Query Details
Access Review On Role Assignable Group Auto Deleted
Query
AuditLogs | where TimeGenerated > ago(90d) | where OperationName == "Delete access review" | where AdditionalDetails[0].value endswith "was auto-deleted because a group in this review was assigned to a privileged role" //This happens when a role such as identity Governance Admin Tries to do an access review on a role assignable group.
Explanation
This query is searching through audit logs to find specific events that occurred in the last 90 days. It is looking for instances where an access review was deleted automatically. The reason for this automatic deletion is that a group involved in the review was assigned to a privileged role, such as the Identity Governance Admin. Essentially, the query is identifying situations where an access review couldn't proceed because it involved a group with elevated permissions.
Details
Jay Kerai
Released: November 2, 2025
Tables
AuditLogs
Keywords
AuditLogsTimeGeneratedOperationNameAdditionalDetailsIdentityGovernanceAdminAccessReviewRoleGroup
Operators
AuditLogswhereTimeGeneratedagoOperationName==AdditionalDetails[]valueendswith