O365 Privileged Role Assigned To Service Principal

Splunk Security Content

Summary
This detection rule identifies potential privilege escalation in Azure Active Directory (AD) caused by the assignment of privileged roles to service principals. Service principals are non-human identities; when they hold elevated permissions, a compromise of the principal (or of the application that uses it) gives the attacker those permissions, leading to unauthorized access to and abuse of tenant resources. The rule operates on the Office 365 Universal Audit Log and monitors specific operations, such as adding a member to a role, looking for events in which the member being elevated is a service principal. False positives can occur when the assignment is a legitimate administrative action, so each alert should be reviewed and benign, expected assignments filtered out. Overall, the rule helps maintain the security posture by ensuring that only authorized entities hold powerful roles within the Azure AD environment.
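To make the detection logic concrete, here is an added Python example (not the Splunk rule itself) that filters constructed audit records for "Add member to role." events whose target is a service principal and whose role is in a privileged set, with an allowlist for the review step the summary describes. The record shape is a simplified version of the audit log; the field names and, in particular, the way the target type is encoded are assumptions of this example.

```python
import json

# Entra ID roles treated as privileged here; tune this set for your tenant.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator", "Application Administrator"}

def role_name(event):
    """Return Role.DisplayName from ModifiedProperties, or '' if absent."""
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue", "")
    return ""

def detect(lines, allowlist=frozenset()):
    """One alert per privileged role added to a service principal.

    lines: JSON audit records, one per line. allowlist: service principal IDs
    whose role changes are vetted (e.g. a reviewed PIM automation); suppressing
    them is the review step for the false positives the rule description notes.
    """
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Operation") != "Add member to role.":
            continue
        role = role_name(ev)
        if role not in PRIVILEGED_ROLES:
            continue
        for target in ev.get("Target", []):
            # Assumption: this sample encodes the target type as a string label.
            if target.get("Type") != "ServicePrincipal" or target.get("ID") in allowlist:
                continue
            alerts.append({"time": ev.get("CreationTime"), "actor": ev.get("UserId"),
                           "target": target["ID"], "role": role})
    return alerts

def rec(time, actor, target_id, target_type, role, op="Add member to role."):
    """Build one constructed audit record in the simplified shape used here."""
    return json.dumps({"CreationTime": time, "Workload": "AzureActiveDirectory", "Operation": op,
                       "UserId": actor, "Target": [{"ID": target_id, "Type": target_type}],
                       "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": role}]})

# Constructed sample records, not data from any real tenant.
SAMPLE_LINES = [
    rec("2024-11-14T10:01:00Z", "admin@example.test", "svc-automation", "ServicePrincipal", "Global Administrator"),
    rec("2024-11-14T10:02:00Z", "admin@example.test", "alice@example.test", "User", "Global Administrator"),
    rec("2024-11-14T10:03:00Z", "admin@example.test", "svc-reporting", "ServicePrincipal", "Directory Readers"),
    rec("2024-11-14T10:04:00Z", "pim-bot@example.test", "svc-pim-automation", "ServicePrincipal", "Privileged Role Administrator"),
    rec("2024-11-14T10:05:00Z", "admin@example.test", "svc-old", "ServicePrincipal", "Global Administrator", op="Remove member from role."),
]
```

Running `detect(SAMPLE_LINES, allowlist={"svc-pim-automation"})` yields a single alert for `svc-automation`: the user elevation, the non-privileged role, the removal event and the allowlisted automation are all left out.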
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
  • T1098.003
Created: 2024-11-14