When a new user account is created and immediately assigned an administrative role, it can indicate that an attacker with existing admin access is establishing a backdoor — a secondary account they control that they can use to maintain access even if the primary compromised account is detected and remediated.
Legitimate user creation followed by admin role assignment does happen in normal operations, but it's a relatively rare combination that should always have a clear business justification. An attacker who has obtained Global Admin access will often create a new account with a plausible-sounding name, assign it admin rights, and use it as a persistent foothold that doesn't draw attention the way continued use of the original compromised account might.
This is particularly dangerous because the new account may not be subject to the same monitoring, MFA policies, or Conditional Access rules as established accounts, especially if it's created just before those policies would apply.
Legitimate scenarios for creating a user and immediately assigning an admin role include:
In all cases, there should be a corresponding onboarding ticket, change request, or approval record. The account should follow your naming conventions, be assigned to a real person or documented service purpose, and be subject to MFA and Conditional Access from the outset.
Overe Auto-Response: The User Account Created and Made Admin alert can be configured in Overe to trigger automatic session revocation or account block when this combination of events is detected. Review your Auto-Response settings under Org Config > Auto-Response — given the backdoor risk, an automated response for this alert type is strongly recommended.
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
After investigating a new admin account creation alert, review these related risk areas: