Entra ID Guest Account Promoted to Member

Elastic Detection Rules

Summary
Detects when a Microsoft Entra ID (formerly Azure AD) user account is converted from Guest to Member through an Update user operation recorded in the Entra ID audit logs. The rule matches only successful Update user events in which the modified property UserType changes from Guest to Member.

A Member account receives the default directory permissions that a Guest account lacks, including the ability to enumerate other users, groups and applications, and it is no longer subject to the restrictions applied to external identities. Changing UserType alone does not rewrite the account's identity, however: a B2B guest promoted this way keeps its #EXT# user principal name and still authenticates through its home tenant, so the promoted account is not fully indistinguishable from an internal employee and can be found after the fact. Promoting a compromised Guest account to Member gives an attacker durable, employee-like access to the tenant without the role-assignment events that most alerting focuses on, which is why the rule maps to Account Manipulation (MITRE ATT&CK T1098) under the Persistence tactic. The activity is a risk even when the account's earlier history looks legitimate.

The rule reads the azure.auditlogs data stream and depends on the change being made by a principal with permission to update user objects, so the initiating actor should be reviewed alongside the target account. The rule's references cover Entra ID user properties and the conversion of external users to internal users.
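The following is an added example, not the Elastic rule's own source or query. It applies the rule's logic (a successful Update user whose UserType modified property goes from Guest to Member) to a handful of constructed audit records shaped like Microsoft Graph directoryAudit objects, where modifiedProperties values are JSON-encoded strings such as '["Guest"]'. The tenant, user names, timestamps and the make_record helper are assumptions for illustration; the still_external_identity field is a practitioner's extra check that the promoted account still carries a B2B #EXT# UPN.

```python
"""Flag Entra ID audit records in which a user's UserType changes from Guest to Member.

Added example, not Elastic's rule code. Records are constructed in the shape of
Graph directoryAudit objects: activityDisplayName, result, initiatedBy,
targetResources[].modifiedProperties[] with JSON-encoded oldValue/newValue.
"""
import json
from typing import Iterable, Optional


def make_record(result: str, prop: str, old: str, new: str,
                target_upn: str, actor_upn: str) -> dict:
    """Build a constructed audit record (test data; contoso.example is fictitious)."""
    return {
        "activityDateTime": "2025-01-10T09:12:31Z",
        "activityDisplayName": "Update user",
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": actor_upn}},
        "targetResources": [{
            "userPrincipalName": target_upn,
            "modifiedProperties": [
                # Entra writes property values JSON-encoded, e.g. '["Guest"]'
                {"displayName": prop, "oldValue": json.dumps([old]), "newValue": json.dumps([new])},
            ],
        }],
    }


# Constructed sample log records, not data from a real tenant.
SAMPLE_AUDIT_RECORDS = [
    # Guest promoted to Member by an admin: the one record that should alert
    make_record("success", "UserType", "Guest", "Member",
                "jane_partner.example#EXT#@contoso.example", "admin@contoso.example"),
    # Same change but the operation failed: the rule requires success
    make_record("failure", "UserType", "Guest", "Member",
                "bob_partner.example#EXT#@contoso.example", "helpdesk@contoso.example"),
    # Reverse direction (Member demoted to Guest): not in scope
    make_record("success", "UserType", "Member", "Guest",
                "contractor@contoso.example", "admin@contoso.example"),
    # Ordinary Update user touching another property: not in scope
    make_record("success", "DisplayName", "Alice", "Alice Smith",
                "alice@contoso.example", "admin@contoso.example"),
]


def decode_property_value(value: Optional[str]) -> Optional[str]:
    """Decode a JSON-encoded modifiedProperties value ('["Guest"]' -> 'Guest').
    Returns None when the value is absent, unparseable, or not a single string."""
    if value is None:
        return None
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return None
    if isinstance(decoded, list) and len(decoded) == 1 and isinstance(decoded[0], str):
        return decoded[0]
    return decoded if isinstance(decoded, str) else None


def is_guest_to_member(record: dict) -> bool:
    """True only for a successful 'Update user' whose UserType went Guest -> Member."""
    if record.get("activityDisplayName") != "Update user":
        return False
    if str(record.get("result", "")).lower() != "success":
        return False
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "UserType":
                continue
            old = decode_property_value(prop.get("oldValue"))
            new = decode_property_value(prop.get("newValue"))
            if old == "Guest" and new == "Member":
                return True
    return False


def actor_of(record: dict) -> Optional[str]:
    """Who made the change: a user UPN, or an application display name."""
    initiated = record.get("initiatedBy", {})
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName")


def find_promotions(records: Iterable[dict]) -> list:
    """Return one alert dict per Guest-to-Member promotion found in the records."""
    alerts = []
    for rec in records:
        if not is_guest_to_member(rec):
            continue
        for target in rec.get("targetResources", []):
            upn = target.get("userPrincipalName") or ""
            alerts.append({
                "timestamp": rec.get("activityDateTime"),
                "actor": actor_of(rec),
                "target": upn,
                # Setting UserType does not change the UPN: a promoted B2B guest keeps
                # its #EXT# marker and still authenticates in its home tenant.
                "still_external_identity": "#EXT#" in upn,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_promotions(SAMPLE_AUDIT_RECORDS):
        print(alert)
```

Only the first record produces an alert; the failed operation, the Member-to-Guest demotion and the unrelated property change are all filtered out, which mirrors the rule's success-only, direction-specific match. In triage, the actor field answers the question the summary raises (who had the permission to do this), and still_external_identity reminds the analyst that the account remains an externally authenticated identity despite its new Member type.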
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2026-05-20