Summary
This rule detects the assignment of new management roles within Microsoft 365 Exchange, which may indicate unauthorized access or persistence by an adversary. An attacker who has gained access to an environment may add roles to extend their control and keep a foothold. The rule uses Microsoft 365 audit logs to identify management role assignments, specifically events where the action 'New-ManagementRoleAssignment' occurs with a successful outcome. By flagging these events, security teams can investigate whether the role assignment was authorized or whether it represents a malicious attempt to gain persistent access. The rule includes guidance for investigation and response, emphasizing the need to confirm the legitimacy of the role change, review the associated user's activities, and consult IT for verification. False positives from legitimate administrative activity are acknowledged, with recommended review practices.
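The detection logic described above, as an added example that is not part of the original rule: it runs over constructed Microsoft 365 unified audit log records (JSON lines) and returns one alert per successful New-ManagementRoleAssignment event. The field names (Workload, Operation, ResultStatus, UserId, Parameters) follow the unified audit log schema; the set of success values is an assumption to be checked against your own export.

```python
import json

# Outcomes treated as success. Exchange admin-audit records in the unified audit
# log carry "True"/"False" in ResultStatus; other workloads use "Success"/
# "Succeeded". Assumed here; check against your own export.
SUCCESS_VALUES = {"True", "Success", "Succeeded"}

# Constructed sample records in the shape of Microsoft 365 unified audit log
# entries for the Exchange workload (JSON lines). Not real tenant data.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2024-05-01T09:12:44", "Workload": "Exchange",
     "Operation": "New-ManagementRoleAssignment", "ResultStatus": "True",
     "UserId": "admin@example.com",
     "Parameters": [{"Name": "Role", "Value": "Mailbox Import Export"},
                    {"Name": "User", "Value": "svc-backup@example.com"}]},
    {"CreationTime": "2024-05-01T09:13:10", "Workload": "Exchange",
     "Operation": "New-ManagementRoleAssignment", "ResultStatus": "False",
     "UserId": "helpdesk@example.com",
     "Parameters": [{"Name": "Role", "Value": "Organization Management"},
                    {"Name": "User", "Value": "helpdesk@example.com"}]},
    {"CreationTime": "2024-05-01T09:14:02", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "ResultStatus": "True",
     "UserId": "admin@example.com", "Parameters": []},
])


def find_role_assignments(jsonl_text):
    """One alert per successful New-ManagementRoleAssignment in the Exchange
    workload, mirroring the rule logic; failures and other cmdlets are skipped."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Workload") != "Exchange":
            continue
        if rec.get("Operation") != "New-ManagementRoleAssignment":
            continue
        if rec.get("ResultStatus") not in SUCCESS_VALUES:
            continue
        # Parameters is a list of {"Name": ..., "Value": ...} pairs.
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        alerts.append({
            "time": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "role": params.get("Role"),
            # The assignee is a user, app or group depending on how the cmdlet was called.
            "assignee": params.get("User") or params.get("App") or params.get("SecurityGroup"),
        })
    return alerts
```

Each alert carries the actor, the role granted and the assignee, which are the three things a triage analyst needs to confirm with IT whether the change was authorized.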
Categories
- Cloud
- Identity Management
- Infrastructure
Data Sources
- Cloud Service
- Application Log
- User Account
ATT&CK Techniques
- T1098
Created: 2020-11-20