Azure Global Administrator Role Addition to PIM User

Elastic Detection Rules

Summary
The rule identifies unauthorized additions of users to the Azure Active Directory (AD) Global Administrator role within Privileged Identity Management (PIM). PIM is central to managing access to sensitive resources, and a user holding Global Administrator privileges can modify any administrative setting in the tenant. Adversaries may abuse PIM by adding themselves or other unauthorized accounts to this powerful role, potentially gaining persistent control over the environment. This detection leverages Azure audit logs to monitor events categorized under Role Management and flags PIM role assignments that grant Global Administrator access.
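As an added illustration (not the rule's own query, which this page does not reproduce), the following Python applies the conditions described above to constructed Azure audit records: dataset, success outcome, Role Management category, a PIM add-member operation, and Global Administrator among the target resources. The field layout and the PIM operation names are assumptions modelled on how the Elastic Azure integration ships audit logs.

```python
import json
from typing import Iterable

# Assumed field layout and operation names, modelled on the Elastic Azure
# integration; they are illustrative and not quoted from the rule page.
PIM_ADD_OPERATIONS = {
    "Add eligible member to role in PIM completed (permanent)",
    "Add member to role in PIM completed (timebound)",
}
TARGET_ROLE = "Global Administrator"


def is_global_admin_pim_addition(record: dict) -> bool:
    """True when a record is a successful PIM assignment of Global Administrator."""
    event = record.get("event", {})
    if event.get("dataset") != "azure.auditlogs":
        return False
    if event.get("outcome", "").lower() != "success":
        return False
    audit = record.get("azure", {}).get("auditlogs", {})
    props = audit.get("properties", {})
    # Azure writes the category as "RoleManagement"; normalise spacing and case.
    if props.get("category", "").replace(" ", "").lower() != "rolemanagement":
        return False
    if audit.get("operation_name") not in PIM_ADD_OPERATIONS:
        return False
    # The role being granted is listed among the event's target resources.
    targets = props.get("target_resources", [])
    return any(t.get("display_name") == TARGET_ROLE for t in targets)


def detect(lines: Iterable[str]) -> list[dict]:
    """Run the check over newline-delimited JSON records and return the alerts."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if is_global_admin_pim_addition(rec):
            alerts.append({"actor": rec.get("user", {}).get("name"),
                           "operation": rec["azure"]["auditlogs"]["operation_name"]})
    return alerts


# Constructed sample records: only the first (successful Global Administrator grant) should alert.
SAMPLE_LINES = [
    '{"event":{"dataset":"azure.auditlogs","outcome":"success"},"user":{"name":"alice@example.com"},"azure":{"auditlogs":{"operation_name":"Add member to role in PIM completed (timebound)","properties":{"category":"RoleManagement","target_resources":[{"display_name":"Global Administrator"}]}}}}',
    # same role, but the request failed
    '{"event":{"dataset":"azure.auditlogs","outcome":"failure"},"user":{"name":"bob@example.com"},"azure":{"auditlogs":{"operation_name":"Add member to role in PIM completed (timebound)","properties":{"category":"RoleManagement","target_resources":[{"display_name":"Global Administrator"}]}}}}',
    # a less privileged role, not covered by this rule
    '{"event":{"dataset":"azure.auditlogs","outcome":"success"},"user":{"name":"carol@example.com"},"azure":{"auditlogs":{"operation_name":"Add eligible member to role in PIM completed (permanent)","properties":{"category":"RoleManagement","target_resources":[{"display_name":"User Administrator"}]}}}}',
]
```

Feeding the three sample lines to `detect` yields a single alert for alice's timebound Global Administrator assignment.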
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2020-09-24