Mass User Deletion via Provisioning
03 AAD Prov Mass Deletion
Query
AADProvisioningLogs
| where TimeGenerated > ago(1h)
| where ResultType =~ "Success"
| where ProvisioningAction in~ ("Delete", "StagedDelete")
or OperationName has_any ("Delete", "Remove")
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| extend InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName)
| extend InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
| extend TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName)
| summarize
DeletedCount = count(),
Targets = make_set(TargetUpn, 30),
Jobs = make_set(JobId, 10),
Initiators = make_set(coalesce(InitiatorUpn, InitiatorApp), 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SPName
// Conservative: 5/hour is well above legitimate scheduled-purge spikes
| where DeletedCount >= 5
| order by DeletedCount descExplanation
This query is designed to detect unusual activity in Azure Active Directory (AAD) where five or more user accounts are deleted via provisioning actions within a one-hour period. Normally, user accounts are disabled first and only deleted after a retention period, so a sudden spike in deletions could indicate a problem, such as an error in data processing or a malicious attempt to remove accounts.
Here's a simple breakdown of the query:
-
Purpose: To identify when five or more user accounts are deleted through provisioning actions in AAD within an hour, which is considered abnormal.
-
Data Source: It uses logs from Azure Active Directory, specifically the
AADProvisioningLogs. -
Conditions:
- The action must have occurred in the last hour.
- The result of the action must be successful.
- The action type should be either "Delete" or "StagedDelete".
-
Output:
- Counts the number of deletions.
- Lists the user accounts affected.
- Identifies who initiated the deletions.
- Records the time range during which these deletions occurred.
-
Alerting:
- If five or more deletions are detected, an alert is triggered.
- The alert includes details like the number of accounts deleted and the service responsible.
-
Severity and Tactics:
- The severity of this alert is marked as high.
- It relates to tactics like account access removal and data destruction, as per MITRE ATT&CK framework.
-
Incident Management:
- If an alert is triggered, an incident is created.
- Incidents are grouped by the cloud application responsible for the deletions.
This query helps in monitoring and responding to potential security threats or operational issues related to user account management in Azure Active Directory.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h