
Summary
This detection rule identifies when a user is added to an administrative role in Azure Active Directory (Azure AD). It matches the "Add member to role" operation in the audit log, but only when the modified properties show a new value that names an administrator role. Such an event indicates a possible privilege escalation, a common attacker step for gaining higher levels of access within an organization. The presence of these events in the activity logs may reflect legitimate administrative actions, a misconfiguration, or an attack aimed at elevating a compromised account's privileges, so each hit should be reconciled against expected change activity. The rule uses Azure activity logs as its data source and carries tags that map it to the MITRE ATT&CK techniques for persistence and privilege escalation.
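The matching logic described above, as an added example (not part of the rule itself), run over constructed Azure AD audit records. The record layout (`operationName`, `initiatedBy`, `targetResources[].modifiedProperties[]` with JSON-encoded `newValue`) follows the Azure AD audit log schema, and treating it as the ingested shape is an assumption of this example.

```python
import json


def _event(op, target, role):
    """Build a minimal constructed audit record in the Azure AD audit-log shape (sample data only)."""
    return {"operationName": op,
            "initiatedBy": {"user": {"userPrincipalName": "it-ops@example.test"}},
            "targetResources": [{"userPrincipalName": target,
                                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                         # Azure AD stores newValue JSON-encoded
                                                         "newValue": json.dumps(role)}]}]}


# Constructed sample batch: one true positive and two records the rule must ignore
SAMPLE_EVENTS = [
    _event("Add member to role", "alice@example.test", "Global Administrator"),        # fires
    _event("Add member to role", "bob@example.test", "Directory Readers"),             # not an admin role
    _event("Remove member from role", "carol@example.test", "Security Administrator"),  # wrong operation
]


def _decode(new_value):
    """Unwrap a JSON-encoded modifiedProperties value (e.g. '"Global Administrator"')."""
    try:
        return str(json.loads(new_value)) if new_value else ""
    except (json.JSONDecodeError, TypeError):
        return str(new_value)


def admin_role_added(event):
    """Return the role name if this event adds a member to an administrator role, else None."""
    if event.get("operationName") != "Add member to role":
        return None
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            value = _decode(prop.get("newValue"))
            if "admin" in value.lower():   # the rule's substring test on the new value
                return value
    return None


def find_admin_role_assignments(events):
    """Run the rule over a batch and return (actor, target, role) for each match, for triage."""
    hits = []
    for event in events:
        role = admin_role_added(event)
        if role is None:
            continue
        actor = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for target in event.get("targetResources", []):
            hits.append((actor, target.get("userPrincipalName", "unknown"), role))
    return hits
```

The actor/target pair returned per hit is what an analyst needs to compare against change tickets before treating the assignment as escalation.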
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
Created: 2021-10-04