Administrator and Application Administrator. A role's settings control how that privilege is obtained, for example the maximum activation duration and whether activation requires MFA, approval or a justification. An unauthorized change to those settings shows that the actor already holds enough privilege to weaken the controls around further privilege, and it lowers the friction for later role activations.

The detection matches Azure audit-log events that record a successful update to a role setting in PIM. Recommended investigation steps: confirm with the account owner whether they performed the change; review related alerts for the same user, source address or session; assess whether the time of day and source geolocation are consistent with the user's normal activity; and check for an approved change request covering the modification.

If the activity is confirmed as malicious, the response may include disabling the affected accounts, reverting the PIM role settings to their prior state, and following the incident response process to contain lateral movement and further compromise.
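The matching and triage logic described above, as an added example that is not part of the Elastic rule or this page. It runs the detection criteria (Azure audit-log dataset, a successful "Update role setting in PIM" operation) over constructed sample events and then attaches the triage signals the investigation steps call for. The nested field names (event.dataset, azure.auditlogs.operation_name, event.outcome, source.geo.country_iso_code) are assumed to follow the Elastic Azure integration's ECS layout; the approved-actor list, expected countries and change window are hypothetical inputs an analyst would supply.

```python
# Added example, not Elastic's rule code: a Python re-implementation of the
# "Azure PIM role modified" detection over constructed audit-log events,
# plus the triage checks (actor, geolocation, timing) from the summary.
# Field names are an assumption mirroring the Elastic Azure integration (ECS).
from datetime import datetime

# Constructed sample events (not real telemetry). Only events 1 and 4 should match.
SAMPLE_EVENTS = [
    {   # 1: successful PIM role-setting update by an approved admin, in hours
        "@timestamp": "2024-03-04T14:05:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "Success"},
        "azure": {"auditlogs": {"operation_name": "Update role setting in PIM",
                                "properties": {"category": "RoleManagement"}}},
        "user": {"name": "pim-admin@example.onmicrosoft.com"},
        "source": {"ip": "203.0.113.10", "geo": {"country_iso_code": "US"}},
    },
    {   # 2: same operation but it failed; the rule only fires on success
        "@timestamp": "2024-03-04T14:06:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "failure"},
        "azure": {"auditlogs": {"operation_name": "Update role setting in PIM"}},
        "user": {"name": "pim-admin@example.onmicrosoft.com"},
        "source": {"ip": "203.0.113.10", "geo": {"country_iso_code": "US"}},
    },
    {   # 3: a different PIM operation; not a role-setting change
        "@timestamp": "2024-03-04T14:07:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {"operation_name": "Add member to role in PIM"}},
        "user": {"name": "pim-admin@example.onmicrosoft.com"},
        "source": {"ip": "203.0.113.10", "geo": {"country_iso_code": "US"}},
    },
    {   # 4: successful update by an unexpected actor, geo and hour
        "@timestamp": "2024-03-05T02:30:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {"operation_name": "Update role setting in PIM"}},
        "user": {"name": "contractor@example.onmicrosoft.com"},
        "source": {"ip": "198.51.100.7", "geo": {"country_iso_code": "BR"}},
    },
]


def get_path(event, dotted):
    """Return the value at a dotted path in a nested dict, or None if absent."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_pim_role_setting_update(event):
    """The rule's match criteria: Azure audit log, PIM role-setting update, success.
    event.outcome is compared case-insensitively because both 'Success' and
    'success' appear in practice."""
    outcome = get_path(event, "event.outcome")
    return (
        get_path(event, "event.dataset") == "azure.auditlogs"
        and get_path(event, "azure.auditlogs.operation_name") == "Update role setting in PIM"
        and isinstance(outcome, str) and outcome.lower() == "success"
    )


def triage_flags(event, approved_actors, expected_countries, change_window=(8, 18)):
    """Triage signals from the investigation steps: unknown actor, unexpected
    source country, and activity outside the (assumed, UTC) change window."""
    flags = []
    if get_path(event, "user.name") not in approved_actors:
        flags.append("actor_not_approved")
    if get_path(event, "source.geo.country_iso_code") not in expected_countries:
        flags.append("unexpected_geo")
    ts = datetime.fromisoformat(get_path(event, "@timestamp").replace("Z", "+00:00"))
    if not (change_window[0] <= ts.hour < change_window[1]):
        flags.append("outside_change_window")
    return flags


def run_detection(events, approved_actors, expected_countries):
    """Apply the rule to each event and return one alert per match, enriched
    with triage flags so an analyst sees the 'why investigate' up front."""
    alerts = []
    for event in events:
        if is_pim_role_setting_update(event):
            alerts.append({
                "timestamp": get_path(event, "@timestamp"),
                "actor": get_path(event, "user.name"),
                "source_ip": get_path(event, "source.ip"),
                "flags": triage_flags(event, approved_actors, expected_countries),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS,
                               {"pim-admin@example.onmicrosoft.com"}, {"US"}):
        print(alert)
```

Events 1 and 4 match; event 1 carries no triage flags, while event 4 is flagged on all three signals, which is the case that should go to incident response rather than be closed as routine administration. In production the same criteria are expressed as the rule's query against the Azure audit logs; this script is only for reasoning about the logic offline.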
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078 (Valid Accounts)
Created: 2020-09-01