AD Role Additions

# List All Role Additions

## Query Information

#### Description
This query lists all role additions that have been performed in your tenant. See the Microsoft link below for the default roles that exist in Azure Active Directory; they include reader, operator, administrator and other roles. It is good practice to gain insight into the roles that have been assigned to accounts. Based on this query you can build a detection for specific roles with high privileges such as Global Admin, Security Admin or Exchange Admin.

#### References
- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

## Sentinel
```kql
AuditLogs
| where OperationName == 'Add member to role'
// If you do want to show PIM activations remove this filter
| where Identity != 'MS-PIM'
| extend RoleLine = tostring(extract(@'Role.DisplayName(.*?)"}', 1, tostring(TargetResources)))
| extend Role = tostring(extract(@'newValue":"\\"(.*?)\\', 1, RoleLine)), userPrincipalName = parse_json(TargetResources).[0].userPrincipalName
| project TimeGenerated, Role, OperationName, userPrincipalName, Identity
```

Explanation

This query lists all role additions that have been performed in your tenant. It filters out any PIM activations and extracts the role name, user principal name, and other relevant information for each role addition. The query helps you gain insight into the roles that have been assigned to accounts and allows you to detect specific roles with high privileges.
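The following is an added example, not the author's query or any code from the page: it re-implements the Sentinel query's filtering and role extraction in Python over constructed AuditLogs-style rows, so the two regex-based `extract()` steps can be compared with a structured walk of `modifiedProperties` (where Azure AD stores `newValue` as a JSON-encoded string, which is why the query's regex needs the escaped quotes), and then extends the listing into the high-privilege alert the description suggests. The timestamps, UPNs, object ids and the watch-list of full role display names are assumptions for the sample data.

```python
"""Added example (not the original page's query): replicate the Sentinel
query's logic in Python over constructed AuditLogs rows, compare the regex
extraction with a structured JSON parse, and flag high-privilege roles."""
import json
import re


def _row(ts, operation, identity, upn, role):
    """Build one constructed AuditLogs-style row (sample data only).

    Field names follow the AuditLogs schema the query relies on
    (OperationName, Identity, TargetResources); the values are made up.
    """
    return {
        "TimeGenerated": ts,
        "OperationName": operation,
        "Identity": identity,
        "TargetResources": [{
            "id": "00000000-0000-0000-0000-00000000000a",  # constructed object id
            "displayName": None,
            "type": "User",
            "userPrincipalName": upn,
            "modifiedProperties": [
                # Azure AD stores newValue as a JSON-encoded string, hence the inner quotes
                {"displayName": "Role.ObjectID", "oldValue": "",
                 "newValue": json.dumps("00000000-0000-0000-0000-0000000000aa")},
                {"displayName": "Role.DisplayName", "oldValue": "",
                 "newValue": json.dumps(role)},
            ],
        }],
    }


# Constructed sample rows: a direct assignment, a PIM activation, a low-privilege
# role, and a removal that the OperationName filter must drop.
SAMPLE_ROWS = [
    _row("2023-02-14T10:15:00Z", "Add member to role", "admin@contoso.example",
         "alice@contoso.example", "Global Administrator"),
    _row("2023-02-14T11:00:00Z", "Add member to role", "MS-PIM",
         "bob@contoso.example", "Security Administrator"),
    _row("2023-02-14T12:30:00Z", "Add member to role", "admin@contoso.example",
         "carol@contoso.example", "Directory Readers"),
    _row("2023-02-14T13:45:00Z", "Remove member from role", "admin@contoso.example",
         "dave@contoso.example", "Global Administrator"),
]

# The same two patterns the query passes to extract(); note the unescaped '.'
# in 'Role.DisplayName' matches any character, exactly as in the original.
ROLE_LINE_RE = re.compile(r'Role.DisplayName(.*?)"}')
ROLE_RE = re.compile(r'newValue":"\\"(.*?)\\')


def role_via_regex(target_resources):
    """Mirror the query: serialise TargetResources, then apply both regexes."""
    serialised = json.dumps(target_resources, separators=(",", ":"))
    line = ROLE_LINE_RE.search(serialised)
    if not line:
        return None
    role = ROLE_RE.search(line.group(1))
    return role.group(1) if role else None


def role_via_json(target_resources):
    """Walk modifiedProperties instead of regex-matching the serialised blob."""
    for target in target_resources:
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                return json.loads(prop["newValue"])  # unwrap the JSON-encoded string
    return None


def list_role_additions(rows, include_pim=False):
    """Equivalent of the query's where/extend/project pipeline."""
    results = []
    for row in rows:
        if row["OperationName"] != "Add member to role":
            continue
        if not include_pim and row["Identity"] == "MS-PIM":  # drop PIM activations
            continue
        targets = row["TargetResources"]
        results.append({
            "TimeGenerated": row["TimeGenerated"],
            "Role": role_via_json(targets),
            "OperationName": row["OperationName"],
            # the query reads TargetResources[0].userPrincipalName
            "userPrincipalName": targets[0].get("userPrincipalName") if targets else None,
            "Identity": row["Identity"],
        })
    return results


# Assumed watch-list of full display names for the roles the page calls out.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Security Administrator", "Exchange Administrator"}


def high_privilege_additions(rows, watch_roles=HIGH_PRIVILEGE_ROLES, include_pim=False):
    """The detection the page suggests building on top of the listing."""
    return [r for r in list_role_additions(rows, include_pim) if r["Role"] in watch_roles]


if __name__ == "__main__":
    for entry in list_role_additions(SAMPLE_ROWS):
        print(entry)
    print("high-privilege:", [h["userPrincipalName"] for h in high_privilege_additions(SAMPLE_ROWS)])
```

Running the block shows the PIM row disappear unless `include_pim=True` is passed, mirroring the commented-out filter in the query, and `role_via_regex` and `role_via_json` agree on every sample row; the structured walk is the more robust choice once you have the rows in hand, since it does not depend on the serialisation order of the properties.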

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

AuditLogs

Keywords

Role,Addmembertorole,MS-PIM,Role.DisplayName,TargetResources,newValue,userPrincipalName,TimeGenerated,OperationName,Identity

Operators

where, ==, |, !=, extend, tostring, extract, parse_json, project