Home > Threat Library > Microsoft Entra role with permanent active members

Microsoft Entra role with permanent active members

Cayosoft Threat Definition CTD-000016

Protect Your Active Directory

Tune into Guardians of the Directory Podcast.

Guardians of the Directory

Like This Article?​

Subscribe to our LinkedIn Newsletter to receive more educational content

Risk Summary

Permanent active role assignments might indicate threat activity. If a permanently active privileged account is compromised, an attacker gains immediate and continuous administrative access without just-in-time controls.

  • Severity: High
  • Platform: Entra ID 
  • Category: Privileged Access Management
  • MITRE ATT&CK Tactics: Persistence, Privilege Escalation, Defense Evasion
  • MITRE D3FEND Tactics: User Account Permissions

Description

Permanent active role assignments might be an indication of threat activities. If an account with permanent active role membership is compromised, a threat actor immediately gets access to administrative privileges. Using only time-limited role assignments for administrators increases security posture in your tenant because role activation can be protected with MFA at activation time or approval.

Cayosoft Guardian™

Real-World Scenario

An attacker phishes a helpdesk engineer who has a permanently active Privileged Role Administrator assignment. Because the role is always active, the attacker immediately creates a new global admin, adds a backdoor app role assignment, and disables alerting mailboxes to avoid detection. With continuous privileges, the attacker exfiltrates data and establishes persistence via additional permanent role assignments. Cayosoft Guardian detects the existence of permanent active members and raises CTD-000016 before or during the change review, enabling rapid removal and investigation.

Stop Privilege Escalation—Then Undo It with Cayosoft Guardian

Real-time alerts across AD & Entra ID with one-click rollback.

How to Detect (Cayosoft Guardian)

1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.

2.) View All Alerts and search for CTD-000016 or Microsoft Entra role with permanent active members.

3.) Open any alert and Click for details (from Raise Threat Alert action).

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:
  1. ) Sign in to Microsoft Entra admin center with a user that is a member of the Privileged role administrator role.
  2. ) Open Microsoft Entra Privileged Identity Management.
  3. ) Select Microsoft Entra roles.
  4. ) Select Roles to see the list of roles for Microsoft Entra permissions.
  5. ) Select a role.
  6. ) Switch to the Active assignments tab.
  7. ) To remove assignment click on Remove.

How to Prevent It

  • Enforce PIM: require eligible, time-limited role assignments with approval and MFA on activation.
  • Prohibit permanent active assignments for privileged roles; allow exceptions only for break-glass accounts with strict controls.
  • Run periodic access reviews for privileged roles and remove inactive or unnecessary assignments.
  • Monitor for newly created permanent assignments and alert immediately (Cayosoft Guardian policy CTD-000016).

FAQ

A user or service principal assigned to a role that is always active (not eligible or time-limited), granting continuous privileges.

Yes, but limit them to the minimum, store credentials securely, exclude from conditional access where appropriate, and audit frequently.

Eligible users must activate the role just-in-time, often with approval and MFA, reducing persistence and privilege abuse risk.

References

Final Thought

Proactive monitoring and timely remediation of configuration risks is essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like Microsoft Entra role with permanent active members, you reduce attack surfaces and strengthen your organization’s overall security posture.