Provisioning Service Silence - Busy Job Stopped
06 AAD Prov Service Silence
Query
let Baseline =
AADProvisioningLogs
| where TimeGenerated between (ago(7d) .. ago(2h))
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize BaselinePerHour = count() / 168.0 by JobId, SPName
| where BaselinePerHour >= 100;
let Recent =
AADProvisioningLogs
| where TimeGenerated > ago(2h)
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize RecentEvents = count() by JobId, SPName;
Baseline
| join kind=leftouter (Recent) on JobId, SPName
| extend RecentEvents = coalesce(RecentEvents, 0)
| where RecentEvents == 0
| project JobId, SPName, BaselinePerHour, RecentEvents,
DropRatio = 1.0,
AlertReason = strcat("Job baseline ", round(BaselinePerHour,0), "/hr but 0 events in last 2h")
| order by BaselinePerHour descExplanation
This query is part of a scheduled task designed to monitor Azure Active Directory provisioning jobs. Here's a simple breakdown of what it does:
-
Purpose: The query checks for provisioning jobs that were previously active (producing at least 100 events per hour over the past 7 days) but have suddenly stopped producing any events in the last 2 hours. This sudden silence could indicate potential issues such as credential theft, sabotage, or a broken connector.
-
Data Source: It uses data from Azure Active Directory provisioning logs.
-
Process:
- Baseline Calculation: It calculates the average number of events per hour for each job over the past 7 days.
- Recent Activity Check: It checks for any events in the last 2 hours.
- Comparison: It identifies jobs that had a high baseline activity but have zero events in the recent 2-hour window.
-
Alert Generation: If a job meets the criteria (high baseline but no recent events), it generates an alert. The alert includes details like the job ID, service principal name, baseline activity rate, and a reason for the alert.
-
Severity and Tactics: The alert is marked with a medium severity and is associated with tactics like Defense Evasion and Impact, referencing specific MITRE ATT&CK techniques.
-
Incident Management: The query is configured to create incidents for these alerts, with options for grouping related alerts into a single incident.
In summary, this query helps detect potential issues in Azure AD provisioning jobs by identifying when a job that was previously busy suddenly stops, which could indicate a problem that needs attention.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 7d