Azure AD Admin Consent Bypassed by Service Principal

Splunk Security Content

Summary
This detection rule identifies cases where a service principal in Azure Active Directory (Azure AD) assigns app roles without the admin consent such grants normally require. Using Entra ID audit logs from the `azure_monitor_aad` data source, the rule monitors the operation 'Add app role assignment to service principal' to flag potential privilege escalation. Permissions granted this way skip the review that admin consent provides and can severely compromise the integrity of an Azure AD environment, giving attackers elevated privileges to use for malicious purposes. The search parses the relevant log entries and extracts the service principal performing the operation, the affected user, and details of the roles being assigned. The rule emphasizes auditing and alerting to maintain oversight of service principals, which are often targeted for exploitation precisely when the standard administrative consent process is bypassed.
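The same logic the rule applies to the 'Add app role assignment to service principal' operation, written as a small Python filter over constructed Entra ID audit events (an added example, not the Splunk search itself). The event layout (operationName, initiatedBy.app vs initiatedBy.user, targetResources[].modifiedProperties with an AppRole.Value property whose newValue is a JSON-encoded string) is this example's assumption about the Entra ID AuditLogs schema, and the names and IDs are made up.

```python
import json

OPERATION = "Add app role assignment to service principal"

# Constructed sample events in the Entra ID AuditLogs layout this example assumes
# (operationName, initiatedBy.app / initiatedBy.user, targetResources[].modifiedProperties).
SAMPLE_EVENTS = [
    {   # grant performed by a service principal itself -> should be flagged
        "operationName": OPERATION, "result": "success",
        "initiatedBy": {"app": {"displayName": "automation-sp",
                                "servicePrincipalId": "11111111-1111-1111-1111-111111111111"}},
        "targetResources": [{
            "type": "ServicePrincipal", "displayName": "Microsoft Graph",
            "modifiedProperties": [{"displayName": "AppRole.Value",
                                    "newValue": "\"Directory.ReadWrite.All\""}]}],
    },
    {   # same operation by an admin user through the consent flow -> ignored
        "operationName": OPERATION, "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "type": "ServicePrincipal", "displayName": "Microsoft Graph",
            "modifiedProperties": [{"displayName": "AppRole.Value",
                                    "newValue": "\"User.Read.All\""}]}],
    },
    {   # unrelated operation by the same service principal -> ignored
        "operationName": "Update application", "result": "success",
        "initiatedBy": {"app": {"displayName": "automation-sp",
                                "servicePrincipalId": "11111111-1111-1111-1111-111111111111"}},
        "targetResources": [],
    },
]

def find_sp_initiated_role_grants(events):
    """One finding per successful app-role grant whose initiator is an app, not a user."""
    findings = []
    for ev in events:
        if ev.get("operationName") != OPERATION or ev.get("result") != "success":
            continue
        actor = (ev.get("initiatedBy") or {}).get("app")
        if not actor:
            continue  # a signed-in user granted the role; the admin-consent flow applied
        targets = ev.get("targetResources") or []
        roles = [json.loads(p["newValue"]) for res in targets  # newValue is JSON-encoded
                 for p in res.get("modifiedProperties", [])
                 if p.get("displayName") == "AppRole.Value"]
        findings.append({"actor": actor.get("displayName"), "actor_id": actor.get("servicePrincipalId"),
                         "targets": [res.get("displayName") for res in targets], "roles": roles})
    return findings
```

Run against SAMPLE_EVENTS, only the first event is returned; a production version would additionally enrich the finding with the affected user and tenant context the Splunk search extracts.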
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • Web Credential
  • Cloud Service
  • Active Directory
ATT&CK Techniques
  • T1098
  • T1098.003
Created: 2024-11-14