Query Details

Added or Assigned Global Administrator role perms

Query

AuditLogs
// Successful direct role assignments only; failed attempts and removals are excluded
| where OperationName == "Add member to role" and AADOperationType == "Assign" and Result == "success"
// One row per target resource (the principal that received the role)
| mv-expand TargetResources
| extend modifiedProperties = parse_json(TargetResources).modifiedProperties
// One row per changed property (Role.DisplayName, Role.WellKnownObjectName, ...)
| mv-expand modifiedProperties
| extend DisplayName = tostring(parse_json(modifiedProperties).displayName), GroupName = tostring(parse_json(modifiedProperties).newValue)
// newValue is a JSON-encoded string, so the literal includes the surrounding quotes.
// "TenantAdmins" is the well-known object name of the Global Administrator role.
| where GroupName == "\"TenantAdmins\""

Explanation

This query searches the AuditLogs table for entries where a member is added to a directory role, the operation type is an assignment, and the result is successful. It then expands the TargetResources column and extracts the modifiedProperties array. The modifiedProperties are expanded in turn and the displayName and newValue of each property are extracted. Finally, it keeps only the rows where newValue is "TenantAdmins", the well-known object name of the Global Administrator role. Because newValue is stored as a JSON-encoded string, the comparison must include the escaped quotes ("\"TenantAdmins\""); matching on the well-known name rather than Role.DisplayName also keeps the query stable across the older "Company Administrator" display name. Privileged Identity Management activations are logged under separate operation names (for example "Add member to role completed (PIM activation)") and are not matched by this query.
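The following is an added example, not part of the original page or Rod Trent's query: the same detection run against a constructed, AuditLogs-shaped datatable so it can be tested in any Log Analytics or Azure Data Explorer workspace without live data. It decodes the JSON-encoded newValue instead of matching the escaped quotes literally, and surfaces who made the assignment and who received it. The table name SampleAuditLogs, all principal names and the contoso.example domain are assumptions; in production, replace SampleAuditLogs with AuditLogs.

```kql
// Added example (not from the original page): constructed sample rows in the
// shape of AADOperation audit records. Swap SampleAuditLogs for AuditLogs in production.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    AADOperationType: string,
    Result: string,
    InitiatedBy: dynamic,
    TargetResources: dynamic
)[
    // Constructed row 1: Global Administrator assigned directly (expected to match)
    datetime(2020-07-08T10:00:00Z), "Add member to role", "Assign", "success",
    dynamic({"user": {"userPrincipalName": "breakglass@contoso.example"}}),
    dynamic([{"type": "User", "userPrincipalName": "alice@contoso.example", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}, {"displayName": "Role.WellKnownObjectName", "newValue": "\"TenantAdmins\""}]}]),
    // Constructed row 2: a lesser role assigned (expected not to match)
    datetime(2020-07-08T10:05:00Z), "Add member to role", "Assign", "success",
    dynamic({"user": {"userPrincipalName": "breakglass@contoso.example"}}),
    dynamic([{"type": "User", "userPrincipalName": "bob@contoso.example", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}, {"displayName": "Role.WellKnownObjectName", "newValue": "\"HelpdeskAdministrators\""}]}]),
    // Constructed row 3: Global Administrator assignment that failed (expected not to match)
    datetime(2020-07-08T10:10:00Z), "Add member to role", "Assign", "failure",
    dynamic({"user": {"userPrincipalName": "eve@contoso.example"}}),
    dynamic([{"type": "User", "userPrincipalName": "mallory@contoso.example", "modifiedProperties": [{"displayName": "Role.WellKnownObjectName", "newValue": "\"TenantAdmins\""}]}])
];
SampleAuditLogs
| where OperationName == "Add member to role" and AADOperationType == "Assign" and Result == "success"
// One row per principal that received the role
| mv-expand TargetResources
| extend TargetUser = tostring(TargetResources.userPrincipalName)
// One row per changed property on that principal
| mv-expand modifiedProperties = TargetResources.modifiedProperties
| extend PropertyName = tostring(modifiedProperties.displayName),
         // newValue carries a JSON-encoded string ("\"TenantAdmins\""); decode it once
         // rather than comparing against the escaped quotes.
         PropertyValue = tostring(parse_json(tostring(modifiedProperties.newValue)))
// Match on the well-known object name, which is stable across display-name renames
| where PropertyName == "Role.WellKnownObjectName" and PropertyValue == "TenantAdmins"
// Actor may be a user or an application (service principal)
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| project TimeGenerated, Actor, TargetUser, RoleWellKnownName = PropertyValue
```

Only the first constructed row survives the filters: the Helpdesk Administrator assignment and the failed Global Administrator attempt are dropped. Pinning the match to the Role.WellKnownObjectName property avoids false positives if another property ever carries the same string value, and carrying Actor and TargetUser through to the projection gives an incident responder the two fields they need first.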

Details


Rod Trent

Released: July 8, 2020

Tables

AuditLogs

Keywords

AuditLogs, OperationName, AADOperationType, Result, TargetResources, modifiedProperties, DisplayName, GroupName

Operators

==, and, |, where, mv-expand, extend, parse_json, tostring
