
Summary
This detection rule identifies when a user is assigned a built-in administrator role within Azure Role-Based Access Control (RBAC). Such assignments carry significant security risk: an attacker who obtains or grants one can use it for privilege escalation, lateral movement, and persistence. The rule monitors specific privileged roles, namely Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role-Based Access Control Administrator. By tracking these events, organizations can reduce the risk of unauthorized privilege assignments and improve their overall security posture. The rule generates an alert when a matching role-assignment action is recorded in the Azure activity logs, prompting investigation of the circumstances of the assignment, the behavior of the user involved, and any potential unauthorized access. The response depends on whether the activity is legitimate and ranges from immediate role revocation and account lockdown to additional hardening such as enforcing Multi-Factor Authentication (MFA).
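The detection logic described above, written out as an added example that is not the rule's own implementation. It scans Azure Activity Log records in a simplified, assumed shape (operationName.value, status.value, caller, resourceId and properties.requestbody carrying JSON text) for successful roleAssignments/write operations whose roleDefinitionId resolves to one of the watched built-in roles. Owner, Contributor and User Access Administrator use Azure's well-known built-in role GUIDs; the other three table entries are placeholders, and every sample event, subscription, principal and assignment ID is constructed for this example.

```python
import json
from typing import Dict, List

# Owner, Contributor and User Access Administrator are the well-known built-in GUIDs; the
# other three are placeholders to fill from `az role definition list` in your own tenant.
WATCHED_ROLES: Dict[str, str] = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "<azure-file-sync-administrator-guid>": "Azure File Sync Administrator",
    "<reservations-administrator-guid>": "Reservations Administrator",
    "<rbac-administrator-guid>": "Role-Based Access Control Administrator",
}
ROLE_ASSIGNMENT_WRITE = "microsoft.authorization/roleassignments/write"

def detect_admin_role_assignments(events: List[dict]) -> List[dict]:
    """Return one alert per successful roleAssignments/write granting a watched built-in role."""
    alerts = []
    for ev in events:
        op = ((ev.get("operationName") or {}).get("value") or "").lower()  # logs vary in case
        if op != ROLE_ASSIGNMENT_WRITE or (ev.get("status") or {}).get("value") != "Succeeded":
            continue  # failed or in-progress writes grant nothing; hunt on them separately
        try:  # requestbody is JSON text; roleDefinitionId is an ARM path ending in the role GUID
            props = json.loads((ev.get("properties") or {}).get("requestbody") or "{}")["properties"]
            guid = str(props["roleDefinitionId"]).rstrip("/").rsplit("/", 1)[-1].lower()
        except (ValueError, KeyError, TypeError):
            continue  # missing or malformed body: not a role grant this rule can evaluate
        if guid in WATCHED_ROLES:
            alerts.append({"role": WATCHED_ROLES[guid], "caller": ev.get("caller"),
                           "principal_id": props.get("principalId"),
                           "resource_id": ev.get("resourceId")})
    return alerts

def _sample_event(status: str, role_guid: str, principal_id: str) -> dict:
    """Build a constructed Activity Log record (all IDs are made up for this example)."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    body = {"properties": {"principalId": principal_id, "principalType": "User",
            "roleDefinitionId": sub + "/providers/Microsoft.Authorization/roleDefinitions/" + role_guid}}
    return {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
            "status": {"value": status}, "caller": "admin@example.com",
            "resourceId": sub + "/providers/Microsoft.Authorization/roleAssignments/"
                          "11111111-1111-1111-1111-111111111111",
            "properties": {"requestbody": json.dumps(body)}}

# constructed input: a successful Owner grant, a failed Owner attempt and a Reader grant
SAMPLE_EVENTS = [
    _sample_event("Succeeded", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "aaaaaaaa-0000-0000-0000-000000000001"),
    _sample_event("Failed", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "aaaaaaaa-0000-0000-0000-000000000002"),
    _sample_event("Succeeded", "acdd72a7-3385-48ef-bd42-f606fba81ae7", "aaaaaaaa-0000-0000-0000-000000000003"),
]
```

Only the first sample event produces an alert: the failed attempt and the Reader grant are filtered out, and the alert carries the caller, the principal that received the role and the assignment resource ID for triage.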
Categories
- Cloud
Data Sources
- Cloud Service
- Logon Session
- Application Log
ATT&CK Techniques
- T1098
- T1098.003
Created: 2025-09-15