An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant. Once an account holds the global admin role it has almost unlimited access to tenant data and settings, including the ability to reset the passwords of other administrators, so a compromised account with sufficient permissions to assign that role can entrench itself in the tenant.
This account modification may immediately follow Create Account or other malicious account activity.
|ID|Mitigation|Description|
|---|---|---|
|M1032|Multi-factor Authentication|Use multi-factor authentication for user and privileged accounts.|
|M1026|Privileged Account Management|Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.|
|ID|Data Source|Data Component|Detects|
|---|---|---|---|
|DS0002|User Account|User Account Modification|Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts, for example role assignments performed by, or granted to, accounts outside the known set of administrators. Alert when the number of accounts holding an admin role exceeds the expected count of known admins.|
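The detection above, as an added example that is not part of the original page: the script replays a handful of constructed audit records describing role-membership changes, flags any successful Global Administrator assignment performed by or granted to an account outside an allowlist of known admins, and raises a second condition when the replayed membership count exceeds a threshold. The record shape and field names (`operation`, `initiator`, `target`, `role`, `result`) are assumptions that only loosely follow the Entra ID / Azure AD directory audit schema; a real pipeline would map the exported JSON onto these keys. Removals are applied during the replay so the count does not drift upward on legitimate churn.

```python
"""Flag suspicious Global Administrator role assignments from O365 / Entra ID audit records."""
from datetime import datetime

ROLE_GLOBAL_ADMIN = "Global Administrator"
OP_ADD = "Add member to role."
OP_REMOVE = "Remove member from role."

# Constructed sample records for this example. The field names are assumptions
# that approximate the Entra ID directory audit log; they are not the real schema.
SAMPLE_AUDIT_LOG = [
    {"time": "2024-03-01T08:12:00Z", "operation": OP_ADD, "initiator": "alice@contoso.example",
     "target": "bob@contoso.example", "role": ROLE_GLOBAL_ADMIN, "result": "success"},
    {"time": "2024-03-01T09:30:00Z", "operation": OP_ADD, "initiator": "alice@contoso.example",
     "target": "dave@contoso.example", "role": "Helpdesk Administrator", "result": "success"},
    {"time": "2024-03-01T11:05:00Z", "operation": OP_ADD, "initiator": "mallory@contoso.example",
     "target": "svc-backup@contoso.example", "role": ROLE_GLOBAL_ADMIN, "result": "failure"},
    {"time": "2024-03-01T11:06:00Z", "operation": OP_ADD, "initiator": "mallory@contoso.example",
     "target": "svc-backup@contoso.example", "role": ROLE_GLOBAL_ADMIN, "result": "success"},
    {"time": "2024-03-02T07:00:00Z", "operation": OP_REMOVE, "initiator": "alice@contoso.example",
     "target": "bob@contoso.example", "role": ROLE_GLOBAL_ADMIN, "result": "success"},
]

# Hypothetical allowlist and threshold; in practice these come from the tenant's
# documented admin roster and change-management records.
KNOWN_GLOBAL_ADMINS = {"alice@contoso.example", "carol@contoso.example"}
MAX_EXPECTED_GLOBAL_ADMINS = 3


def _parse_time(value):
    # Accept the trailing "Z" form on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_global_admin_abuse(records, known_admins, max_admins, role=ROLE_GLOBAL_ADMIN):
    """Replay role-membership changes in time order and return a list of alerts.

    An alert is raised for a successful assignment of `role` when the initiator or
    the target is outside `known_admins`, or when the replayed membership count
    exceeds `max_admins`. Removals are applied so the count stays accurate, and
    failed attempts and other roles are ignored.
    """
    alerts = []
    members = set(known_admins)
    for rec in sorted(records, key=lambda r: _parse_time(r["time"])):
        if rec["role"] != role or rec["result"] != "success":
            continue
        if rec["operation"] == OP_REMOVE:
            members.discard(rec["target"])
            continue
        if rec["operation"] != OP_ADD:
            continue
        members.add(rec["target"])
        reasons = []
        if rec["initiator"] not in known_admins:
            reasons.append(f"initiator {rec['initiator']} is not a known admin")
        if rec["target"] not in known_admins:
            reasons.append(f"target {rec['target']} is not a known admin")
        if len(members) > max_admins:
            reasons.append(f"{role} count {len(members)} exceeds threshold {max_admins}")
        if reasons:
            alerts.append({"time": rec["time"], "initiator": rec["initiator"],
                           "target": rec["target"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_global_admin_abuse(SAMPLE_AUDIT_LOG, KNOWN_GLOBAL_ADMINS,
                                           MAX_EXPECTED_GLOBAL_ADMINS):
        print(alert["time"], alert["initiator"], "->", alert["target"], "|",
              "; ".join(alert["reasons"]))
```

Two alerts come out of the sample data: the first assignment is performed by a known admin but grants the role to an account not on the roster, and the second is performed by an unknown initiator, targets an unknown service account, and pushes the replayed membership over the threshold. The failed attempt just before it is skipped, and the next day's removal brings the count back down without producing an alert. The allowlist check on the initiator is the one that catches the pattern the description warns about, where a freshly created or compromised account immediately grants itself the role.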