PIM Role Activation Followed by Non-Interactive Token Use
12 PIM Abuse Non Interactive Admin Action
Query
let PIMActivations =
AuditLogs
| where TimeGenerated > ago(2h)
| where OperationName has "Add member to role completed (PIM activation)"
| extend UPN = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(UPN)
| project
ActivationTime = TimeGenerated,
UPN,
RoleName = tostring(TargetResources[0].displayName);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(2h)
| where ResultType == 0
| join kind=inner PIMActivations on $left.UserPrincipalName == $right.UPN
| where TimeGenerated > ActivationTime
and (TimeGenerated - ActivationTime) < 30m
| project
NISignInTime = TimeGenerated,
ActivationTime,
UserPrincipalName,
RoleName,
AppDisplayName,
IPAddress,
Location,
TimeSincePIMActivation = (TimeGenerated - ActivationTime)
| order by NISignInTime descExplanation
This query is designed to detect potentially suspicious activity involving the use of Privileged Identity Management (PIM) in Azure Active Directory. Here's a simple breakdown of what it does:
-
Purpose: It looks for instances where a user activates a privileged role using PIM and then quickly uses a non-interactive token from that elevated session within 30 minutes. This behavior might suggest that someone is trying to temporarily elevate their privileges and perform administrative tasks without being noticed.
-
Data Sources: The query uses data from Azure Active Directory, specifically:
- Audit logs to track PIM role activations.
- Non-interactive user sign-in logs to find token usage.
-
Detection Logic:
- It first identifies PIM role activations within the last two hours.
- Then, it checks for non-interactive sign-ins by the same user within 30 minutes after the role activation.
- If such activity is found, it suggests a potential misuse of PIM.
-
Severity and Alerts: The query is set to a high severity level, indicating the importance of the detected activity. If the query finds any matches, it triggers an alert with details about the user, role, application, and IP address involved.
-
MITRE ATT&CK Techniques: The query is associated with techniques like Valid Accounts (T1078), Account Manipulation (T1098), and Access Token Manipulation (T1134), which are common tactics used by attackers.
-
Incident Management: If an alert is generated, it can create an incident in the monitoring system, allowing security teams to investigate further.
In summary, this query helps identify potential abuse of privileged roles in Azure by detecting quick, non-interactive token usage after a PIM role activation, which could indicate unauthorized administrative actions.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 2h