Query Details

PIM Role Activation Followed by Non-Interactive Token Use

12 PIM Abuse Non Interactive Admin Action

Query

let PIMActivations =
    AuditLogs
    | where TimeGenerated > ago(2h)
    | where OperationName has "Add member to role completed (PIM activation)"
    | extend UPN = tostring(InitiatedBy.user.userPrincipalName)
    | where isnotempty(UPN)
    | project
        ActivationTime = TimeGenerated,
        UPN,
        RoleName       = tostring(TargetResources[0].displayName);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(2h)
| where ResultType == 0
| join kind=inner PIMActivations on $left.UserPrincipalName == $right.UPN
| where TimeGenerated > ActivationTime
   and  (TimeGenerated - ActivationTime) < 30m
| project
    NISignInTime       = TimeGenerated,
    ActivationTime,
    UserPrincipalName,
    RoleName,
    AppDisplayName,
    IPAddress,
    Location,
    TimeSincePIMActivation = (TimeGenerated - ActivationTime)
| order by NISignInTime desc

Explanation

This query is designed to detect potentially suspicious activity involving the use of Privileged Identity Management (PIM) in Azure Active Directory. Here's a simple breakdown of what it does:

  1. Purpose: It looks for instances where a user activates a privileged role using PIM and then quickly uses a non-interactive token from that elevated session within 30 minutes. This behavior might suggest that someone is trying to temporarily elevate their privileges and perform administrative tasks without being noticed.

  2. Data Sources: The query uses data from Azure Active Directory, specifically:

    • Audit logs to track PIM role activations.
    • Non-interactive user sign-in logs to find token usage.
  3. Detection Logic:

    • It first identifies PIM role activations within the last two hours.
    • Then, it checks for non-interactive sign-ins by the same user within 30 minutes after the role activation.
    • If such activity is found, it suggests a potential misuse of PIM.
  4. Severity and Alerts: The query is set to a high severity level, indicating the importance of the detected activity. If the query finds any matches, it triggers an alert with details about the user, role, application, and IP address involved.

  5. MITRE ATT&CK Techniques: The query is associated with techniques like Valid Accounts (T1078), Account Manipulation (T1098), and Access Token Manipulation (T1134), which are common tactics used by attackers.

  6. Incident Management: If an alert is generated, it can create an incident in the monitoring system, allowing security teams to investigate further.

In summary, this query helps identify potential abuse of privileged roles in Azure by detecting quick, non-interactive token usage after a PIM role activation, which could indicate unauthorized administrative actions.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AuditLogsAADNonInteractiveUserSignInLogs

Keywords

PrivilegedIdentityManagementUserTokenRoleAccountIPLocationApp

Operators

letwhereagohasextendtostringisnotemptyprojectjoinkindon==>and<order bydesc

Severity

High

Tactics

PrivilegeEscalationPersistenceDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub