Privileged Group Membership Change via Provisioning
04 AAD Prov Privileged Group Change
Query
AADProvisioningLogs
| where TimeGenerated > ago(2h)
| where ResultType =~ "Success"
| extend Target = tostring(parse_json(TargetIdentity).displayName)
| extend TargetType = tostring(parse_json(TargetIdentity).IdentityType)
| extend Modified = tostring(ModifiedProperties)
| where TargetType =~ "Group" or Target has_any ("Admin","Tier0","Sensitive","Privileged","PIM")
| where Modified has_any ("members","memberOf","Members","appRoleAssignments","directoryRoles")
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| extend InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName)
| extend InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
| project TimeGenerated, JobId, CycleId, ChangeId, SPName,
Initiator = coalesce(InitiatorUpn, InitiatorApp),
TargetGroup = Target,
OperationName, ProvisioningAction, ModifiedProperties
| order by TimeGenerated descExplanation
This query is designed to detect changes in membership of privileged groups through provisioning operations, which is unusual and could indicate a security threat. Here's a simple breakdown:
-
Purpose: The query identifies when membership of important security groups (like
Domain Admins,Global Administrators, or any group with names containingAdmin,Tier0,Sensitive, etc.) is altered via provisioning processes. Such changes are not typical and should be investigated immediately. -
Data Source: It uses logs from Azure Active Directory, specifically the
AADProvisioningLogs. -
Frequency: The query runs every hour and checks for changes made in the last two hours.
-
Severity: The alert generated by this query is marked as high severity due to the potential security implications.
-
Detection Logic:
- It looks for successful provisioning operations.
- It checks if the target of these operations is a group with a name indicating high privilege.
- It examines if the changes involve group membership or role assignments.
-
Output: The query lists details like the time of change, the service principal name, the initiator of the change, the target group, and the type of operation performed.
-
Alerting: If such a change is detected, an alert is generated with a specific format, highlighting the service and group involved.
-
Incident Management: The system can create incidents for these alerts, grouping them by the cloud application involved, to help manage and investigate potential security incidents efficiently.
Overall, this query helps in monitoring and securing privileged group memberships by flagging unusual provisioning activities that could be indicative of unauthorized access or privilege escalation attempts.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 2h