
Unlocking Microsoft Entra’s Elevated Access Logs: Better Security, Better Insights

Writer: Sebastian F. Markdanner

Elevating access to manage Azure subscriptions is a valuable tool for administrators, particularly when dealing with unknown or orphaned subscriptions. However, once granted, nothing built in limits when or for how long this access can be used, so monitoring these events is critical to maintaining security and accountability.


Global administrators occasionally need to enable Elevated Access in Microsoft Entra to manage Azure subscriptions, but without proper oversight, this level of access can pose a significant security risk. Ensuring visibility and control over when, why, and by whom access is granted is essential for preventing misuse and maintaining compliance.


Fortunately, Microsoft provides multiple ways to monitor Elevated Access, and with the recent addition of these events to the Microsoft Entra audit logs, tracking them has become even easier.


In this post, I’ll walk through the available monitoring options and how to configure them.


Table of Contents

  1. What Is Elevated Access In Microsoft Entra?

  2. When Do You Need Microsoft Entra Elevated Access?

  3. How to Use Elevated Access in Microsoft Entra

  4. Monitoring Elevated Access with Entra Audit Logs, Azure Activity Logs & Microsoft Sentinel

  5. Final Thoughts: Keeping Elevated Access in Check


What Is Elevated Access In Microsoft Entra?

Elevated Access allows a Global Administrator in Microsoft Entra to temporarily gain control over all Azure subscriptions within a tenant. This works by assigning them the User Access Administrator role at the root scope (/) in Azure.


The Azure Hierarchy – Where Elevated Access Fits

Azure follows a structured hierarchy:

  • Root (/) – the highest scope; this is where the Elevated Access role assignment lives

  • Root management group (Tenant Root Group)

  • Management group

  • Subscription

  • Resource group

  • Resource


Permissions in Azure are inherited, meaning that if a user is assigned a role at the management group level, that permission cascades down to all subscriptions and resources under it.


Microsoft Entra, which serves as the identity and directory service for the entire cloud environment, sits at the very top. But Elevated Access takes things even further, granting a Global Administrator the ability to assign any role, at any level, across all subscriptions.


For a better understanding of how these layers interact, take a look at the diagram below:

Diagram showing Microsoft Entra tenant hierarchy with roles, root management group, management group, subscription, and resource group.

What Elevated Access Actually Lets You Do

Now, here’s the kicker: Elevated Access doesn’t immediately let an admin start modifying Azure resources. What it does grant is read access to everything and the right to assign roles, including highly privileged ones like Owner, to themselves or others at any scope. And with the Owner role, well… that’s basically full control of everything.


This is why Elevated Access should never be left enabled indefinitely. It’s a powerful tool, but without monitoring, it can quickly turn into a security liability.



When Do You Need Microsoft Entra Elevated Access?

By now, you probably have a good idea of when this feature might be useful. But to make it crystal clear, here are some common real-world scenarios where Elevated Access is essential.


Access to user-created subscriptions

If users are allowed to create their own Azure subscriptions, admins aren’t automatically granted access. This can lead to visibility gaps where subscriptions exist, but IT has no control over them. Elevated Access allows admins to regain oversight and manage these subscriptions properly.


Break-glass for locked or orphaned subscriptions

If a user gets locked out of a subscription or the owner leaves the company, there may be no one left with the right permissions. Elevated Access restores control, allowing admins to reassign roles and ensure business continuity.


Managing root-level permissions

Some applications, such as my role assignment app, require permissions at the root management group level to function correctly. Elevated Access provides temporary access to configure these types of services without permanent role assignments.


Monitoring for shadow subscriptions

Since Elevated Access provides read permissions on all subscriptions, it helps detect shadow subscriptions—those created accidentally or maliciously. If an attacker or an employee with excessive privileges creates a hidden subscription, it could lead to security risks or unexpected costs. Elevated Access lets admins identify and shut these down before they become a problem.


One-time root-level admin configurations

Sometimes, a C-level executive requests a global administrator to create a new management group or make a one-time configuration change at the root level. If the admin doesn’t typically manage Azure, Elevated Access allows them to complete the task without requiring long-term permissions.


These are the most common scenarios, but as always, with great power comes great responsibility. Elevated Access should only be used when absolutely necessary and disabled immediately afterward to reduce risk.



How to Use Elevated Access in Microsoft Entra

Enabling Elevated Access is straightforward and can be done through the Microsoft Entra portal, the Azure portal, or the REST API. However, keep in mind that Elevated Access is a per-user setting, meaning it can only be enabled for the currently signed-in user—you can’t assign it to someone else.


Enabling Elevated Access

Option 1: Entra Portal

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to Identity > Properties.

  3. Under Access management for Azure resources, toggle the setting to Yes.

  4. Click Save.

Admin center interface showing Contoso tenant properties. Settings include name, region, and contact info. Sidebar highlights 'Overview'.

Option 2: Azure Portal

  1. Sign in to the Azure portal.

  2. Search for Microsoft Entra ID using the search bar.

  3. Navigate to Properties and follow the same steps as in the Entra portal.

Microsoft Azure Contoso Overview page. Side menu highlights Properties. A search dropdown shows "Microsoft Entra ID" under Recent services.

This method works identically to the Entra portal, but some admins may find it more convenient within the Azure interface.


Option 3: Rest API

For those who prefer automation, Elevated Access can also be enabled via the Azure REST API. I've written a PowerShell script that does this, which is also available on my GitHub:

Enable-ElevatedAccess Powershell script

The script calls the elevateAccess operation, which grants the User Access Administrator role at the root (/) scope to the currently authenticated user. There is no parameter for another user: the API only ever elevates the caller.


After enabling Elevated Access, refresh your token by signing out and back in, or restarting your browser. The access token you already hold was issued before the role assignment existed, so root-scope operations keep failing until you get a new one.



Removing Elevated Access

Once you’re done, Elevated Access should be disabled immediately to minimize security risks. Fortunately, turning it off is just as easy as enabling it.


Disabling Elevated Access via Entra or Azure Portal

If you enabled Elevated Access through the Entra or Azure portal, follow the same steps as enabling it, but this time toggle Access management for Azure resources to No.


The toggle only removes your own assignment. If other administrators still hold Elevated Access, you’ll see a warning message on the same blade indicating that at least one user still has it.

Microsoft Entra admin center interface showing tenant properties for Contoso. A warning about elevated access is highlighted in red.

We’ll cover how to audit and remove lingering Elevated Access users later.


Disabling Elevated Access via REST API

Unlike the portal method, removing Elevated Access via REST API requires a bit more work:

1. List all active role assignments.

2. Filter out the specific role.

3. Remove the role for the user.


To make this easier, I’ve created a PowerShell script that automates the entire process. It works for both the current user and a specified user and is available on my GitHub.

Remove-ElevatedAccess Powershell script
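To show the whole round trip in one place, here is an added, stand-alone example with the Az PowerShell module. It is not the Enable-ElevatedAccess or Remove-ElevatedAccess script linked above. It enables Elevated Access for the caller through the elevateAccess REST operation, re-authenticates, lists everyone holding User Access Administrator at root scope, and then removes the assignment for the current user or for another (lingering) user. It assumes the Az.Accounts and Az.Resources modules, a Global Administrator sign-in, and uses a placeholder UPN for the "other user" case.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example: enable, verify and remove Elevated Access with Az PowerShell.
# Not the author's scripts. Assumes a Global Administrator sign-in; the UPN
# mentioned for the "other user" case is a placeholder.

$RootScope  = '/'
$RoleName   = 'User Access Administrator'
$ElevateUri = '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'

function Get-RootUserAccessAdmins {
    # Every User Access Administrator assignment that lives directly at root scope.
    # Each entry is an elevated access; review every one you did not expect.
    Get-AzRoleAssignment -Scope $RootScope |
        Where-Object { $_.RoleDefinitionName -eq $RoleName -and $_.Scope -eq $RootScope }
}

Connect-AzAccount | Out-Null

# 1. Enable. The POST has no body and always targets the caller; the API cannot
#    elevate someone else. HTTP 200 means the root-scope assignment was created.
$resp = Invoke-AzRestMethod -Method POST -Path $ElevateUri
if ($resp.StatusCode -ne 200) {
    throw "elevateAccess failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# 2. The token you already hold predates the new assignment, so root-scope calls
#    still return 403 until you sign in again (the same reason the portal tells
#    you to sign out and back in).
Disconnect-AzAccount | Out-Null
Connect-AzAccount | Out-Null

# 3. Verify, and spot lingering elevations by other admins while you are here.
Get-RootUserAccessAdmins |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# ... perform the task that needed Elevated Access ...

# 4. Remove. Your own UPN gives the same result as flipping the portal toggle to No;
#    to clean up another admin's lingering elevation, set $target to their UPN
#    (e.g. 'alice@contoso.example', a placeholder).
$target = (Get-AzContext).Account.Id
Remove-AzRoleAssignment -SignInName $target -RoleDefinitionName $RoleName -Scope $RootScope

# 5. Confirm the removal. An empty result is the state you want to leave behind.
$left = Get-RootUserAccessAdmins | Where-Object { $_.SignInName -eq $target }
if ($left) { Write-Warning "Elevated access still present for $target" }
else       { Write-Output  "Elevated access removed for $target" }
```

The Azure CLI equivalents are a POST with az rest to the same /providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01 path, and az role assignment delete with --role "User Access Administrator" --scope "/" for the clean-up. Whichever tool you use, step 3 is the one to keep: listing root-scope User Access Administrators is the quickest way to catch an elevation somebody forgot to remove.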


Monitoring Elevated Access with Entra Audit Logs, Azure Activity Logs & Microsoft Sentinel

Now that we’ve covered what Elevated Access is, when to use it, and how to enable and remove it, it’s time to talk about monitoring. Visibility is critical when it comes to Elevated Access—after all, it grants broad permissions over your Azure environment.


Fortunately, Microsoft provides multiple ways to track Elevated Access events, making it easier to audit who enabled it, when, and why.


Elevated Access events are logged in two primary locations:

  • Microsoft Entra Audit Logs

  • Microsoft Azure Activity Logs


There’s also a new feature currently rolling out that provides a centralized way to monitor users with Elevated Access—let’s call it Entra Elevation Management.


Entra Elevation Management is reachable both from the Entra Properties blade where we enabled the access, and from any Access control (IAM) blade in Microsoft Azure:


Entra

Microsoft Entra admin center displaying "Cloudy With a Chance Of Security" settings. Text warns of 2 users with elevated access.

Azure IAM

Azure Access Control page showing a warning for elevated access. Features buttons for checking and granting access, and roles overview.

Clicking Manage elevated access users (Entra) or View role assignments (Azure IAM) opens the following fly-out, which lists the users holding the access and lets you remove it directly:

Interface shows "Users with elevated access" list. Two users with roles as User Access Administrator at root level. Search bar visible.

This feature gives you a quick and easy way to manage the access, and is especially useful for cleaning up several lingering Elevated Access assignments in one go.

With that said, let's dive into how we can monitor the access and keep a handle on this superpower.



Monitoring Elevated Access Via Azure Activity Logs - Step-By-Step

As an Azure admin, you can view these events in the Directory Activity log. It is a tenant-level log, so it shows the same entries regardless of which subscription you open it from, which makes it a quick first overview.


To take advantage of these logs follow these steps:


  1. Accessing the portal & subscription

    Open the Azure portal and select Subscriptions. Alternatively, search for Activity log in the search bar at the top of the screen.

    Microsoft Azure dashboard with services icons. "Subscriptions" is highlighted. No resources favorited. Links include Microsoft Learn and Azure Monitor.

  2. Navigating to the activity log

    Choose any subscription and navigate to Activity log. To see the logs for the directory, open the drop-down menu showing Activity and choose Directory Activity.

    Azure portal showing Visual Studio Enterprise Subscription activity log. Filters and directory activity selected. Various operations listed.

  3. Monitor the Elevated Access events

    Here you'll find the entries for assigning and removing the Elevated Access (God mode) permission.

    Activity log interface showing operation names and statuses. Highlighted entry: assigns caller User Access Administrator role. White, clean design.
    Summary of a role assignment operation showing details like resource, operation name, timestamp, and initiator's email in a clean layout.

If you're not sure whether an entry is the Elevated Access permission, open its JSON view, which ends with the following lines:

    "properties": {
        "requestbody": "{}",
        "eventCategory": "Administrative",
        "entity": "/providers/Microsoft.Authorization",
        "message": "Microsoft.Authorization/elevateAccess/action",
        "hierarchy": ""
    }

Here we can see both the hierarchy level the permission is set at and the action that set it, "Microsoft.Authorization/elevateAccess/action".


These directory-level logs can't be exported as of writing this article (Feb. 2025).
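What you can do is pull the Directory Activity entries on demand. The following is an added example, not something from the original post: it calls the Azure Monitor "Tenant Activity Logs - List" REST operation (the tenant-level activity log, no subscription in the path) with Az PowerShell, follows the paging, and keeps only entries whose operation or message is Microsoft.Authorization/elevateAccess/action. It assumes that the directory events shown in the portal's Directory Activity view are served by this same operation, and that the signed-in account can read the tenant activity log.

```powershell
#Requires -Modules Az.Accounts
# Added example: pull the tenant-level (Directory) activity log through the
# Azure Monitor "Tenant Activity Logs - List" REST operation and keep the
# elevateAccess entries. Assumption: the directory events shown in the portal's
# Directory Activity view are served by this same operation.

function Get-ElevateAccessEvents {
    param([int]$Days = 30)

    # The API takes an OData $filter on eventTimestamp; build it in UTC.
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $arm   = (Get-AzContext).Environment.ResourceManagerUrl.TrimEnd('/')
    $uri   = "$arm/providers/Microsoft.Insights/eventtypes/management/values" +
             "?api-version=2015-04-01&`$filter=eventTimestamp ge '$since'"

    # Collect every page; the response carries a nextLink while more data exists.
    $events = @()
    while ($uri) {
        $resp = Invoke-AzRestMethod -Method GET -Uri $uri
        if ($resp.StatusCode -ne 200) { throw "HTTP $($resp.StatusCode): $($resp.Content)" }
        $page    = $resp.Content | ConvertFrom-Json
        $events += $page.value
        $uri     = $page.nextLink
    }

    # Match on operationName as well as the properties.message field shown in the
    # portal's JSON view, then flatten the fields an investigator actually wants.
    $action = 'Microsoft.Authorization/elevateAccess/action'
    $events |
        Where-Object { $_.operationName.value -eq $action -or $_.properties.message -eq $action } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.eventTimestamp
                Caller    = $_.caller
                Status    = $_.status.value
                CallerIp  = $_.httpRequest.clientIpAddress
                Hierarchy = $_.properties.hierarchy
            }
        } |
        Sort-Object Time -Descending
}

Connect-AzAccount | Out-Null
Get-ElevateAccessEvents -Days 30 | Format-Table -AutoSize
```

Running this from a scheduled job and storing the output is a workable stop-gap for retaining these events beyond the activity log's own window, but the Entra audit logs in the next section remain the better source, because they can be exported properly and carry more detail per event.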



Monitoring Elevated Access Via Entra Audit Logs - Step-By-Step

While the Azure Directory Activity log gives an Azure admin a quick overview, as an IAM admin we'd usually want more detail and a way to keep an eye on these sensitive events over time. Luckily we've got the Entra audit logs to help us out.


These provide a more detailed record, including the caller's IP address, user agent and object IDs, and they can be exported for handling in other solutions, such as a SIEM.


To take advantage of these logs follow these steps:


  1. Accessing the Entra portal audit logs

    After signing in to the Entra portal, expand the menu to reach the Monitoring & health section. Alternatively, search for Audit logs via the search bar at the top.

    Microsoft Entra admin center dashboard. Tenant info includes name, ID, and domain. Alerts on MSOnline PowerShell retirement. Sidebar navigation shown.

  2. Navigating to and filtering the logs

    Open the Monitoring & health menu and select Audit logs. For a better and faster overview, filter the logs by Service and set it to Azure RBAC (Elevated Access).

    Admin dashboard showing audit logs with various services listed, including Azure RBAC. Dropdown menu highlighted, "Service: All" selected.

  3. Monitor the elevation events

    The elevation events are visible both for assigning the role and for removing it. Each entry provides the greater detail mentioned earlier.

    Audit log page showing Azure RBAC access changes on 2/17/25 at 8:49:08 PM and 8:48:59 PM. Both entries show status as success.
    Audit log details interface showing access elevation to User Access Admin for Azure. Status: success. Date: 2/17/2025, 8:49 PM.

Now that we can monitor the events manually, let's configure the export to a Log Analytics workspace and integrate it with Microsoft Sentinel.



Monitoring Elevated Access With Microsoft Sentinel - Step-By-Step

In today’s increasingly complex IT environments, organizations generate vast amounts of logs around the clock. Manually reviewing these logs is not only overwhelming but also impractical. Fortunately, powerful security tools can help automate monitoring and enhance visibility.


Microsoft Sentinel is one such solution—it provides a centralized security platform to track Elevated Access events, ensuring a comprehensive view of your organization’s security posture. By leveraging Sentinel, you can proactively detect unauthorized access, mitigate risks, and maintain compliance more efficiently.


Follow these steps to configure Microsoft Sentinel for tracking Elevated Access Logs effectively:


  1. Create a Log Analytics Workspace

    In the Azure portal, search for and navigate to Log Analytics workspaces. Click Create to create a new Log Analytics workspace.

    Microsoft Azure interface displaying "Log Analytics workspaces," with a search for "log analytics workspace." Options include services and docs.

  2. Create a Microsoft Sentinel instance

    Search for and navigate to Microsoft Sentinel. Click on Create to add Microsoft Sentinel to the newly created Log Analytics Workspace

    Microsoft Azure interface showing a search for "Sentinel." The Services tab highlights "Microsoft Sentinel." Options for services, marketplace, and documentation are listed.
    Azure interface showing "Add Microsoft Sentinel to a workspace." Table lists details like workspace, location, and subscription.

  3. Adding the Microsoft Entra Connector

    1. In the newly created Microsoft Sentinel instance, navigate to Data connectors and open the Content hub.

      Microsoft Sentinel Data Connectors page showing options like Featured Data Connectors. Menus on the left, with notable blue icons and text.

    2. Search for Microsoft Entra ID and choose Install to add the solution, which includes the data connector.

      Azure interface showing content hub with a highlighted "Microsoft Entra ID" solution, not installed, surrounded by categories and statuses.

  4. Configure exporting of Entra Audit logs

    1. In the Entra portal in the Audit logs, choose Export Data Settings

      Audit log interface displaying two Azure RBAC actions with timestamps, categories, and success status. Button highlighted: Export Data Settings.

    2. Choose + Add diagnostic setting

      Diagnostic settings interface with options to add settings for various logs. "Add diagnostic setting" button is highlighted in blue.

    3. Provide a name for the configuration, choose AuditLogs and under destination choose Send to Log Analytics Workspace

      Microsoft Azure Diagnostic setting page with log options like AuditLogs, sign-in logs, destinations, and a set name field. Options to save or delete.

  5. Create Microsoft Sentinel analytics rule

    1. Back in the Microsoft Sentinel instance, navigate to Analytics, search for Azure RBAC (Elevate Access) and choose Create Rule

      Microsoft Sentinel Analytics interface showing a high severity Azure RBAC rule. Sidebar details rule description, tactics, and allows rule creation.

    2. Modify the rule as needed, validate and save the rule.

      Azure Sentinel screen showing "Analytics rule wizard - Create a new Scheduled rule." Various settings are displayed, with options to save or go back.

    3. The rule will be visible and modifiable in the Active rules page along your other active analytic rules.

      Azure Sentinel Analytics dashboard showing two high-severity active rules. One highlighted: Azure RBAC. Background elements visible.

    4. Microsoft Sentinel will now run the rule's query on the configured schedule against the exported AuditLogs and raise alerts and incidents for matching Elevated Access events.


With this configuration, the logs are collected and retained in the Log Analytics workspace (30 days by default for a plain workspace; 90 days once Microsoft Sentinel is enabled on it), and the Microsoft Sentinel analytics rule detects, correlates and groups the events according to its configuration.
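Before trusting the analytics rule, confirm that the diagnostic setting is actually delivering Elevated Access events to the workspace. The following is an added example (not from the original post or from the Sentinel rule template): it runs the KQL a detection would use, through the Az.OperationalInsights module, and warns when nothing comes back. The resource group and workspace names are placeholders, and it assumes the portal's Service filter maps to the AuditLogs LoggedByService column (it also checks Category, in case the value lands there instead).

```powershell
#Requires -Modules Az.Accounts, Az.OperationalInsights
# Added example: run the Elevated Access detection query against the workspace
# that receives the Entra AuditLogs export. Placeholders: resource group and
# workspace names. Assumption: the portal's "Service" filter corresponds to the
# LoggedByService column; Category is checked as well to be safe.

$ResourceGroup = 'rg-security-monitoring'   # placeholder
$WorkspaceName = 'law-sentinel'             # placeholder

# The same query can be pasted into a custom Scheduled analytics rule if the
# template is not available in your tenant.
$kql = @'
AuditLogs
| where TimeGenerated > ago(30d)
| where LoggedByService has "Elevated Access" or Category has "Elevated Access"
| extend Actor   = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, OperationName, Result, Actor, ActorIp, CorrelationId
| order by TimeGenerated desc
'@

function Get-ElevatedAccessAuditEvents {
    param([string]$ResourceGroupName, [string]$Name, [string]$Query)

    # The query API wants the workspace's customer ID (a GUID), not its ARM name.
    $ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $Name
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $Query).Results
}

Connect-AzAccount | Out-Null
$rows = Get-ElevatedAccessAuditEvents -ResourceGroupName $ResourceGroup -Name $WorkspaceName -Query $kql

if (-not $rows) {
    # Either no one has elevated in 30 days, or the export is not working.
    # Flip the toggle on and off once and re-run to tell the two apart.
    Write-Warning 'No Elevated Access events in AuditLogs. Check the diagnostic setting and allow a few minutes for ingestion.'
} else {
    $rows | Format-Table -AutoSize
}
```

An empty result right after you have toggled Elevated Access yourself is the signal that the export chain (diagnostic setting, AuditLogs category, destination workspace) is broken; fix that before the analytics rule is expected to fire.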



Final Thoughts: Keeping Elevated Access in Check

Elevated Access is a powerful but risky feature, allowing admins to regain control of subscriptions, manage permissions, and prevent security risks. However, without proper monitoring, it can become a security blind spot.


With the new Entra audit log integration, tracking Elevated Access is easier than ever. Combining Azure Activity Logs, Entra audit logs, and Microsoft Sentinel provides a layered approach to monitoring, ensuring visibility, compliance, and security.


Key takeaways:

  • Use Elevated Access sparingly. Grant it only when necessary and remove it immediately afterward.

  • Monitor everything. Use audit logs, activity logs, and Sentinel to track who, when, and why access was granted.

  • Stay proactive. Implement alerts and automation to reduce risk and detect unauthorized access quickly.


And now, as always, another bad joke to lighten your mood!


Why was the computer cold?

It left its Windows open! 😎


Want to level up your Microsoft security game? Stay tuned for my next post—because securing your cloud is a journey, not a destination! 🌍🔐
