Command & Control
Azure AD New Partner Added to Organization
Detection overview
The “Azure AD New Partner Added to Organization” detection alerts security teams to the addition of a new partner entity in Azure Active Directory with administrative privileges. This event is notable as it indicates that a third-party entity now has the ability to manage, configure, or support Azure services on behalf of the organization, which could lead to environment compromise if done maliciously.
Triggers
- A new Partner entity is added to the environment with the ability to manage, configure, and support Azure services on the organization’s behalf.
Possible Root Causes
- Partner is added to the organization maliciously, by exploiting an internal admin account.
- Partner is added to the organization with legitimate intent and following a valid request by the management.
Business Impact
- Adding a partner entity to the organization gives that partner the ability to fully manage the environment. These privileges can be abused for complete environment compromise.
Steps to Verify
- Determine if the request to add a partner to the organization was a legitimate action. If not, delete the partner entity and investigate further.
Azure AD New Partner Added to Organization
Possible root causes
Malicious Detection
An attacker with access to an internal admin account may add a partner entity to establish unauthorized control over the organization’s resources. This could enable persistent control and future malicious actions, allowing the attacker to access and manipulate sensitive systems, configurations, or data.
Benign Detection
The addition of a new partner entity may be part of a legitimate partnership or support arrangement. In these cases, the organization’s management may have authorized a trusted partner to perform tasks or maintenance, such as IT support or Azure service management.
Azure AD New Partner Added to Organization
Example scenarios
1. Unauthorized Partner Entity for Persistent Access
An attacker gains control of an internal admin account and uses it to add a partner entity. This allows them to maintain access even if the admin account is revoked.
2. Legitimate IT Support Partner Added
The organization adds a third-party IT service provider as a partner to perform maintenance on Azure AD configurations. This legitimate addition is verified and documented to prevent misuse.
Azure AD New Partner Added to Organization
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Potential Environment Compromise
A partner with full administrative rights can access and modify all aspects of the environment, presenting a serious risk if unauthorized.
Risk of Data and Service Manipulation
The new partner may have the ability to alter configurations or access sensitive data, impacting operational integrity and data privacy.
Compliance Concerns
Unauthorized addition of a partner could breach compliance policies, leading to regulatory exposure if sensitive data is accessed or misused.
Azure AD New Partner Added to Organization
Steps to investigate
Confirm Legitimacy of Partner Addition
Verify that the new partner entity addition aligns with management’s authorization and is part of a legitimate business relationship.
Review Permissions Assigned
Ensure that the permissions granted to the partner entity align with intended responsibilities and do not exceed necessary access levels.
Analyze Recent Admin Account Activity
Review the logs for any recent administrative actions that may suggest the addition was unauthorized or part of a larger compromise.
Monitor for Suspicious Follow-up Actions
Continue to track the new partner entity’s activity to identify any access or changes to sensitive resources that may indicate malicious intent.
Azure AD New Partner Added to Organization
Related detections
FAQs
Why would adding a partner entity be considered suspicious?
The addition of a partner entity grants significant permissions, which can be exploited if the entity was added without proper authorization.
How can this detection indicate an attack?
Attackers may use this method to create a lasting access point, leveraging partner permissions for continued control over an environment.
Can legitimate IT tasks trigger this detection?
Yes, legitimate partners may be added for IT support or service management, but such actions should always follow documented authorization protocols.
What is the first step in investigating this detection?
Confirm with management if the partner addition was requested and authorized, then verify assigned permissions.
What potential data risks come with unauthorized partner access?
An unauthorized partner can access and manipulate sensitive data, leading to data leaks, loss of integrity, and potential exposure of confidential information.
Could this detection impact compliance?
Unauthorized additions could breach data access policies, leading to compliance violations if regulatory data is accessed improperly.
Is the detection always malicious?
Not necessarily; benign actions can also trigger this detection, particularly when adding new IT partners or service providers.
What permissions are commonly associated with new partners?
Partners often receive broad permissions to support and manage services, which can include data access, configuration controls, and administrative tasks.
How does this detection protect against insider threats?
By alerting to unexpected partner additions, it helps prevent insiders from adding unauthorized external entities with excessive access.
Are there other related detections for external threats?
Yes, detections such as Azure AD Suspicious OAuth Application and Cross Tenant Access Change can also identify external or cross-tenant risks.