Tenant Admin Group
The tenant admin group is a hidden group in O365 that is only visible in the Exchange portal. All Global Admins are added to this group behind the scenes.
This is why you see a number of built-in alerts in Sentinel that look for the "TenantAdmins" group.
Check out the query below that begins the "User added to Azure Active Directory Privileged Groups" alert.
As you investigate this query, you may see someone being added to the TenantAdmins group even though you cannot find that group when you search for it in your tenant.
Below you can see a detection for this alert, although the TenantAdmins group would not be found if you searched for it in Entra.
To find this group, go to the Exchange Admin Center > Admin roles, then search for TenantAdmins and you'll see a group named TenantAdmins_{ID}. This ID seems to be unique to each organization.
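When triaging one of these detections, a query like the following lists each addition to TenantAdmins with the account that was added and who initiated it. This is an added example, not the Sentinel rule itself or code from the original page; it assumes the standard `AuditLogs` table, that the group name is carried in the `Role.WellKnownObjectName` modified property, and a 30-day lookback chosen for illustration.

```kql
// Added example: additions to the "TenantAdmins" group recorded in the Entra ID audit log.
// Assumption: the group name appears in the "Role.WellKnownObjectName" modified property.
AuditLogs
| where TimeGenerated > ago(30d)                 // lookback window is an arbitrary choice
| where Category =~ "RoleManagement"
| where OperationName has "Add member to role"
// Expand the target resources and keep the user that was added
| mv-apply Target = TargetResources on (
    where tostring(Target.type) =~ "User"
    | extend TargetUser = tostring(Target.userPrincipalName),
             ModifiedProps = Target.modifiedProperties
  )
// Expand the modified properties and pull out the group name
| mv-apply Prop = ModifiedProps on (
    where tostring(Prop.displayName) =~ "Role.WellKnownObjectName"
    | extend GroupName = trim('"', tostring(Prop.newValue))
  )
| where GroupName =~ "TenantAdmins"
// The initiator is either a user or an application, so surface both
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatedByApp  = tostring(InitiatedBy.app.displayName),
         InitiatedByIp   = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, OperationName, Result, TargetUser, GroupName,
          InitiatedByUser, InitiatedByApp, InitiatedByIp, CorrelationId
| order by TimeGenerated desc
```

Each `TargetUser` returned should correspond to a Global Admin assignment you can account for; the `CorrelationId` ties the row back to the full audit event.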
Further reading:
- https://answers.microsoft.com/en-us/msoffice/forum/all/membership-of-tenantadmins-group/9a9bfa87-b815-44c7-9166-55a21f7e78cf
- Here is that example rule on the Sentinel GitHub: https://github.com/Azure/Azure-Sentinel/blob/7f1b9e743f19f4a084c946e7152ab79a56d71b0e/Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml#L2