![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 33%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,129 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
You can use event query from Analytics blade to create a Rule which will trigger an Incident if any user gets assigned a Global Administrator (Company administrator) role from Office 365 portal.
Please find below the event rule which you can use on Azure AD Audit logs -
AuditLogs
| where Category == "RoleManagement"
and OperationName == "Add member to role"
and Identity == "Microsoft Office 365 Portal"
and AADOperationType == "Assign"
and TargetResources[0].modifiedProperties[1].newValue contains "Company Administrator"
Once this rule is run Sentinel will display incidents under "Incidents" blade which you can further investigate. You can also modify the above query and the event rule to display only relevant information.
