Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence
ID: 22ff7620-2754-5159-9870-09d3af2c5eaf
STIX ID: report--22ff7620-2754-5159-9870-09d3af2c5eaf
Feed Name: Datadog Security Labs
This Datadog Security Labs report analyzes how Microsoft Entra ID Administrative Units (AUs) can be legitimately used for least-privilege management but also abused by attackers with Global Administrator or Privileged Role Administrator privileges. Restricted management AUs can make backdoor accounts difficult for tenant-wide admins to modify or remove, while hidden membership AUs can conceal which users are in scope for scoped role assignments. The report includes reproduction steps, Stratus Red Team emulations, detection recommendations using Entra audit logs, and remediation/playbook guidance.
