KQL Search

This query is designed to monitor and identify specific role assignments related to device administration within an organization. Here's a simplified breakdown:

1. Source of Data: The query is examining logs from AuditLogs, which track various activities within the system.

2. Activity Filter: It focuses on the activity where a member is added to a role, specifically filtering for the activity named "Add member to role".

3. Role Assignment Check: The query checks if the new role assigned is either "Device Local Administrator" or "DeviceAdministrators". This is done by parsing the modifiedProperties of the TargetResources to identify these specific roles.

4. Best Practice Note: The comments suggest that instead of assigning these roles directly, it's better to assign a custom role called "LAPS Reader" and associate it with an admin unit. This is considered a best practice for managing local administrator privileges.

5. Optional Filter: There's a commented-out line that, if activated, would filter the results to include only those assignments that are tenant-wide, meaning they are not restricted to any specific administrative unit.

In summary, the query is used to track when users are added to specific device administration roles, with a recommendation to use a more secure and controlled approach by assigning a custom role instead.