Azure AD Global Administrator Role Assigned

Splunk Security Content

Summary
This detection rule analyzes Azure Active Directory (AAD) events to identify when a user is assigned the Global Administrator role, which grants extensive permissions across Azure resources. It uses the Azure AD AuditLogs data source to track the "Add member to role" operation, specifically where the role being assigned is Global Administrator. Given the sensitivity of this role, an unauthorized assignment can indicate a security threat such as privilege escalation or unauthorized administrative access. The rule monitors changes to user roles within AAD and helps maintain compliance and security in Azure environments by alerting on risky role assignments.
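The detection logic described above, as an added worked example that is not part of the Splunk Security Content rule itself: it walks Azure AD AuditLogs-style records, keeps only "Add member to role" operations whose role display name is "Global Administrator", and emits a triage record (time, initiator, target, result). The record layout (operationName, result, activityDateTime, initiatedBy.user.userPrincipalName, targetResources[].modifiedProperties with a Role.DisplayName entry) and the sample events are constructed assumptions about the log schema, and the example deliberately also surfaces failed assignment attempts, which the summary does not mention but a defender would usually want to see.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample events in the shape of Azure AD AuditLogs records.
# The field names used here are assumptions about the audit log schema,
# not values taken from the detection rule page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # Global Administrator assigned successfully: should alert
        "activityDateTime": "2024-11-14T10:01:00Z",
        "operationName": "Add member to role",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "userPrincipalName": "alice@example.test",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
            ],
        }],
    },
    {   # a less privileged role assigned: no alert
        "activityDateTime": "2024-11-14T10:02:00Z",
        "operationName": "Add member to role",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "userPrincipalName": "carol@example.test",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Security Reader\""},
            ],
        }],
    },
    {   # removal from Global Administrator: different operation, no alert
        "activityDateTime": "2024-11-14T10:03:00Z",
        "operationName": "Remove member from role",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{
            "userPrincipalName": "alice@example.test",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
            ],
        }],
    },
    {   # failed attempt to assign Global Administrator: still alerted, result carried along
        "activityDateTime": "2024-11-14T10:04:00Z",
        "operationName": "Add member to role",
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
        "targetResources": [{
            "userPrincipalName": "bob@example.test",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
            ],
        }],
    },
]

TARGET_OPERATION = "Add member to role"
TARGET_ROLE = "Global Administrator"


def _unquote(value: str) -> str:
    """modifiedProperties values are often JSON-encoded strings; decode when they are."""
    try:
        decoded = json.loads(value)
        return decoded if isinstance(decoded, str) else value
    except (ValueError, TypeError):
        return value


def assigned_role(event: Dict[str, Any]) -> Optional[str]:
    """Return the Role.DisplayName value from the event's target resources, or None."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return _unquote(prop.get("newValue", ""))
    return None


def is_global_admin_assignment(event: Dict[str, Any]) -> bool:
    """True when the event is an 'Add member to role' for Global Administrator."""
    return event.get("operationName") == TARGET_OPERATION and assigned_role(event) == TARGET_ROLE


def find_global_admin_assignments(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Reduce matching events to triage records: who assigned the role to whom, and whether it succeeded."""
    alerts: List[Dict[str, str]] = []
    for event in events:
        if not is_global_admin_assignment(event):
            continue
        targets = event.get("targetResources", [])
        alerts.append({
            "time": event.get("activityDateTime", ""),
            "initiator": event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown"),
            "target": targets[0].get("userPrincipalName", "unknown") if targets else "unknown",
            "result": event.get("result", "unknown"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_global_admin_assignments(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two records: the successful assignment to alice@example.test and the failed attempt against bob@example.test. The Security Reader assignment and the role removal are filtered out, matching the narrow scope the rule summary describes; a production version would additionally join the initiator against an approved-admin list or change tickets before raising severity.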
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Web Credential
  • Active Directory
ATT&CK Techniques
  • T1098
  • T1098.003
Created: 2024-11-14