Query Details

Audit When PIM Fails To Remove An Eligible Member From Role

Query

//Original Source: https://azurewithtom.com/posts/MSRC-Case-When-Temporary-Global-Admin-Rights-Don-t-Expire-in-Microsoft-Entra-PIM/
AuditLogs
| where TimeGenerated >= ago(90d)
| where OperationName == "Remove eligible member from role in PIM completed (timebound)"
| where Result == "failure"
| where ResultReason contains "CannotDeleteLastAdminAssignment"
| extend
    TargetUser = tostring(TargetResources[2].userPrincipalName),
    RoleName = tostring(TargetResources[0].displayName)
//| where RoleName == "Global Administrator" //if you want scope to only GA as per the original article
| project
    TimeGenerated,
    OperationName,
    TargetUser,
    RoleName,
    ResultReason,
    CorrelationId
| sort by TimeGenerated desc
//Always maintain a breakglass. see my article on breakglass guidance here https://www.linkedin.com/pulse/main-reason-you-shouldnt-exclude-break-glass-group-access-kerai-4dtve/

Explanation

This query analyzes audit logs in Microsoft Entra (formerly Azure Active Directory) to identify instances where PIM's attempt to remove an eligible member from a role (the timebound expiry of the assignment) failed. Specifically, it looks for failures with the reason "CannotDeleteLastAdminAssignment," which indicates that the operation could not be completed because it would have left no remaining administrators for that role, so the user's access did not expire as expected.

Here's a simplified breakdown of what the query does:

  1. Time Frame: It examines logs from the past 90 days.
  2. Operation Filter: It focuses on operations where there was an attempt to remove an eligible member from a role in PIM, but the operation failed.
  3. Failure Reason: It specifically looks for failures where the reason is that the last admin assignment cannot be deleted.
  4. Data Extraction: It extracts the target user's principal name (from the third entry of TargetResources) and the role name (from the first entry), and projects those alongside the operation name, the failure reason, and a correlation ID for tracking.
  5. Sorting: The results are sorted by the time the event was generated, in descending order, so the most recent events appear first.

The query can be further refined to focus only on the "Global Administrator" role by uncommenting the specified line. Additionally, the note at the end emphasizes the importance of maintaining a "breakglass" account, which is an emergency account with elevated privileges that can be used if normal administrative access is lost.
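To check the filtering and extraction logic without a live Log Analytics workspace, the same pipeline can be re-implemented over constructed records. The Python below is an added example, not part of the original query hub entry or the source article; the records are constructed to mirror the AuditLogs columns the query touches (the TargetResources index layout, the UPN domain and correlation IDs are assumptions), and the 90-day window is evaluated against a fixed reference time so the result is deterministic.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 90-day lookback is deterministic (assumption for the example).
NOW = datetime(2025, 10, 19, tzinfo=timezone.utc)

# Constants copied from the KQL query's filters.
OPERATION = "Remove eligible member from role in PIM completed (timebound)"
REASON_FRAGMENT = "CannotDeleteLastAdminAssignment"


def _record(days_ago, upn, role, result, reason, corr):
    """Build one constructed AuditLogs-shaped row (not real log data).

    TargetResources mirrors the index layout the query relies on:
    [0] the role (displayName), [2] the target user (userPrincipalName).
    """
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "OperationName": OPERATION,
        "Result": result,
        "ResultReason": reason,
        "CorrelationId": corr,
        "TargetResources": [
            {"displayName": role},
            {"displayName": "pim-request-placeholder"},
            {"userPrincipalName": upn},
        ],
    }


# Constructed sample rows covering the cases the query must include and exclude.
SAMPLE_AUDIT_LOGS = [
    _record(1, "alice@contoso.example", "Global Administrator", "failure", REASON_FRAGMENT, "corr-0001"),
    _record(5, "bob@contoso.example", "Privileged Role Administrator", "failure", REASON_FRAGMENT, "corr-0002"),
    _record(2, "carol@contoso.example", "Global Administrator", "success", "", "corr-0003"),
    _record(120, "dave@contoso.example", "Global Administrator", "failure", REASON_FRAGMENT, "corr-0004"),
    _record(3, "erin@contoso.example", "Global Administrator", "failure", "SomeOtherReason", "corr-0005"),
]


def find_failed_pim_removals(records, now=NOW, lookback_days=90, role_name=None):
    """Python equivalent of the KQL pipeline: time window, operation, failure,
    reason fragment, extraction of TargetUser/RoleName, optional role scope,
    and sort by TimeGenerated descending."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for r in records:
        if r["TimeGenerated"] < cutoff:                 # | where TimeGenerated >= ago(90d)
            continue
        if r.get("OperationName") != OPERATION:         # == is case-sensitive in KQL
            continue
        if r.get("Result") != "failure":
            continue
        # KQL `contains` is case-insensitive, so compare lowercased.
        if REASON_FRAGMENT.lower() not in str(r.get("ResultReason", "")).lower():
            continue
        targets = r.get("TargetResources") or []
        # tostring() of a missing dynamic property yields "" in KQL; mirror that.
        target_user = targets[2].get("userPrincipalName", "") if len(targets) > 2 else ""
        role = targets[0].get("displayName", "") if targets else ""
        if role_name is not None and role != role_name:  # the commented-out GA scope line
            continue
        hits.append({
            "TimeGenerated": r["TimeGenerated"],
            "OperationName": r["OperationName"],
            "TargetUser": target_user,
            "RoleName": role,
            "ResultReason": r["ResultReason"],
            "CorrelationId": r["CorrelationId"],
        })
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)  # | sort by TimeGenerated desc
    return hits


if __name__ == "__main__":
    for hit in find_failed_pim_removals(SAMPLE_AUDIT_LOGS):
        print(hit["TimeGenerated"].isoformat(), hit["TargetUser"], hit["RoleName"], hit["CorrelationId"])
```

Running it lists alice (1 day old) and then bob (5 days old): carol's row is a success, erin's failure has a different reason, and dave's row falls outside the 90-day window. Passing `role_name="Global Administrator"` reproduces the effect of uncommenting the scoping line and keeps only alice.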

Details

Jay Kerai

Released: October 19, 2025

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Result, ResultReason, TargetUser, RoleName, CorrelationId

Operators

AuditLogs, |, where, >=, ago, ==, contains, extend, tostring, project, sort by, desc