title: Trusted Relationship (T1199)
id: df00tech-t1199
status: experimental
description: "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third-party relationships abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. These relationships include IT services contractors, managed security providers, and infrastructure contractors. In Office 365 and Azure AD environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant."
references:
  - https://attack.mitre.org/techniques/T1199/
  - https://df00tech.com/detections/T1199
author: df00tech
date: 2026/04/19
tags:
  - attack.t1199
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
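  # Placeholder: the detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches any event that has an EventID field, so it does not isolate T1199 activity as written.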
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate MSP or IT service provider onboarding — new partner relationships being established with proper change management approval will trigger delegated admin grant events
  - Authorized Azure AD B2B guest user provisioning for vendors or contractors accessing collaboration tools like Teams or SharePoint
  - "Microsoft first-party service accounts (e.g., Microsoft Support, Intune Service Principal) appearing as cross-tenant sign-ins when performing tenant management actions"
  - Scheduled MSP maintenance windows where service provider accounts access privileged resources as part of contracted SLA obligations
  - Security team adding an MSSP or MDR provider with the Global Reader or Security Reader role for monitoring purposes
level: high
