Microsoft Entra ID Elevated Access to User Access Administrator

Elastic Detection Rules

Summary
This detection rule identifies when a user elevates their privileges to the 'User Access Administrator' role in Microsoft Entra ID (Azure AD). The User Access Administrator role permits users to manage access to Azure resources, making it a critical role that can be exploited by adversaries to gain unauthorized access and perform privilege escalation. The rule is designed as a New Terms type, triggering alerts only if the specified user has not already performed this privilege elevation in the last 14 days, thus reducing false positives related to routine administrative activities. Investigative steps are outlined to confirm the legitimacy of the access elevation, including reviewing user identity, geographical location of the action, application details involved in the elevation, and any associated Azure sign-in logs. Response measures are also detailed, emphasizing rapid action in case of unauthorized access, including role removal and account lockdown to protect sensitive resources.
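The New Terms behaviour described above, as an added example that is not Elastic's rule code: a small emulation that scans constructed Entra ID audit events and alerts on an elevation to User Access Administrator only when the acting user has not performed one in the preceding 14 days. The action string, field layout and sample events are assumptions constructed for this example, not the rule's actual query fields.

```python
"""Added example (not Elastic's rule code): emulate a New Terms detection for
Entra ID elevate-access events. Alert only when the acting user has not
performed this elevation in the previous 14 days."""
from datetime import datetime, timedelta, timezone

# Action name and event layout are assumptions for this example, not the
# exact fields of the Elastic rule or of Azure audit logs.
ELEVATE_ACTION = "Elevate access to User Access Administrator"
NEW_TERMS_WINDOW = timedelta(days=14)

# Constructed sample audit events: (timestamp, user, action, source_ip)
SAMPLE_EVENTS = [
    ("2025-05-01T09:00:00Z", "ops.admin@example.com", ELEVATE_ACTION, "203.0.113.10"),  # first seen -> alert
    ("2025-05-10T14:30:00Z", "ops.admin@example.com", ELEVATE_ACTION, "203.0.113.10"),  # 9 days after prior -> suppressed
    ("2025-05-20T08:15:00Z", "dev.user@example.com", ELEVATE_ACTION, "198.51.100.7"),   # first seen -> alert
    ("2025-05-21T08:15:00Z", "dev.user@example.com", "Read resource", "198.51.100.7"),  # not an elevation -> ignored
    ("2025-05-30T10:00:00Z", "ops.admin@example.com", ELEVATE_ACTION, "203.0.113.10"),  # 20 days after prior -> alert
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp of the form used in SAMPLE_EVENTS."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_terms_alerts(events, window=NEW_TERMS_WINDOW):
    """Return one alert per elevation whose user has no prior elevation within `window`.

    Events are processed in time order and the most recent elevation per user is
    tracked, so routine re-elevations inside the window are suppressed while a
    first-time or long-dormant elevation surfaces for investigation.
    """
    last_seen = {}
    alerts = []
    for ts, user, action, ip in sorted(events, key=lambda e: parse_ts(e[0])):
        if action != ELEVATE_ACTION:
            continue
        when = parse_ts(ts)
        prior = last_seen.get(user)
        if prior is None or when - prior > window:
            alerts.append({
                "time": ts,
                "user": user,
                "source_ip": ip,
                "reason": "no elevation by this user in the last 14 days; verify identity, location and app",
            })
        last_seen[user] = when
    return alerts


if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS):
        print(alert)
```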
Categories
  • Cloud
  • Identity Management
  • Infrastructure
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
  • T1098.003
Created: 2025-05-22