Unlocking Microsoft Entra’s Elevated Access Logs: Better Security, Better Insights

Sebastian F. Markdanner
Feb 18
13 min read

Elevating access to manage Azure subscriptions is a valuable tool for administrators, particularly when dealing with unknown or orphaned subscriptions. However, with no built-in restrictions on when or how long this access can be used, monitoring these events is critical to maintaining security and accountability.

Futuristic lock icon on a circuit board, with glowing effects. Text: Unlocking Microsoft’s Elevated Access Logs: Better Security, Better Insights.

Global administrators occasionally need to enable Elevated Access in Microsoft Entra to manage Azure subscriptions, but without proper oversight, this level of access can pose a significant security risk. Ensuring visibility and control over when, why, and by whom access is granted is essential for preventing misuse and maintaining compliance.

Fortunately, Microsoft provides multiple ways to monitor Elevated Access, and with the recent addition of these events to Microsoft Entra’s directory logs, tracking them has become even easier.

In this post, I’ll walk through the available monitoring options and how to configure them.

What Is Elevated Access In Microsoft Entra?
- The Azure Hierarchy – Where Elevated Access Fits
- What Elevated Access Actually Lets You Do
When Do You Need Microsoft Entra Elevated Access?
How to Use Elevated Access in Microsoft Entra
- Enabling Elevated Access
- Removing Elevated Access
  - Disabling Elevated Access via Entra or Azure Portal
  - Disabling Elevated Access via REST API
    - Remove-ElevatedAccess Powershell script
Monitoring Elevated Access with Entra Audit Logs, Azure Activity Logs & Microsoft Sentinel
Final Thoughts: Keeping Elevated Access in Check

What Is Elevated Access In Microsoft Entra?

Elevated Access allows a Global Administrator in Microsoft Entra to temporarily gain control over all Azure subscriptions within a tenant. This works by assigning them the User Access Administrator role at the root scope (/) in Azure.

The Azure Hierarchy – Where Elevated Access Fits

Azure follows a structured hierarchy:

Root (/) – The highest level of scope - This is where the Elevated Access super access fits
Root management group
Management group
Subscription
Resource group
Resource

Permissions in Azure are inherited, meaning that if a user is assigned a role at the management group level, that permission cascades down to all subscriptions and resources under it.

Microsoft Entra, which serves as the identity and directory service for the entire cloud environment, sits at the very top. But Elevated Access takes things even further, granting a Global Administrator the ability to assign any role, at any level, across all subscriptions.

For a better understanding of how these layers interact, take a look at the diagram below:

Diagram showing Microsoft Entra tenant hierarchy with roles, root management group, management group, subscription, and resource group.

Source: Microsoft Learn: Elevate access to manage all Azure subscriptions and management groups

What Elevated Access Actually Lets You Do

Now, here’s the kicker: Elevated Access doesn’t immediately let an admin start modifying Azure resources. However, it does allow them to assign roles—including highly privileged ones like Owner—to themselves or others. And with the Owner role, well… that’s basically full control of everything.

This is why Elevated Access should never be left enabled indefinitely. It’s a powerful tool, but without monitoring, it can quickly turn into a security liability.

When Do You Need Microsoft Entra Elevated Access?

By now, you probably have a good idea of when this feature might be useful. But to make it crystal clear, here are some common real-world scenarios where Elevated Access is essential.

Access to user-created subscriptions

If users are allowed to create their own Azure subscriptions, admins aren’t automatically granted access. This can lead to visibility gaps where subscriptions exist, but IT has no control over them. Elevated Access allows admins to regain oversight and manage these subscriptions properly.

Break-glass for locked or orphaned subscriptions

If a user gets locked out of a subscription or the owner leaves the company, there may be no one left with the right permissions. Elevated Access restores control, allowing admins to reassign roles and ensure business continuity.

Managing root-level permissions

Some applications, such as my role assignment app, require permissions at the root management group level to function correctly. Elevated Access provides temporary access to configure these types of services without permanent role assignments.

Monitoring for shadow subscriptions

Since Elevated Access provides read permissions on all subscriptions, it helps detect shadow subscriptions—those created accidentally or maliciously. If an attacker or an employee with excessive privileges creates a hidden subscription, it could lead to security risks or unexpected costs. Elevated Access lets admins identify and shut these down before they become a problem.

One-time root-level admin configurations

Sometimes, a C-level executive requests a global administrator to create a new management group or make a one-time configuration change at the root level. If the admin doesn’t typically manage Azure, Elevated Access allows them to complete the task without requiring long-term permissions.

These are the most common scenarios, but as always, with great power comes great responsibility. Elevated Access should only be used when absolutely necessary and disabled immediately afterward to reduce risk.

How to Use Elevated Access in Microsoft Entra

Enabling Elevated Access is straightforward and can be done through the Microsoft Entra portal, the Azure portal, or the REST API. However, keep in mind that Elevated Access is a per-user setting, meaning it can only be enabled for the currently signed-in user—you can’t assign it to someone else.

Enabling Elevated Access

Option 1: Entra Portal

Sign in to the Microsoft Entra admin center.
Navigate to Identity > Properties.
Under Access management for Azure resources, toggle the setting to Yes.
Click Save.

Admin center interface showing Contoso tenant properties. Settings include name, region, and contact info. Sidebar highlights 'Overview'.

Option 2: Azure Portal

Sign in to the Azure portal.
Search for Microsoft Entra ID using the search bar.
Navigate to Properties and follow the same steps as in the Entra portal.

Microsoft Azure Contoso Overview page. Side menu highlights Properties. A search dropdown shows "Microsoft Entra ID" under Recent services.

This method works identically to the Entra portal, but some admins may find it more convenient within the Azure interface.

Option 3: Rest API

For those who prefer automation, Elevated Access can also be enabled via the Azure REST API using PowerShell, I've created the following script, which is also available on my GitHub,

Enable-ElevatedAccess Powershell script

<#
.SYNOPSIS
    Enables Microsoft Entra Elevated Access (User Access Administrator role) for the currently authenticated user.

.DESCRIPTION
    This script automates the process of enabling Elevated Access in Entra by calling the elevateAccess
    REST API endpoint. When successful, it grants the User Access Administrator role at the root scope ("/")
    to the currently authenticated user. This elevated access should be removed after use for security best practices.

.EXAMPLE
    .\Enable-ElevatedAccess.ps1
    Enables elevated access for the currently authenticated user.

.NOTES
    Author: Sebastian Flæng Markdanner
    Website: https://chanceofsecurity.com
    Version: 1.1
    Last Updated: 2025-02-16
    
    Requirements:
    - Azure PowerShell Module (Az)
    - User must be an Entra ID Global Administrator
#>

# Step 1: Ensure required modules are installed
if (-not (Get-Module -ListAvailable -Name Az.Accounts)) {
    Write-Host "📦 Installing Az PowerShell module..." -ForegroundColor Yellow
    Install-Module -Name Az -Scope CurrentUser -Force -AllowClobber
}

# Step 2: Verify/establish Azure connection
if (-not (Get-AzContext)) {
    Write-Host "🔑 No active Azure session found. Initiating login..." -ForegroundColor Yellow
    Connect-AzAccount
}

# Step 3: Define API configuration
$apiVersion = "2016-07-01"
$managementApiUrl = "https://management.azure.com"
$apiUrl = "$managementApiUrl/providers/Microsoft.Authorization/elevateAccess?api-version=$apiVersion"

# Step 4: Obtain authentication token
Write-Host "🔒 Retrieving authentication token..." -ForegroundColor Yellow
$accessToken = (Get-AzAccessToken -ResourceUrl $managementApiUrl).Token

# Step 5: Prepare request headers
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}

# Step 6: Enable elevated access
Write-Host "⚡ Enabling elevated access..." -ForegroundColor Yellow
try {
    $response = Invoke-RestMethod -Uri $apiUrl -Method Post -Headers $headers
    Write-Host "✅ Elevated access successfully enabled!" -ForegroundColor Green
    Write-Host "   You now have User Access Administrator rights at the root scope." -ForegroundColor Green
    Write-Host "   ⚠️ Remember to remove elevated access when no longer needed!" -ForegroundColor Yellow
    
    # Display response for verification
    $response
}
catch {
    Write-Host "❌ Failed to elevate access: $_" -ForegroundColor Red
    Write-Host "   Common causes:" -ForegroundColor Yellow
    Write-Host "   - User is not an active Entra ID Global Administrator" -ForegroundColor Yellow
    Write-Host "   - Network connectivity issues" -ForegroundColor Yellow
}

This script grants the User Access Administrator role at the root (/) level for the currently authenticated user.

After enabling Elevated Access, refresh your token by signing out and back in, or restarting your browser.

Removing Elevated Access

Once you’re done, Elevated Access should be disabled immediately to minimize security risks. Fortunately, turning it off is just as easy as enabling it.

Disabling Elevated Access via Entra or Azure Portal

If you enabled Elevated Access through the Entra or Azure portal, follow the same steps as enabling it, but this time toggle Access management for Azure resources to No.

After doing so, you’ll see a warning message indicating that at least one user still has Elevated Access.

Microsoft Etra admin center interface showing tenant properties for Contoso. A warning about elevated access is highlighted in red.

We’ll cover how to audit and remove lingering Elevated Access users later.

Disabling Elevated Access via REST API

Unlike the portal method, removing Elevated Access via REST API requires a bit more work:

1. List all active role assignments.

2. Filter out the specific role.

3. Remove the role for the user.

To make this easier, I’ve created a PowerShell script that automates the entire process. It works for both the current user and a specified user and is available on my GitHub.

Remove-ElevatedAccess Powershell script

<#
.SYNOPSIS
    Removes Microsoft Entra Elevated Access (User Access Administrator role) from a specified user or the current user.

.DESCRIPTION
    This script automates the removal of Elevated Access in Entra by removing the User Access Administrator
    role assignment at the root scope ("/"). It uses Azure REST APIs to handle the role management operations.
    
    The script includes a confirmation prompt before removing access, which can be bypassed using the -Force parameter.
    All operations are timestamped for better tracking and auditing.

.PARAMETER UserId
    Optional. The Object ID of the user whose elevated access should be removed.
    If not provided, the script will use the currently authenticated user's ID.
    The script automatically converts User Principal Names (email addresses) to Object IDs.

.PARAMETER Force
    Optional. Switch parameter to bypass the confirmation prompt.

.EXAMPLE
    .\Remove-ElevatedAccess.ps1
    Removes elevated access for the currently authenticated user after confirmation.

.EXAMPLE
    .\Remove-ElevatedAccess.ps1 -UserId "12345678-1234-1234-1234-123456789012"
    Removes elevated access for the specified user ID after confirmation.

.EXAMPLE
    .\Remove-ElevatedAccess.ps1 -UserId "user@domain.com"
    Removes elevated access for the specified user (automatically converts email to Object ID) after confirmation.

.EXAMPLE
    .\Remove-ElevatedAccess.ps1 -Force
    Removes elevated access for the current user without confirmation prompt.

.NOTES
    Author: Sebastian Flæng Markdanner
    Website: https://chanceofsecurity.com
    Version: 1.1
    Last Updated: 2025-02-16
    
    Requirements:
    - Azure PowerShell Module (Az)
    - Active Entra ID Global Administrator Role
#>

[CmdletBinding()]
param(
    [string]$UserId,    # User Object ID for whom to remove elevated access
    [switch]$Force      # Skip confirmation prompt
)

# Add timestamp function
function Get-Timestamp {
    return "[{0:yyyy-MM-dd HH:mm:ss}]" -f (Get-Date)
}

# Ensure Az module is installed
if (-not (Get-Module -ListAvailable -Name Az.Accounts)) {
    Write-Host "📦 Installing Az PowerShell module..." -ForegroundColor Yellow
    Install-Module -Name Az -Scope CurrentUser -Force -AllowClobber
}

# Connect to Azure (if not already authenticated)
if (-not (Get-AzContext)) {
    Write-Host "🔑 No active Azure session found. Initiating login..." -ForegroundColor Yellow
    Connect-AzAccount
}

# Define API URLs and versions
$managementApi = "https://management.azure.com"
$apiVersion = "2022-04-01"
$roleDefinitionApi = "$managementApi/providers/Microsoft.Authorization/roleDefinitions?api-version=$apiVersion&`$filter=roleName+eq+'User Access Administrator'"

# Get access token for Azure Management API
$accessTokenARM = (Get-AzAccessToken -ResourceUrl $managementApi).Token

# Set request headers for Azure ARM API calls
$headersARM = @{
    "Authorization" = "Bearer $accessTokenARM"
    "Content-Type"  = "application/json"
}

# Step 1: Get User Access Administrator Role Definition ID
Write-Host "🔍 Retrieving User Access Administrator role definition..." -ForegroundColor Yellow
$roleResponse = Invoke-RestMethod -Uri $roleDefinitionApi -Method Get -Headers $headersARM
$roleDefinitionId = $roleResponse.value[0].id

if (-not $roleDefinitionId) {
    Write-Host "❌ Failed to retrieve User Access Administrator Role Definition ID." -ForegroundColor Red
    Write-Host "   Please ensure you have sufficient permissions to view role definitions." -ForegroundColor Red
    exit
}

Write-Host "✅ Retrieved User Access Administrator Role ID: $roleDefinitionId" -ForegroundColor Green

# Step 2: Determine the User Object ID
if (-not $UserId) {
    Write-Host "👤 No User ID provided, using currently authenticated user..." -ForegroundColor Yellow
    $currentUser = (Get-AzContext).Account.Id
    
    # Convert UPN to Object ID if the current user is identified by email/UPN
    if ($currentUser -notmatch '^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') {
        Write-Host "🔄 Converting user principal name to Object ID..." -ForegroundColor Yellow
        try {
            $UserId = (Get-AzADUser -UserPrincipalName $currentUser).Id
            if (-not $UserId) {
                throw "Unable to find Object ID for user $currentUser"
            }
        }
        catch {
            Write-Host "❌ Failed to retrieve Object ID for user $currentUser" -ForegroundColor Red
            Write-Host "   Error: $_" -ForegroundColor Red
            exit
        }
    }
    else {
        $UserId = $currentUser
    }
}

if (-not $UserId) {
    Write-Host "❌ Failed to retrieve the user's Object ID. Please provide one manually using the -UserId parameter." -ForegroundColor Red
    exit
}

Write-Host "🔍 Using User Object ID: $UserId" -ForegroundColor Yellow

# Step 3: Get Role Assignments for User at Root Scope using ARM API
Write-Host "🔍 Searching for elevated access role assignments..." -ForegroundColor Yellow
$roleAssignmentsApi = "$managementApi/providers/Microsoft.Authorization/roleAssignments?api-version=$apiVersion&`$filter=principalId+eq+'$UserId'"
$roleAssignmentsResponse = Invoke-RestMethod -Uri $roleAssignmentsApi -Method Get -Headers $headersARM

# Find role assignment for User Access Administrator at "/" scope
$roleAssignment = $roleAssignmentsResponse.value | Where-Object {
    $_.properties.roleDefinitionId -eq $roleDefinitionId -and $_.properties.scope -eq "/"
}

if (-not $roleAssignment) {
    Write-Host "❌ No elevated access role assignments found for removal." -ForegroundColor Red
    Write-Host "   The user either doesn't have elevated access or it was already removed." -ForegroundColor Yellow
    exit
}

$roleAssignmentId = $roleAssignment.name

Write-Host "✅ Found Elevated Access Role Assignment ID: $roleAssignmentId" -ForegroundColor Green

# Step 4: Remove Elevated Access
$removeRoleApi = "$managementApi/providers/Microsoft.Authorization/roleAssignments/$($roleAssignmentId)?api-version=$apiVersion"

Write-Host "🔗 Attempting to remove Elevated Access using URL: $removeRoleApi" -ForegroundColor Cyan

# Add confirmation unless -Force is used
if (-not $Force) {
    $confirmation = Read-Host "Are you sure you want to remove Elevated Access for user $UserId? (Y/N)"
    if ($confirmation -ne 'Y') {
        Write-Host "Operation cancelled by user." -ForegroundColor Yellow
        exit
    }
}

try {
    Invoke-RestMethod -Uri $removeRoleApi -Method Delete -Headers $headersARM | Out-Null
    Write-Host "✅ $(Get-Timestamp) Successfully removed Elevated Access for user: $UserId" -ForegroundColor Green
    Write-Host "   The user no longer has User Access Administrator privileges at the root scope." -ForegroundColor Green
} catch {
    Write-Host "❌ $(Get-Timestamp) Failed to remove Elevated Access for user: $UserId" -ForegroundColor Red
    Write-Host "   Error: $_" -ForegroundColor Red
    Write-Host "   Please ensure you have sufficient permissions to remove role assignments." -ForegroundColor Red
}

Monitoring Elevated Access with Entra Audit Logs, Azure Activity Logs & Microsoft Sentinel

Now that we’ve covered what Elevated Access is, when to use it, and how to enable and remove it, it’s time to talk about monitoring. Visibility is critical when it comes to Elevated Access—after all, it grants broad permissions over your Azure environment.

Fortunately, Microsoft provides multiple ways to track Elevated Access events, making it easier to audit who enabled it, when, and why.

Elevated Access events are logged in two primary locations:

Microsoft Entra Audit Logs
Microsoft Azure Activity Logs

There’s also a new feature currently rolling out that provides a centralized way to monitor users with Elevated Access—let’s call it Entra Elevation Management.

Entra Elevation management is available both from Entra in the Properties blade where we had the option to enable the access, or from any IAM blade in Microsoft Azure:

Entra

Azure IAM

Azure Access Control page showing a warning for elevated access. Features buttons for checking and granting access, and roles overview.

Upon opening the role assignments by clicking on Manage elevated access users or View role assignments respectively, you'll be met by the following fly-out menu allowing you to see users with the access as well as removing the access directly

Interface shows "Users with elevated access" list. Two users with roles as User Access Administrator at root level. Search bar visible.

This feature allows for a quick and easy way to manage access, especially useful for alleviating multiple elevated access permissions in an environment.

With that said, let's dive in to how we can monitor the access, ensuring we've got a handle on this superpower of an access!

Monitoring Elevated Access Via Azure Activity Logs - Step-By-Step

As an Azure admin, you're able to take a gander at the events via the Directory Activity log which, as mentioned above, is a log collection across the whole Azure environment regardless of the subscription you're currently monitoring, providing a quick overview.

To take advantage of these logs follow these steps:

Accessing the portal & subscription
Access the Azure portal and select Subscriptions. Alternatively search for Activity log in the search bar at the top of the screen

Navigating to the activity log
Choose any subscription and navigate to Activity log. To see the logs for the directory, choose the drop down menu showing Activity and choose Directory Activity.

Monitor the Elevated Access events
Here the logs for assigning and removing the elevated access God mode permissions.

In case you're not sure whether the log shows the Elevated Access permission, you can check the log JSON which will include the following lines at the tail end:

    "properties": {
        "requestbody": "{}",
        "eventCategory": "Administrative",
        "entity": "/providers/Microsoft.Authorization",
        "message": "Microsoft.Authorization/elevateAccess/action",
        "hierarchy": ""
    }

Here we can both see the hierarchy level that the permission is set at, as well as which action set the permission, being "Microsoft.Authorization/elevateAccess/action"

These logs aren't exportable as of writing this article (feb. 2025).

Monitoring Elevated Access Via Entra Audit Logs - Step-By-Step

While the Azure Directory Activity Logs provides a fine quick overview for an Azure admin, as an IAM admin, we'd usually want a bit more info, and a way to keep an eye on these sensitive events. Luckily we've got the Entra Audit logs to help us out.

These provide a more detailed log including IP, User agent and ObjectIDs, which we can also configure to be exported for managing via different solutions, such as a SIEM.

To take advantage of these logs follow these steps:

Accessing the Entra portal Audit logs
After signing in to the Entra portal, expand the menu to allow for access to the Monitoring & health menu. Alternatively search for Audit Logs via the search bar on top.

Navigate to and filtering the logs
Choose to open the Monitoring & health menu and access the Audit logs. For a better, and faster, overview you can filter the logs using the filter for Service and setting it to Azure RBAC (Elevated Access)

Monitor the elevation events
The elevation events are visible, both for assigning the role as well as removing it. The log entry provides greater detail, as mentioned earlier

As we're now able to monitor the events manually, let's configure the export to a Log Analytic Workspace and integrate it into Sentinel.

Monitoring Elevated Access With Microsoft Sentinel - Step-By-Step

In today’s increasingly complex IT environments, organizations generate vast amounts of logs around the clock. Manually reviewing these logs is not only overwhelming but also impractical. Fortunately, powerful security tools can help automate monitoring and enhance visibility.

Microsoft Sentinel is one such solution—it provides a centralized security platform to track Elevated Access events, ensuring a comprehensive view of your organization’s security posture. By leveraging Sentinel, you can proactively detect unauthorized access, mitigate risks, and maintain compliance more efficiently.

Follow these steps to configure Microsoft Sentinel for tracking Elevated Access Logs effectively:

Create a Log Analytics Workspace
In the Azure portal, search for and navigate to Log Analytics Workspace. Click Create to create a new Log Analytics Workspace.
Create a Microsoft Sentinel instance
Search for and navigate to Microsoft Sentinel. Click on Create to add Microsoft Sentinel to the newly created Log Analytics Workspace
Adding the Microsoft Entra Connector
1. In the newly created Microsoft Sentinel instance, navigate to the Connector menu and choose Content Hub
2. Search for Microsoft Entra and choose Install to add the connector
Configure exporting of Entra Audit logs
1. In the Entra portal in the Audit logs, choose Export Data Settings
2. Choose + Add diagnostic setting
3. Provide a name for the configuration, choose AuditLogs and under destination choose Send to Log Analytics Workspace
Create Microsoft Sentinel analytics rule
1. Back in the Microsoft Sentinel instance, navigate to Analytics, search for Azure RBAC (Elevate Access) and choose Create Rule
2. Modify the rule as needed, validate and save the rule.
3. The rule will be visible and modifiable in the Active rules page along your other active analytic rules.
4. Microsoft Sentinel will now collect the data as configured in the Analytics rule

With this configuration, the logs will be collected and retained in the Log Analytics Workspace for 30 days (default), and detected, correlated and grouped by Microsoft Sentinels Analytics rule depending on the configuration.

Final Thoughts: Keeping Elevated Access in Check

Elevated Access is a powerful but risky feature, allowing admins to regain control of subscriptions, manage permissions, and prevent security risks. However, without proper monitoring, it can become a security blind spot.

With the new Entra directory log integration, tracking Elevated Access is easier than ever. Combining Azure Activity Logs, Entra Audit Logs, and Microsoft Sentinel provides a layered approach to monitoring—ensuring visibility, compliance, and security.

Final Thoughts:

Use Elevated Access sparingly. Grant it only when necessary and remove it immediately afterward.
Monitor everything. Use audit logs, activity logs, and Sentinel to track who, when, and why access was granted.
Stay proactive. Implement alerts and automation to reduce risk and detect unauthorized access quickly.