Adversaries may be creating Entra ID groups, or adding members to existing ones, to establish access to and control over cloud resources; this hunt surfaces such group member additions within the last 7 days. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or privilege escalation that leverages group membership.
KQL Query

```kql
let LookBack = 7d;
CloudAppEvents
| where ActionType in ("Add member to group.") and AccountType == "Regular" and Timestamp > ago(LookBack)
| extend SecondElement = RawEventData.ModifiedProperties[1]
| extend UserAddedId = RawEventData.ObjectId
| extend GroupName = SecondElement.NewValue
| project Timestamp, ActionType, UserAddedId, PerformedBy = AccountDisplayName, GroupName
```
```yaml
id: f5e4d3c2-b1a0-4f9d-8e7c-6b5a4d3e2c1f
name: Entra ID group adds in the last 7 days
description: |
  This query looks for Entra ID group adds identified by Microsoft Defender for Cloud Apps. It requires a corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Privilege Escalation
relevantTechniques:
  - T1548
query: >
  let LookBack = 7d;
  CloudAppEvents
  | where ActionType in ("Add member to group.") and AccountType == "Regular" and Timestamp > ago(LookBack)
  | extend SecondElement = RawEventData.ModifiedProperties[1]
  | extend UserAddedId = RawEventData.ObjectId
  | extend GroupName = SecondElement.NewValue
  | project Timestamp, ActionType, UserAddedId, PerformedBy = AccountDisplayName, GroupName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: DisplayName
        columnName: UserAddedId
      - identifier: DisplayName
        columnName: PerformedBy
version: 1.0.0
```
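The query's usefulness hinges on two field positions in `RawEventData`: `ObjectId` holding the added principal and `ModifiedProperties[1].NewValue` holding the group name. As an added example (not part of the original rule), here is a Python re-implementation of the same filter and projection run over constructed CloudAppEvents rows; the sample values, the `hunt_group_adds` name and the `Group.DisplayName` property ordering are assumptions, and the last row shows the failure mode where the second element is absent and `GroupName` comes back null rather than the row being dropped.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudAppEvents rows (not real telemetry). RawEventData mirrors the
# shape the KQL indexes: ObjectId is the added principal and ModifiedProperties[1]
# is assumed, as in the query, to carry the group display name.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {   # in window, regular user, full ModifiedProperties: should be returned
        "Timestamp": NOW - timedelta(days=1), "ActionType": "Add member to group.",
        "AccountType": "Regular", "AccountDisplayName": "alice@contoso.example",
        "RawEventData": {"ObjectId": "11111111-aaaa-4bbb-8ccc-000000000001",
                         "ModifiedProperties": [
                             {"Name": "Group.ObjectID", "NewValue": "22222222-bbbb-4ccc-8ddd-000000000002"},
                             {"Name": "Group.DisplayName", "NewValue": "Global Administrators"}]}},
    {   # older than the 7-day LookBack: filtered out
        "Timestamp": NOW - timedelta(days=10), "ActionType": "Add member to group.",
        "AccountType": "Regular", "AccountDisplayName": "bob@contoso.example",
        "RawEventData": {"ObjectId": "33333333-aaaa-4bbb-8ccc-000000000003",
                         "ModifiedProperties": [{"Name": "Group.ObjectID", "NewValue": "x"},
                                                {"Name": "Group.DisplayName", "NewValue": "Finance"}]}},
    {   # performed by a non-Regular account (e.g. a sync service): filtered out
        "Timestamp": NOW - timedelta(hours=2), "ActionType": "Add member to group.",
        "AccountType": "Application", "AccountDisplayName": "svc-provisioning",
        "RawEventData": {"ObjectId": "44444444-aaaa-4bbb-8ccc-000000000004",
                         "ModifiedProperties": [{"Name": "Group.ObjectID", "NewValue": "y"},
                                                {"Name": "Group.DisplayName", "NewValue": "Sales"}]}},
    {   # in window but ModifiedProperties has only one element: GroupName comes back null
        "Timestamp": NOW - timedelta(hours=3), "ActionType": "Add member to group.",
        "AccountType": "Regular", "AccountDisplayName": "carol@contoso.example",
        "RawEventData": {"ObjectId": "55555555-aaaa-4bbb-8ccc-000000000005",
                         "ModifiedProperties": [{"Name": "Group.ObjectID", "NewValue": "z"}]}},
]

def hunt_group_adds(events, now=NOW, lookback=timedelta(days=7)):
    """Same filter and projection as the KQL, applied to a list of event dicts."""
    rows = []
    for ev in events:
        if ev["ActionType"] != "Add member to group." or ev["AccountType"] != "Regular":
            continue
        if not ev["Timestamp"] > now - lookback:          # Timestamp > ago(LookBack)
            continue
        raw = ev.get("RawEventData") or {}
        props = raw.get("ModifiedProperties") or []
        # KQL's dynamic indexing yields null for a missing element; mirror that instead of raising
        second = props[1] if len(props) > 1 else {}
        rows.append({"Timestamp": ev["Timestamp"], "ActionType": ev["ActionType"],
                     "UserAddedId": raw.get("ObjectId"), "PerformedBy": ev.get("AccountDisplayName"),
                     "GroupName": second.get("NewValue")})
    return rows
```

A null `GroupName` in Sentinel output therefore means the property ordering assumption did not hold for that event, not that no group was involved; triage those rows by inspecting `RawEventData.ModifiedProperties` directly.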
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled group membership sync from Azure AD Connect | Azure AD Connect synchronizes group memberships from on-premises Active Directory to Azure AD, which can result in new group additions in Entra ID. | Exclude events where the operationType is Sync and the sourceSystem is Azure AD Connect. |
| Automated user provisioning via Azure AD B2C | Azure AD B2C may create groups as part of user provisioning workflows, especially during sign-up or identity provider configuration. | Exclude events where the sourceSystem is Azure AD B2C and the operationType is Provisioning. |
| Group creation via PowerShell or Azure CLI | Administrators may use PowerShell (New-AzureADGroup) or Azure CLI to create groups, which can be flagged as "group adds." | Exclude events where the sourceSystem is PowerShell or Azure CLI and the operationType is Create. |
| Group membership changes via Microsoft 365 Admin Center | When administrators manually add users to groups via the Microsoft 365 Admin Center, it can trigger the detection rule. | Exclude events where the sourceSystem is Microsoft 365 Admin Center and the operationType is Manual. |
| Group creation via third-party identity management tool (e.g., Okta, Ping Identity) | Some identity management tools may create Entra ID groups as part of their integration or configuration processes. | Exclude events where the sourceSystem is Okta or Ping Identity and the operationType is |