
Summary
This analytic detects the assignment of privileged roles in Azure Active Directory (Azure AD) by monitoring the "Add member to role" operation in Azure AD audit logs. Its main purpose is to identify potentially unauthorized privilege escalation, which can occur when adversaries assign privileged roles to compromised accounts as a step toward maintaining persistence and control within the Azure AD environment. Recognizing such activity is critical because a privileged role assignment lets an attacker escalate privileges, access sensitive data, and sustain long-term unauthorized access over Azure infrastructure. To implement this detection, the Splunk Add-on for Microsoft Cloud Services must be installed to ingest Azure AD event logs, specifically the audit events. System administrators should also note that legitimate administrative role assignments may trigger this rule, so careful filtering and contextual investigation are encouraged to minimize false positives.
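As an added illustration, not part of this rule's own search logic, the following Python reproduces the detection over constructed Azure AD audit records: it selects "Add member to role" events, extracts actor, target and role, and flags privileged roles while skipping an approved-admin list to reduce false positives. The event field layout (operationName, properties.initiatedBy, targetResources, modifiedProperties) and the privileged-role set are assumptions about how the add-on presents audit events and should be checked against your ingested data.

```python
import json

# Roles treated as privileged: an assumption to tune per tenant (the page names none).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "User Administrator"}

def _event(actor, target, role):
    """Build a constructed audit record in the assumed add-on field layout."""
    return {"operationName": "Add member to role", "properties": {
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"type": "User", "userPrincipalName": target,
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": json.dumps(role)}]}]}}

# Constructed sample events; Azure AD stores modifiedProperties values as JSON strings.
SAMPLE_EVENTS = [
    _event("attacker@example.com", "svc-backup@example.com", "Global Administrator"),
    _event("helpdesk@example.com", "alice@example.com", "Directory Readers"),
    _event("admin@example.com", "bob@example.com", "Security Administrator"),
    {"operationName": "Update user", "properties": {}},  # unrelated operation, ignored
]

def parse_role_assignment(event):
    """Return (actor, target, role) for an 'Add member to role' event, else None."""
    if event.get("operationName") != "Add member to role":
        return None
    props = event.get("properties", {})
    actor = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
    target, role = None, None
    for resource in props.get("targetResources", []):
        if resource.get("type") == "User":
            target = resource.get("userPrincipalName")
        for prop in resource.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue", "null")
                role = json.loads(raw) if raw.startswith('"') else raw  # unquote JSON string
    return actor, target, role

def detect_privileged_assignments(events, approved_actors=frozenset()):
    """Flag privileged grants, skipping actors on an approved-admin list (false-positive filter)."""
    alerts = []
    for event in events:
        parsed = parse_role_assignment(event)
        if parsed is None:
            continue
        actor, target, role = parsed
        if role in PRIVILEGED_ROLES and actor not in approved_actors:
            alerts.append({"actor": actor, "target": target, "role": role})
    return alerts
```

Running `detect_privileged_assignments(SAMPLE_EVENTS, approved_actors={"admin@example.com"})` leaves only the grant made by the unapproved actor, which is the event an analyst would investigate.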
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- User Account
- Active Directory
ATT&CK Techniques
- T1098
- T1098.003
Created: 2024-11-14