Query Details

PIM Role Activation Followed by ADFS Sign-In

20 ADFS PIM Activation Federation Abuse

Query

let PIMActivations =
    AuditLogs
    | where TimeGenerated > ago(2h)
    | where OperationName has "Add member to role completed (PIM activation)"
    | extend UPN = tostring(InitiatedBy.user.userPrincipalName)
    | where isnotempty(UPN)
    | project
        ActivationTime = TimeGenerated,
        UPN,
        RoleName = tostring(TargetResources[0].displayName);
ADFSSignInLogs
| where TimeGenerated > ago(2h)
| where ResultType == 0
| join kind=inner PIMActivations on $left.UserPrincipalName == $right.UPN
| where TimeGenerated > ActivationTime
   and  (TimeGenerated - ActivationTime) < 30m
| project
    ADFSSignInTime     = TimeGenerated,
    ActivationTime,
    UserPrincipalName,
    RoleName,
    AppDisplayName,
    IPAddress,
    Location,
    AuthenticationRequirement,
    TimeSincePIM       = (TimeGenerated - ActivationTime)
| order by ADFSSignInTime desc

Explanation

This query is designed to detect suspicious activity involving the use of Azure AD Privileged Identity Management (PIM) and Active Directory Federation Services (ADFS). Here's a simple breakdown:

  1. Purpose: The query identifies instances where a user activates a privileged role using Azure AD PIM and then logs in through ADFS within 30 minutes. This pattern suggests potential misuse of elevated privileges, possibly indicating that an attacker has gained unauthorized access.

  2. Data Sources: It uses data from Azure Active Directory, specifically the ADFSSignInLogs and AuditLogs.

  3. Process:

    • It first looks for PIM role activations in the last 2 hours.
    • Then, it checks for successful ADFS sign-ins within the same timeframe.
    • It matches these sign-ins to the PIM activations to see if they occurred within 30 minutes after the role was activated.
  4. Output: If such a sequence is detected, it logs details like the time of ADFS sign-in, the role activated, the user's principal name, IP address, and location.

  5. Severity and Response: The alert is marked as high severity, indicating a significant security concern. If triggered, it creates an incident for further investigation.

  6. Security Implications: This pattern is associated with privilege escalation and lateral movement tactics, which are common in cyber attacks where attackers aim to gain higher access and move within a network.

Overall, the query helps security teams quickly identify and respond to potential security breaches involving elevated privileges and federated authentication.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogsAuditLogs

Keywords

UserAzureADPrivilegedIdentityManagementADFSFederationAccountRoleActivationPrivilegesLogsTimeGeneratedOperationNameInitiatedByUserPrincipalNameTargetResourcesDisplayNameResultTypeAppDisplayNameIPAddressLocationAuthenticationRequirement

Operators

let|where>agohasextendtostringisnotemptyproject==joinkind=inneron$and-<order bydesc

Severity

High

Tactics

PrivilegeEscalationLateralMovementPersistence

MITRE Techniques

Frequency: 30m

Period: 2h

Actions

GitHub