diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml new file mode 100644 index 000000000..712a9aaaa --- /dev/null +++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml @@ -0,0 +1,22 @@ +title: Azure Subscription Permission Elevation Via ActivityLogs +id: 09438caa-07b1-4870-8405-1dbafe3dad95 +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +logsource: + product: azure + service: azure.activitylogs +detection: + selection1: + properties.message: + - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + condition: selection1 +level: high +falsepositives: + - If this was approved by System Administrator. +tags: + - attack.initial_access + - attack.t1078 diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml new file mode 100644 index 000000000..798468f2d --- /dev/null +++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml 
@@ -0,0 +1,22 @@ +title: Azure Subscription Permission Elevation Via AuditLogs +id: ca9bf243-465e-494a-9e54-bf9fc239057d +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation +logsource: + product: azure + service: azure.auditlogs +detection: + selection: + Category: 'Administrative' + OperationName: 'Assigns the caller to user access admin' + condition: selection +level: high +falsepositives: + - If this was approved by System Administrator. +tags: + - attack.initial_access + - attack.t1078
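Review bot: In the azure_subscription_permissions_elevation_via_activitylogs.yml hunk, the tags map an elevate-access event only to `attack.initial_access`, although the behaviour the description itself names (a user elevated to manage all Azure subscriptions) is privilege escalation; add `attack.privilege_escalation` next to `attack.t1078`, which MITRE lists under that tactic as well. Two smaller points in the same hunk: `properties.message` is written as a one-item list and can be a plain scalar (`properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION`), and the selection is named `selection1` while the sibling AuditLogs rule in this patch uses `selection`; pick one name for the pair. The description would also benefit from one sentence on collection: Azure records the elevateAccess operation in the tenant-level (directory) activity log rather than in any single subscription's activity log, so a subscription-scoped export will never contain this event and the rule will silently never fire.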
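Review bot: In the azure_subscription_permissions_elevation_via_auditlogs.yml hunk, the detection keys on an exact human-readable activity string, `OperationName: 'Assigns the caller to user access admin'`, rather than a stable operation identifier; Sigma string matching is case-insensitive, but any rewording of that display name breaks the rule without an error. Either confirm the string against a captured Azure AD audit log entry and say so in the references (the linked Microsoft page is the only source cited), or loosen the match to `OperationName|contains: 'user access admin'`. The tags have the same gap as an elevation event deserves: `attack.privilege_escalation` belongs alongside `attack.t1078`. Lastly, this file and its ActivityLogs sibling carry identical description and falsepositives text; a short note in each description on which log source it expects (Azure AD audit logs here, Azure activity logs there) would make the pair easier to deploy, since only the title currently carries that distinction.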