Query Details

PIM Self-Activation of Tier-0 Directory Role

30 PIM Self Activation Tier0role

Query

// Tier-0 / high-impact Entra ID directory roles worth surfacing on PIM activation.
let Tier0Roles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
    "Hybrid Identity Administrator",
    "Domain Name Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator",
    "Conditional Access Administrator"
]);
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has "Add member to role completed (PIM activation)"
| where Result =~ "success"
// The actor is the human who activated the role, not the MS-PIM broker SP.
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend UserId            = tostring(InitiatedBy.user.id)
| extend UserIPAddress     = tostring(InitiatedBy.user.ipAddress)
| where isnotempty(UserPrincipalName)
| extend RoleName = tostring(TargetResources[0].displayName)
| where RoleName has_any (Tier0Roles)
| summarize
    ActivationCount = count(),
    Roles           = make_set(RoleName, 10),
    IPAddresses     = make_set(UserIPAddress, 10),
    FirstActivation = min(TimeGenerated),
    LastActivation  = max(TimeGenerated)
    by UserPrincipalName, UserId
| extend IPAddress = tostring(IPAddresses[0])
| order by LastActivation desc

Explanation

This query is designed to monitor and detect when a user self-activates a high-privilege role in Entra ID (formerly Azure Active Directory) using Privileged Identity Management (PIM). These roles, known as tier-0 roles, include positions like Global Administrator and Privileged Role Administrator, which have significant control over the directory.

Here's a simple breakdown of what the query does:

  1. Role Monitoring: It focuses on specific high-impact roles that are critical to the security and operation of the directory.

  2. Time Frame: The query checks for activations that occurred in the past hour.

  3. Success Check: It filters for successful activations of these roles.

  4. User Identification: The query identifies the actual user who activated the role, not the service principal that technically performs the activation.

  5. Data Collection: It gathers information about the user, including their username, user ID, and IP address.

  6. Role and Activation Details: It collects details about which roles were activated, how many times, and the time of the first and last activation within the query period.

  7. Alerting and Incident Management: If any such activations are detected, the system generates an alert. The alert includes details like the user's name, the roles activated, and the IP address used. It also checks if this activity is part of an authorized change window.

  8. Severity and Tactics: The alert is marked with medium severity and is associated with tactics like privilege escalation and persistence, referencing specific MITRE ATT&CK techniques.

  9. Incident Grouping: If multiple alerts are generated, they can be grouped into a single incident for easier management.

The purpose of this query is to provide visibility into potentially risky activities involving high-privilege roles, allowing security teams to verify whether these actions are legitimate and authorized.

Details

David Alonso profile picture

David Alonso

Released: June 18, 2026

Tables

AuditLogs

Keywords

AuditLogsUserRoleAdministratorIPAddressAccountActivationTimeGenerated

Operators

letdynamichas=~extendtostringisnotemptyhas_anysummarizecountmake_setminmaxbyorder bydesc

Severity

Medium

Tactics

PrivilegeEscalationPersistence

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub