Mass User Disable via Provisioning
02 AAD Prov Mass Disable
Query
AADProvisioningLogs
| where TimeGenerated > ago(1h)
| where ResultType =~ "Success"
| where ProvisioningAction =~ "Disable"
or (OperationName has_any ("Disable", "disable") and ProvisioningAction !~ "Other")
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| extend InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName)
| extend InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
| extend TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName)
| extend TargetId = tostring(parse_json(TargetIdentity).id)
| summarize
DisabledCount = count(),
Targets = make_set(TargetUpn, 50),
Jobs = make_set(JobId, 10),
Cycles = make_set(CycleId, 10),
Initiators = make_set(coalesce(InitiatorUpn, InitiatorApp), 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SPName
// Threshold: 10/hour catches deliberate mass-disable while ignoring routine HR-driven offboarding spikes
| where DisabledCount >= 10
| order by DisabledCount descExplanation
This query is designed to detect potential security threats by identifying when 10 or more user accounts are disabled within a single hour through provisioning actions in Azure Active Directory (AAD). This could indicate a mass user disablement attack, which is a tactic used by attackers to lock out legitimate users or prepare for account takeover.
Here's a simplified breakdown of the query:
-
Data Source: It uses logs from Azure Active Directory provisioning actions.
-
Time Frame: It looks at logs from the past hour.
-
Success Check: It filters for provisioning actions that were successful.
-
Action Type: It specifically looks for "Disable" actions, which indicate user accounts being disabled.
-
Data Extraction: It extracts details such as the service principal name (SPName), the initiator's user principal name or app name, and the target user's principal name and ID.
-
Summarization: It counts the number of disable actions and collects details about the targets, jobs, cycles, and initiators involved.
-
Threshold: It flags cases where 10 or more disable actions occur within an hour, which could suggest a deliberate mass-disable attack rather than routine HR-driven actions.
-
Alerting: If the threshold is met, it generates an alert with details about the number of accounts disabled and the service responsible.
-
Incident Management: It creates an incident if such an alert is triggered, grouping related alerts to manage them effectively.
Overall, this query helps security teams identify and respond to potential security incidents involving mass user disablement in a timely manner.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h