CrowdStrike has observed the challenges that organizations face auditing Azure AD permissions, which is a time-consuming and complex process. CrowdStrike does not have any attribution and does not know of any connection to SUNBURST at this time. Microsoft Threat Intelligence Center identified a resellers Microsoft. Azure account used for managing CrowdStrikeCrowdStrikes Microsoft Office licenses was observed making abnormal calls to Microsoft. APIs during a 17-hour. period several months ago.”]