diff --git a/AnalyticRules/NRT User elevated access to User Access Administrator for Azure Resources (MCAS).yaml b/AnalyticRules/NRT User elevated access to User Access Administrator for Azure Resources (MCAS).yaml
new file mode 100644
index 0000000..6aae655
--- /dev/null
+++ b/AnalyticRules/NRT User elevated access to User Access Administrator for Azure Resources (MCAS).yaml	
@@ -0,0 +1,55 @@
+id: 0693eef5-6325-4a20-8963-7c05d506f6ef
+name: NRT User elevated access to User Access Administrator for Azure Resources (MCAS)
+version: 1.0.0
+kind: NRT
+description: |-
+  Entra ID Global Administrators can elevate their access to all subscriptions and management groups in a tenant.
+  Elevated access is highly privileged access and might be used to laterally move from Entra ID to Azure resouces.
+  Additional information: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin.
+severity: Medium
+tactics:
+- PrivilegeEscalation
+- Persistence
+relevantTechniques:
+- T1078.004
+query: |-
+  // Detect elevation via MCAS
+  CloudAppEvents
+  | where RawEventData.operationName == "Microsoft.Authorization/elevateAccess/action"
+  | extend EvidenceRole = extract_json('$.evidence.role', tostring(RawEventData.authorization))
+  | project
+      TimeGenerated,
+      Actor = AccountId,
+      OperationName = EvidenceRole,
+      IPAddress,
+      Result = RawEventData.status,
+      LoggedByService = Type
+  | where Result =~ "Succeeded" // Uncomment to detect attempts
+alertDetailsOverride:
+  alertDynamicProperties: []
+customDetails:
+  OperationName: OperationName
+entityMappings:
+- entityType: Account
+  fieldMappings:
+  - identifier: AadUserId
+    columnName: Actor
+- entityType: IP
+  fieldMappings:
+  - identifier: Address
+    columnName: IPAddress
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+    groupByEntities: []
+    groupByAlertDetails: []
+    groupByCustomDetails: []
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+