Bulk Attribute Churn on Privileged Target
05 AAD Prov Attribute Churn Privileged
Query
let PrivilegedUsers =
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where isnotempty(AssignedRoles) and AssignedRoles != "[]"
| project AccountUPN, AssignedRoles;
AADProvisioningLogs
| where TimeGenerated > ago(1h)
| where ResultType =~ "Success"
| where ProvisioningAction in~ ("Update","Other")
| extend TargetUpn = tostring(parse_json(TargetIdentity).userPrincipalName)
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| where isnotempty(TargetUpn)
| join kind=inner (PrivilegedUsers) on $left.TargetUpn == $right.AccountUPN
| mv-expand Mod = todynamic(ModifiedProperties)
| extend PropName = tostring(Mod.displayName),
OldValue = tostring(Mod.oldValue),
NewValue = tostring(Mod.newValue)
| where isnotempty(PropName)
| summarize
AttributesChanged = dcount(PropName),
Props = make_set(PropName, 20),
ChangeId_count = dcount(ChangeId),
AssignedRoles = any(AssignedRoles),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by TargetUpn, SPName
// 5 attribute changes in 1h against a privileged user is highly unusual
| where AttributesChanged >= 5
| order by AttributesChanged descExplanation
This query is designed to detect suspicious activity involving privileged user accounts in Azure Active Directory. Here's a simplified breakdown:
-
Purpose: The query identifies cases where five or more attribute changes are made to a single privileged user account within one hour. This is considered unusual and could indicate a potential account takeover attempt.
-
Target: It focuses on users with directory roles in Entra ID, which means they have elevated privileges.
-
Attributes Monitored: The query looks for changes in attributes like
ProxyAddresses,UserPrincipalName,OnPremisesImmutableId, MFA phone, MFA email, orOtherMails. These changes could be used by attackers to manipulate account settings or intercept communications. -
Data Source: It uses logs from Azure Active Directory provisioning activities to track changes.
-
Detection Logic:
- It first identifies privileged users by checking their assigned roles.
- It then looks at provisioning logs from the past hour to find successful updates or other actions on these users.
- It counts the number of different attributes changed for each user.
- If a user has five or more attribute changes within an hour, it flags this as suspicious.
-
Alerting: If such activity is detected, an alert is generated with details about the user, the service principal involved, and the specific attributes changed. This alert is considered high severity due to the potential risk of account takeover.
-
Incident Management: The system can automatically create an incident for further investigation, grouping related alerts to provide a comprehensive view of the potential threat.
Overall, this query helps security teams quickly identify and respond to potential security threats involving privileged accounts in their Azure environment.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h