wagov / WASOCAutomationPlaybook

For testing playbooks

"Azure AD Role Management Permission Grant" #17

Closed carel-v98 closed 1 year ago

carel-v98 commented 1 year ago

Not sure the reason for having this when we have "Admin promotion after Role Management Application Permission Grant"

DGOV-Bryce commented 1 year ago

From what I can tell looking over the KQL of the alerts, "Azure AD Role Management Permission Grant" furthers its reach to when Delegated Access is granted, too. However, "Admin promotion after Role Management Application Permission Grant" looks for those two specific actions in order, where the previous rule only looks at the initial permission granting action.

They are two somewhat different rules that will overlap, but not always; putting in the same (or similar/expanded) instructions to each would be fine in these cases.
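
A simplified model of the two rules compared above, as an added example that is not part of the original thread and not the rules' actual KQL. The operation names, the permission name, the 24-hour window and every event are assumptions constructed for illustration; the output shows which grants would raise both alerts and which only the grant alert.

```python
from datetime import datetime, timedelta

# Assumed audit operation names and permission; the page does not show the rules' KQL.
ROLE_MGMT_PERMISSION = "RoleManagement.ReadWrite.Directory"
APP_GRANT = "Add app role assignment to service principal"
DELEGATED_GRANT = "Add delegated permission grant"
ROLE_ADD = "Add member to role"

# Constructed events (not real log data): time, operation, actor, target, permission
EVENTS = [
    ("2024-01-01T09:00", APP_GRANT, "admin@example.test", "app-A", ROLE_MGMT_PERMISSION),
    ("2024-01-01T09:20", ROLE_ADD, "app-A", "user1@example.test", None),
    ("2024-01-01T10:00", DELEGATED_GRANT, "admin@example.test", "app-B", ROLE_MGMT_PERMISSION),
    ("2024-01-01T11:00", APP_GRANT, "admin@example.test", "app-C", ROLE_MGMT_PERMISSION),
    ("2024-01-01T12:00", APP_GRANT, "admin@example.test", "app-D", "User.Read.All"),
    ("2024-01-03T12:00", ROLE_ADD, "app-C", "user2@example.test", None),  # too late for the window
]

def parse(events):
    keys = ("time", "op", "actor", "target", "perm")
    return [dict(zip(keys, (datetime.fromisoformat(e[0]),) + e[1:])) for e in events]

def grant_rule(events):
    """Grant-only model: any application or delegated grant of the permission."""
    return {e["target"] for e in events
            if e["op"] in (APP_GRANT, DELEGATED_GRANT) and e["perm"] == ROLE_MGMT_PERMISSION}

def promotion_after_grant_rule(events, window=timedelta(hours=24)):
    """Sequence model: application grant, then that app adds a role member within the window."""
    hits = set()
    for g in events:
        if g["op"] != APP_GRANT or g["perm"] != ROLE_MGMT_PERMISSION:
            continue
        for r in events:
            delta = r["time"] - g["time"]
            if r["op"] == ROLE_ADD and r["actor"] == g["target"] and timedelta(0) <= delta <= window:
                hits.add(g["target"])
    return hits

def overlap(events):
    grants, sequences = grant_rule(events), promotion_after_grant_rule(events)
    return {"both": sorted(grants & sequences), "grant_only": sorted(grants - sequences)}

if __name__ == "__main__":
    print(overlap(parse(EVENTS)))
```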

carel-v98 commented 1 year ago

Will just copy paste relevant parts