Home
ATT&CK Techniques
T1098.003 Add Office 365 Global Administrator Role

T1098.003 Add Office 365 Global Administrator Role Mappings

An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow Create Account or other malicious account activity.

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-2	Account Management	Protects	T1098.003	Add Office 365 Global Administrator Role
AC-20	Use of External Systems	Protects	T1098.003	Add Office 365 Global Administrator Role
AC-3	Access Enforcement	Protects	T1098.003	Add Office 365 Global Administrator Role
AC-5	Separation of Duties	Protects	T1098.003	Add Office 365 Global Administrator Role
AC-6	Least Privilege	Protects	T1098.003	Add Office 365 Global Administrator Role
CM-5	Access Restrictions for Change	Protects	T1098.003	Add Office 365 Global Administrator Role
CM-6	Configuration Settings	Protects	T1098.003	Add Office 365 Global Administrator Role
IA-2	Identification and Authentication (organizational Users)	Protects	T1098.003	Add Office 365 Global Administrator Role
IA-5	Authenticator Management	Protects	T1098.003	Add Office 365 Global Administrator Role
SI-4	System Monitoring	Protects	T1098.003	Add Office 365 Global Administrator Role
SI-7	Software, Firmware, and Information Integrity	Protects	T1098.003	Add Office 365 Global Administrator Role
attribute.integrity.variety.Modify privileges	Modified privileges or permissions	related-to	T1098.003	Account Manipulation: Add Office 365 Global Administrator Role