T1098.003 Add Office 365 Global Administrator Role Mappings

An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow Create Account or other malicious account activity.


Azure Mappings

Capability ID: role_based_access_control
Capability Description: Role Based Access Control
Mapping Type: technique_scores
ATT&CK ID: T1098.003
ATT&CK Name: Add Office 365 Global Administrator Role
Notes: This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.

Capability ID: azure_ad_privileged_identity_management
Capability Description: Azure AD Privileged Identity Management
Mapping Type: technique_scores
ATT&CK ID: T1098.003
ATT&CK Name: Add Office 365 Global Administrator Role
Notes: This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user.

Capability ID: azure_ad_privileged_identity_management
Capability Description: Azure AD Privileged Identity Management
Mapping Type: technique_scores
ATT&CK ID: T1098.003
ATT&CK Name: Add Office 365 Global Administrator Role
Notes: This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be used to detect the execution of this sub-technique. Assigning the Global Administrator role to an account is an infrequent operation, so the false positive rate should be minimal.

Capability ID: cloud_app_security_policies
Capability Description: Cloud App Security Policies
Mapping Type: technique_scores
ATT&CK ID: T1098.003
ATT&CK Name: Add Office 365 Global Administrator Role
Notes: This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app".
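The detection the PIM notification mapping above describes, as an added example that is neither part of this mapping page nor Microsoft's code: a small Python check that flags successful Global Administrator assignments in Azure AD audit-log entries. The field names (activityDisplayName, initiatedBy, targetResources, Role.DisplayName with a JSON-quoted newValue) are assumed from the Microsoft Graph directoryAudit format, and every entry and the contoso.example domain are constructed.

```python
import json

# Constructed sample entries (not real tenant data). Field names are assumed to
# follow the Microsoft Graph directoryAudit layout; verify against your export.
SAMPLE_AUDIT_LOG = [
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "svc-backup@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDisplayName": "Add member to role", "result": "failure",
     "initiatedBy": {"app": {"displayName": "Some Automation App"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
]

def _actor(entry):
    """Initiator of the change: a user's UPN, or an app's display name for service principals."""
    who = entry.get("initiatedBy", {})
    return (who.get("user") or {}).get("userPrincipalName") or (who.get("app") or {}).get("displayName", "<unknown>")

def _assigned_roles(entry):
    """Yield (target UPN, role name) pairs recorded in the entry's modified properties."""
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "Role.DisplayName":
                continue
            raw = prop.get("newValue", "")
            try:                      # Azure AD wraps the value as a JSON string literal
                role = json.loads(raw)
            except ValueError:        # tolerate exports that store the bare string
                role = raw
            yield target.get("userPrincipalName", "<unknown>"), role

def find_privileged_role_assignments(entries, watched_roles=("Global Administrator",)):
    """Return (actor, target, role) for each successful assignment of a watched role."""
    hits = []
    for entry in entries:
        if entry.get("activityDisplayName") != "Add member to role":
            continue
        if entry.get("result") != "success":   # failed attempts are worth a separate, noisier rule
            continue
        for target, role in _assigned_roles(entry):
            if role in watched_roles:
                hits.append((_actor(entry), target, role))
    return hits
```

Because the assignment is infrequent, every hit can be routed straight to an administrator alert rather than aggregated; the watched_roles parameter lets you extend the same check to other roles your tenant treats as privileged.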