Active Directory - Sensitive Group Membership Changes
AD Sensitive Group Changes
Query
// Monitor Active Directory sensitive Group Membership changes
// Active Directory, sensitive groups
let SensitiveGroups = dynamic(["Administrators","Power Users","Account Operators" ,"Server Operators","Print Operators","Backup Operators","Replicators","Network Configuration Operators","Incoming Forest Trust Builders",
"Domain Admins","Domain Controllers","Group Policy Creator Owners","read-only Domain Controllers","Enterprise Read-only Domain Controllers","Enterprise Admins","Schema Admins","Microsoft Exchange Servers"
"Remote Desktop Users","Remote Management Users","DnsAdmins","Protected Users"]);
// Active Directory, custom sensitive groups
let customSensitiveGroups = dynamic(["NLAdmins"]);
IdentityDirectoryEvents
| where Timestamp > ago (2h)
| where ActionType == "Group Membership changed"
| extend Actor = tostring(AdditionalFields ['ACTOR.ACCOUNT'])
| extend ActorUpn = AccountUpn
| extend TargetObjectIdentity = iff(AdditionalFields contains "TARGET_OBJECT.USER",AdditionalFields['TARGET_OBJECT.USER'],iff(AdditionalFields contains "TARGET_OBJECT.GROUP",AdditionalFields['TARGET_OBJECT.GROUP'],"undefined"))
| extend TargetObjectType = iff(AdditionalFields contains "TARGET_OBJECT.USER","User",iff(AdditionalFields contains "TARGET_OBJECT.GROUP","Group","undefined"))
| extend Operation = iff(AdditionalFields contains "TO.GROUP","Add",iff(AdditionalFields contains "FROM.GROUP","Remove","Undefined"))
| extend ChangedGroup = iff(Operation == "Add", AdditionalFields['TO.GROUP'],iff(Operation == "Remove", AdditionalFields['FROM.GROUP'],"Undefined"))
| extend IsSensitive = iff( ChangedGroup in (SensitiveGroups) or ChangedGroup in (customSensitiveGroups),"1","0")
| join kind= leftouter(IdentityInfo
| distinct AccountObjectId , AccountUpn, IsAccountEnabled, CloudSid )
on $left. TargetAccountUpn == $right. AccountUpn
| extend AccountUpn = AccountUpn1
| extend AccountSid = CloudSid
| extend AccountObjectId = AccountObjectId1
| sort by Timestamp
| where IsSensitive == "1"
| project Timestamp , ActionType,Operation, ChangedGroup,Actor, ActorUpn,LegitActor, TargetObjectIdentity,TargetAccountUpn, AccountUpn, AccountObjectId, AccountSid,TargetAccountDisplayName, IsAccountEnabled , TargetObjectType , IsSensitive, DestinationDeviceName, ReportIdAbout this query
Active Directory - Sensitive Group Membership Changes
Query Information
Description
Use the below query to monitor Active Directory sensitive group changes
References
Microsoft 365 Defender
Explanation
This KQL query is designed to monitor changes in membership for sensitive groups within Active Directory. Here's a simplified breakdown of what the query does:
-
Define Sensitive Groups: The query starts by defining a list of sensitive groups, such as "Administrators", "Domain Admins", and other critical groups that require monitoring. It also includes a custom group called "NLAdmins".
-
Filter Events: It looks at events from the
IdentityDirectoryEventstable that have occurred in the last 2 hours (Timestamp > ago(2h)) and specifically filters for events where the action type is "Group Membership changed". -
Extract Information: The query extracts various pieces of information from the events, such as:
- The actor who made the change.
- The target object (user or group) whose membership was changed.
- The type of operation (whether a user was added to or removed from a group).
- The group that was changed.
-
Identify Sensitive Changes: It checks if the changed group is one of the predefined sensitive groups. If it is, it marks the change as sensitive.
-
Join with Identity Information: The query joins the results with the
IdentityInfotable to get additional details about the accounts involved, such as their unique identifiers and whether the account is enabled. -
Filter and Sort: It filters the results to only include changes that are marked as sensitive and sorts them by the timestamp.
-
Project Results: Finally, it selects specific columns to display in the output, providing a clear view of the sensitive group membership changes, including details about the actor, the operation, and the target.
Overall, this query helps administrators monitor and review changes to critical group memberships in Active Directory, ensuring that any unauthorized or suspicious changes can be quickly identified and investigated.
Details

Alex Verboon
Released: April 16, 2026
Tables
Keywords
Operators